diff --git a/rules/sigma/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml
new file mode 100644
index 00000000..b578ca24
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml
@@ -0,0 +1,38 @@
+title: Azure AD Health Monitoring Agent Registry Keys Access
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+ This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+ This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: Key
+ SELECTION_4:
+ ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
+ SELECTION_5:
+ ProcessName:
+ - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+ - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+ - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+ - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+ - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: ff151c33-45fa-475d-af4f-c2f93571f4fe
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
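Review bot: The process allow-list in SELECTION_5 matches only on the executable's base name with wildcards on both sides, so any binary an attacker names `Microsoft.Identity.Health.Adfs.PshSurrogate.exe`, in any directory, is silently excluded from this rule. 4656/4663 record the full image path in ProcessName, so anchor each entry to the agent's installation directory (e.g. `'C:\Program Files\<agent dir>\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'`, with the real path confirmed on an agent host — it is not visible here) instead of `*...exe*`. The falsepositives entry should at least note that the agent's own periodic access is filtered by name only, so a hit from an unexpected path is the signal.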
diff --git a/rules/sigma/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml
new file mode 100644
index 00000000..fc58977e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml
@@ -0,0 +1,41 @@
+
+title: Azure AD Health Service Agents Registry Keys Access
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+description: |
+ This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+ Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+ This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+ Make sure you set the SACL to propagate to its sub-keys.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: Key
+ SELECTION_4:
+ ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
+ SELECTION_5:
+ ProcessName:
+ - '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
+ - '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
+ - '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
+ - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
+ - '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://o365blog.com/post/hybridhealthagent/
+- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
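Review bot: SELECTION_4 is an exact match on `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent`, but the description says the rule covers sub-keys and asks for the SACL to propagate to them; a 4663 on a sub-key carries the sub-key's own path in ObjectName and will not match. Change the line to the wildcard form this file already uses elsewhere, `ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent*'`, so the key and its children are both caught. The base-name-only allow-list in SELECTION_5 has the same weakness as a path check: a renamed binary in any directory is excluded, so consider anchoring the entries to the agent's install path.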
diff --git a/rules/sigma/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/sigma/windows/builtin/win_account_backdoor_dcsync_rights.yml
new file mode 100644
index 00000000..14368dbb
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_account_backdoor_dcsync_rights.yml
@@ -0,0 +1,34 @@
+
+title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
+author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
+date: 2019/04/03
+description: backdooring domain object to grant the rights associated with DCSync
+ to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
+ Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+detection:
+ SELECTION_1:
+ EventID: 5136
+ SELECTION_2:
+ AttributeLDAPDisplayName: ntSecurityDescriptor
+ SELECTION_3:
+ AttributeValue:
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- New Domain Controller computer account, check user SIDs within the value attribute
+ of event 5136 and verify if it's a regular user or DC computer account.
+id: 2c99737c-585d-4431-b61a-c911d86ff32f
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/09
+references:
+- https://twitter.com/menasec1/status/1111556090137903104
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+status: experimental
+tags:
+- attack.persistence
+- attack.t1098
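Review bot: SELECTION_3 looks for the three replication GUIDs anywhere in AttributeValue, and 5136 logs the complete SDDL of ntSecurityDescriptor, so if the domain object's default ACEs for the domain-controller groups already carry those rights (as I would expect, but cannot verify from here) every modification of the domain root's security descriptor matches — the rule effectively becomes "domain SD changed", which the falsepositives text hints at. Consider adding `OperationType: '%%14674'` (Value Added) so the deletion half of a modify pair does not fire a second time, and state in the description that triage means extracting the trustee SID of the ACE carrying the GUID from the new value, not merely observing the GUID. Check how OperationType is rendered by your pipeline before hard-coding the `%%` form.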
diff --git a/rules/sigma/windows/builtin/win_account_discovery.yml b/rules/sigma/windows/builtin/win_account_discovery.yml
new file mode 100644
index 00000000..ef8b4bb5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_account_discovery.yml
@@ -0,0 +1,43 @@
+
+title: AD Privileged Users or Groups Reconnaissance
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect priv users or groups recon based on 4661 eventid and known privileged
+ users or groups SIDs
+detection:
+ SELECTION_1:
+ EventID: 4661
+ SELECTION_2:
+ ObjectType:
+ - SAM_USER
+ - SAM_GROUP
+ SELECTION_3:
+ ObjectName:
+ - '*-512'
+ - '*-502'
+ - '*-500'
+ - '*-505'
+ - '*-519'
+ - '*-520'
+ - '*-544'
+ - '*-551'
+ - '*-555'
+ SELECTION_4:
+ ObjectName: '*admin*'
+ condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- if source account name is not an admin then its super suspicious
+id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
+level: high
+logsource:
+ definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
+ product: windows
+ service: security
+modified: 2021/09/08
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
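Review bot: The rule has no subject filter, so 4661 handle requests on SAM_USER/SAM_GROUP objects issued by the DC's own machine account or system components would match as readily as an interactive user's enumeration, and SELECTION_4 `'*admin*'` widens the object set to anything with "admin" in its name. The other rules in this batch exclude machine accounts with `SubjectUserName: '*$'` in a `not` clause; add the same here, `SELECTION_5: {SubjectUserName: '*$'}` and `condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4) and not SELECTION_5)`. Whether DC-internal activity actually surfaces in 4661 in your environment should be confirmed against live data; the falsepositives line already says the source account is what matters, so encode it.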
diff --git a/rules/sigma/windows/builtin/win_ad_object_writedac_access.yml b/rules/sigma/windows/builtin/win_ad_object_writedac_access.yml
new file mode 100644
index 00000000..d186b4be
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_ad_object_writedac_access.yml
@@ -0,0 +1,31 @@
+
+title: AD Object WriteDAC Access
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects WRITE_DAC access to a domain object
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectServer: DS
+ SELECTION_3:
+ AccessMask: '0x40000'
+ SELECTION_4:
+ ObjectType:
+ - 19195a5b-6da0-11d0-afd3-00c04fd930c9
+ - domainDNS
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1222
+- attack.t1222.001
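Review bot: SELECTION_3 is an exact string match on `AccessMask: '0x40000'`, so a 4662 whose requested access combines WRITE_DAC with other rights (for example `0x40010` or `0xC0000`) does not match, which is the usual shape when a tool opens the object for several operations at once. Sigma cannot express a bitwise test, but the mask is hex text, so a wildcard list over the nibble holding the 0x40000 bit keeps the rule usable: `AccessMask: ['*4????', '*5????', '*6????', '*7????', '*C????', '*D????', '*E????', '*F????']` (the leading `*` also absorbs higher nibbles such as `0x140000`). Confirm that your pipeline renders AccessMask as canonical hex without zero padding before relying on the patterns.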
diff --git a/rules/sigma/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/sigma/windows/builtin/win_ad_replication_non_machine_account.yml
new file mode 100644
index 00000000..9ba3f9f4
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -0,0 +1,41 @@
+
+title: Active Directory Replication from Non Machine Account
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/07/26
+description: Detects potential abuse of Active Directory Replication Service (ADRS)
+ from a non machine account to request credentials.
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ AccessMask: '0x100'
+ SELECTION_3:
+ Properties:
+ - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ - '*89e95b76-444d-4c62-991a-0facbeda640c*'
+ SELECTION_4:
+ SubjectUserName: '*$'
+ SELECTION_5:
+ SubjectUserName: MSOL_*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
+ or SELECTION_5))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 17d619c1-e020-4347-957e-1d1207455c93
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.006
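Review bot: SELECTION_5 excludes every account whose name starts with `MSOL_`, which is a name-based allow-list an attacker can satisfy by creating or renaming an account to `MSOL_anything`, and it also blinds the rule to abuse of the real Azure AD Connect sync account, which legitimately holds replication rights and is therefore a prime DCSync target. 4662 also carries the subject SID, so prefer excluding the specific sync account by `SubjectUserSid` rather than by name prefix. State in the description that the exclusion exists for AAD Connect and what coverage it gives up.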
diff --git a/rules/sigma/windows/builtin/win_ad_user_enumeration.yml b/rules/sigma/windows/builtin/win_ad_user_enumeration.yml
new file mode 100644
index 00000000..e294af0b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_ad_user_enumeration.yml
@@ -0,0 +1,34 @@
+
+title: AD User Enumeration
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/30
+description: Detects access to a domain user from a non-machine account
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ SELECTION_4:
+ SubjectUserName: MSOL_*
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Administrators configuring new users.
+id: ab6bffca-beff-4baa-af11-6733f296d57a
+level: medium
+logsource:
+ definition: Requires the "Read all properties" permission on the user object to
+ be audited for the "Everyone" principal
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
+- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
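Review bot: The `MSOL_*` exclusion in SELECTION_4 is a name-prefix allow-list: an attacker who creates an account called `MSOL_svc`, or who uses the real sync account, enumerates users without matching the rule, so pin the exclusion to the real sync account's `SubjectUserSid` instead. Separately, the rule places no constraint on the access requested or the properties read, so with the audit configuration the definition asks for (Read all properties for Everyone) every 4662 on a user-class object by a non-machine account fires. The falsepositives line should say that ordinary helpdesk and application reads match too, not only "configuring new users", or the level will not survive contact with a real tenant.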
diff --git a/rules/sigma/windows/builtin/win_admin_rdp_login.yml b/rules/sigma/windows/builtin/win_admin_rdp_login.yml
new file mode 100644
index 00000000..8f957093
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_admin_rdp_login.yml
@@ -0,0 +1,36 @@
+
+title: Admin User Remote Logon
+author: juju4
+date: 2017/10/29
+description: Detect remote login by Administrator user (depending on internal pattern).
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 10
+ SELECTION_3:
+ AuthenticationPackageName: Negotiate
+ SELECTION_4:
+ TargetUserName: Admin*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate administrative activity.
+id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
+level: low
+logsource:
+ definition: 'Requirements: Identifiable administrators usernames (pattern or special
+ unique character. ex: "Admin-*"), internal policy mandating use only as secondary
+ account'
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://car.mitre.org/wiki/CAR-2016-04-005
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1078
+- attack.t1078.001
+- attack.t1078.002
+- attack.t1078.003
+- car.2016-04-005
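Review bot: SELECTION_3 requires `AuthenticationPackageName: Negotiate`, which narrows an already-narrow rule, and nothing in the description explains why Negotiate alone is wanted; a LogonType 10 event may carry Kerberos or NTLM as the package depending on how the session authenticated, so those logons are dropped. Unless the restriction is deliberate, remove SELECTION_3 or list all three packages. It may also be worth matching `LogonType: [10, 12]`, since type 12 (CachedRemoteInteractive) is logged when a remote interactive logon was satisfied from cached credentials — verify both points against your own 4624 data, I cannot confirm the package values from here.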
diff --git a/rules/sigma/windows/builtin/win_admin_share_access.yml b/rules/sigma/windows/builtin/win_admin_share_access.yml
new file mode 100644
index 00000000..cc1bcf4e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_admin_share_access.yml
@@ -0,0 +1,28 @@
+
+title: Access to ADMIN$ Share
+author: Florian Roth
+date: 2017/03/04
+description: Detects access to $ADMIN share
+detection:
+ SELECTION_1:
+ EventID: 5140
+ SELECTION_2:
+ ShareName: Admin$
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Legitimate administrative activity
+id: 098d7118-55bc-4912-a836-dc6483a8d150
+level: low
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit File Share"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2020/08/23
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
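Review bot: SELECTION_2 matches `ShareName: Admin$` exactly, but 5140 records the share name in UNC form (`\\*\ADMIN$`), so an exact match on the bare name is unlikely ever to fire; use `ShareName: '\\*\ADMIN$'` or the wildcard `'*\ADMIN$'`. Sigma matching is case-insensitive, so the case difference is not the issue, only the missing prefix. The description's "$ADMIN share" is also reversed — it should read `ADMIN$` — which matters to anyone searching the rule set.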
diff --git a/rules/sigma/windows/builtin/win_alert_active_directory_user_control.yml b/rules/sigma/windows/builtin/win_alert_active_directory_user_control.yml
new file mode 100644
index 00000000..e591f3be
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_active_directory_user_control.yml
@@ -0,0 +1,30 @@
+
+title: Enabled User Right in AD to Control User Objects
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
+ right in Active Directory it would allow control of other AD user objects.
+detection:
+ SELECTION_1:
+ EventID: 4704
+ SELECTION_2:
+ PrivilegeList:
+ - '*SeEnableDelegationPrivilege*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
+ Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+ Change'
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+tags:
+- attack.persistence
+- attack.t1098
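Review bot: The rule carries no `status:` field while most other rules in this batch are marked `experimental`, so a consumer cannot tell whether it has been validated; add `status: experimental` (or `stable` if it has). I would also say in the description that this right is normally assigned to Administrators on domain controllers and that 4704 is logged on assignment, so a reader knows a hit for the built-in Administrators group on a DC is expected and a hit for any other principal is the signal — confirm the default holders against your DC policy before writing that down.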
diff --git a/rules/sigma/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/sigma/windows/builtin/win_alert_ad_user_backdoors.yml
new file mode 100644
index 00000000..8e170c36
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -0,0 +1,51 @@
+
+title: Active Directory User Backdoors
+author: '@neu5ron'
+date: 2017/04/13
+description: Detects scenarios where one can control another users or computers account
+ without having to use their credentials.
+detection:
+ SELECTION_1:
+ EventID: 4738
+ SELECTION_10:
+ AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
+ SELECTION_2:
+ AllowedToDelegateTo: '-'
+ SELECTION_3:
+ AllowedToDelegateTo|re: ^$
+ SELECTION_4:
+ EventID: 5136
+ SELECTION_5:
+ AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
+ SELECTION_6:
+ EventID: 5136
+ SELECTION_7:
+ ObjectClass: user
+ SELECTION_8:
+ AttributeLDAPDisplayName: servicePrincipalName
+ SELECTION_9:
+ EventID: 5136
+ condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or (SELECTION_4
+ and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or (SELECTION_9
+ and SELECTION_10))
+falsepositives:
+- Unknown
+id: 300bac00-e041-4ee2-9c36-e262656a6ecc
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+ Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+ Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
+ Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
+ Policies\DS Access\Audit Directory Service Changes'
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://msdn.microsoft.com/en-us/library/cc220234.aspx
+- https://adsecurity.org/?p=3466
+- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+tags:
+- attack.t1098
+- attack.persistence
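Review bot: None of the 5136 branches filters on OperationType, so a directory modification (logged as a value-deleted/value-added pair) fires twice and removing a backdoor raises the same alert as planting one; and the SPN branch (SELECTION_6/7/8) matches every servicePrincipalName change on a user object, which is routine service-account provisioning, with falsepositives left as Unknown. Add `OperationType: '%%14674'` (Value Added) to each 5136 branch — check how your pipeline renders the `%%` value — and list SPN registration by service-account owners and legitimate constrained/RBCD setup under falsepositives. The 4738 branch's double negation (not `-` and not empty) just means "AllowedToDelegateTo has a value"; a comment saying so would spare the next reader the puzzle.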
diff --git a/rules/sigma/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/sigma/windows/builtin/win_alert_enable_weak_encryption.yml
new file mode 100644
index 00000000..1e47b7cf
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -0,0 +1,89 @@
+
+title: Weak Encryption Enabled and Kerberoast
+author: '@neu5ron'
+date: 2017/07/30
+description: Detects scenario where weak encryption is enabled for a user profile
+ which could be used for hash/password cracking.
+detection:
+ SELECTION_1:
+ EventID: 4738
+ SELECTION_2:
+ NewUacValue:
+ - '*8???'
+ - '*9???'
+ - '*A???'
+ - '*B???'
+ - '*C???'
+ - '*D???'
+ - '*E???'
+ - '*F???'
+ SELECTION_3:
+ OldUacValue:
+ - '*8???'
+ - '*9???'
+ - '*A???'
+ - '*B???'
+ - '*C???'
+ - '*D???'
+ - '*E???'
+ - '*F???'
+ SELECTION_4:
+ NewUacValue:
+ - '*1????'
+ - '*3????'
+ - '*5????'
+ - '*7????'
+ - '*9????'
+ - '*B????'
+ - '*D????'
+ - '*F????'
+ SELECTION_5:
+ OldUacValue:
+ - '*1????'
+ - '*3????'
+ - '*5????'
+ - '*7????'
+ - '*9????'
+ - '*B????'
+ - '*D????'
+ - '*F????'
+ SELECTION_6:
+ NewUacValue:
+ - '*8??'
+ - '*9??'
+ - '*A??'
+ - '*B??'
+ - '*C??'
+ - '*D??'
+ - '*E??'
+ - '*F??'
+ SELECTION_7:
+ OldUacValue:
+ - '*8??'
+ - '*9??'
+ - '*A??'
+ - '*B??'
+ - '*C??'
+ - '*D??'
+ - '*E??'
+ - '*F??'
+ condition: (SELECTION_1 and (((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
+ and not (SELECTION_5))) or (SELECTION_6 and not (SELECTION_7))))
+falsepositives:
+- Unknown
+id: f6de9536-0441-4b3f-a646-f4e00f300ffd
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account
+ Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
+ Management'
+ product: windows
+ service: security
+references:
+- https://adsecurity.org/?p=2053
+- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
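Review bot: The description never says which bits the hex-nibble wildcards test, and they are unreadable on their own; in 4738's UAC encoding they appear to correspond to 0x8000 USE_DES_KEY_ONLY (SELECTION_2/3), 0x10000 DONT_REQUIRE_PREAUTH (SELECTION_4/5) and 0x800 ENCRYPTED_TEXT_PASSWORD_ALLOWED (SELECTION_6/7), each alerting only on a transition from clear to set — confirm against the 4738 documentation before recording this. Add a sentence to the description listing those three flags, and note that "Kerberoast" in the title is a misnomer: the rule catches AS-REP roasting and DES/reversible-encryption weakening, not SPN-based Kerberoasting. A `status:` field is also missing.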
diff --git a/rules/sigma/windows/builtin/win_alert_lsass_access.yml b/rules/sigma/windows/builtin/win_alert_lsass_access.yml
new file mode 100644
index 00000000..b8defbf3
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_lsass_access.yml
@@ -0,0 +1,28 @@
+
+title: LSASS Access Detected via Attack Surface Reduction
+author: Markus Neis
+date: 2018/08/26
+description: Detects Access to LSASS Process
+detection:
+ SELECTION_1:
+ EventID: 1121
+ SELECTION_2:
+ Path: '*\lsass.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Google Chrome GoogleUpdate.exe
+- Some Taskmgr.exe related activity
+id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
+level: high
+logsource:
+ definition: 'Requirements:Enabled Block credential stealing from the Windows local
+ security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID:
+ 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+ product: windows_defender
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
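Review bot: The rule keys only on EventID 1121 (ASR block), so deployments running the LSASS rule in audit mode, which log 1122 instead, see nothing, and it never checks which ASR rule fired, so any other ASR rule blocking an access whose Path is lsass.exe would also match. Use `EventID: [1121, 1122]` and add a selection on the GUID the definition already names, e.g. `ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` — confirm the field name your Defender log source uses for the ASR rule ID. The falsepositives entries should warn that 1122 in audit mode is far noisier than block mode.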
diff --git a/rules/sigma/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/windows/builtin/win_alert_mimikatz_keywords.yml
new file mode 100644
index 00000000..8e0adbf0
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -0,0 +1,44 @@
+
+title: Mimikatz Use
+author: Florian Roth
+date: 2017/01/10
+description: This method detects mimikatz keywords in different Eventlogs (some of
+ them only appear in older Mimikatz version that are however still used by different
+ threat groups)
+detection:
+ SELECTION_1:
+ - \mimikatz
+ - mimikatz.exe
+ - \mimilib.dll
+ - <3 eo.oe
+ - eo.oe.kiwi
+ - privilege::debug
+ - sekurlsa::logonpasswords
+ - lsadump::sam
+ - mimidrv.sys
+ - ' p::d '
+ - ' s::l '
+ - gentilkiwi.com
+ - Kiwi Legit Printer
+ condition: (SELECTION_1)
+falsepositives:
+- Naughty administrators
+- Penetration test
+- AV Signature updates
+- Files with Mimikatz in their filename
+id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
+level: critical
+logsource:
+ product: windows
+modified: 2021/08/26
+tags:
+- attack.s0002
+- attack.t1003
+- attack.lateral_movement
+- attack.credential_access
+- car.2013-07-001
+- car.2019-04-004
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.001
+- attack.t1003.006
diff --git a/rules/sigma/windows/builtin/win_alert_ruler.yml b/rules/sigma/windows/builtin/win_alert_ruler.yml
new file mode 100644
index 00000000..29183e34
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_alert_ruler.yml
@@ -0,0 +1,39 @@
+
+title: Hacktool Ruler
+author: Florian Roth
+date: 2017/05/31
+description: This events that are generated when using the hacktool Ruler by Sensepost
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Workstation: RULER
+ SELECTION_3:
+ EventID: 4624
+ SELECTION_4:
+ EventID: 4625
+ SELECTION_5:
+ WorkstationName: RULER
+ condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and SELECTION_5))
+falsepositives:
+- Go utilities that use staaldraad awesome NTLM library
+id: 24549159-ac1b-479c-8175-d42aea947cae
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://github.com/sensepost/ruler
+- https://github.com/sensepost/ruler/issues/47
+- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
+tags:
+- attack.discovery
+- attack.execution
+- attack.t1087
+- attack.t1075
+- attack.t1114
+- attack.t1059
+- attack.t1550.002
diff --git a/rules/sigma/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 00000000..27e0f507
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,47 @@
+
+title: File Was Not Allowed To Run
+author: Pushkarev Dmitry
+date: 2020/06/28
+description: Detect run not allowed files. Applocker is a very useful tool, especially
+ on servers where unprivileged users have access. For example terminal servers. You
+ need configure applocker and log collect to receive these events.
+detection:
+ SELECTION_1:
+ EventID: 8004
+ SELECTION_2:
+ EventID: 8007
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- need tuning applocker or add exceptions in SIEM
+fields:
+- PolicyName
+- RuleId
+- RuleName
+- TargetUser
+- TargetProcessId
+- FilePath
+- FileHash
+- Fqbn
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+level: medium
+logsource:
+ product: windows
+ service: applocker
+modified: 2020/08/23
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1064
+- attack.t1204
+- attack.t1035
+- attack.t1204.002
+- attack.t1059.001
+- attack.t1059.003
+- attack.t1059.005
+- attack.t1059.006
+- attack.t1059.007
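Review bot: The condition covers only 8004 and 8007, which the referenced AppLocker documentation lists as the EXE/DLL and script/MSI block events; packaged-app and packaged-installer blocks are separate IDs (8022 and 8025, if I recall the table correctly — verify against the linked page), so the title "File Was Not Allowed To Run" overstates the coverage. Add those IDs to the selection or say in the description that packaged apps are excluded. The falsepositives entry could also point out that audit-mode deployments emit 8003/8006 rather than these IDs, so the rule is silent until enforcement is on.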
diff --git a/rules/sigma/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/sigma/windows/builtin/win_apt_carbonpaper_turla.yml
new file mode 100644
index 00000000..fa48e983
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_carbonpaper_turla.yml
@@ -0,0 +1,29 @@
+
+title: Turla Service Install
+author: Florian Roth
+date: 2017/03/31
+description: This method detects a service install of malicious services mentioned
+ in Carbon Paper - Turla report by ESET
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName:
+ - srservice
+ - ipvpn
+ - hkmsvc
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
+level: high
+logsource:
+ product: windows
+ service: system
+references:
+- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/sigma/windows/builtin/win_apt_chafer_mar18_security.yml
new file mode 100644
index 00000000..db762f47
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_chafer_mar18_security.yml
@@ -0,0 +1,40 @@
+
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 4698
+ SELECTION_2:
+ TaskName:
+ - SC Scheduled Scan
+ - UpdatMachine
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c0580559-a6bd-4ef6-b9b7-83703d98b561
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
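Review bot: SELECTION_2 matches `TaskName` exactly against `SC Scheduled Scan` and `UpdatMachine`, but 4698 records the task name with its folder path and leading backslash (the Slingshot rule in this same batch matches `\Microsoft\Windows\Defrag\ScheduledDefrag`), so a bare name may never match. Use `'*\SC Scheduled Scan'` / `'*\UpdatMachine'` or prefix each with `\` if the tasks live in the root folder, and check a real 4698 to confirm the rendering. The tag list also claims T1543.003, T1112 and T1071.004, none of which this single 4698 selection observes; trim this file's tags to T1053.005.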
diff --git a/rules/sigma/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/sigma/windows/builtin/win_apt_chafer_mar18_system.yml
new file mode 100644
index 00000000..1a30419c
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_chafer_mar18_system.yml
@@ -0,0 +1,37 @@
+
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName:
+ - SC Scheduled Scan
+ - UpdatMachine
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
diff --git a/rules/sigma/windows/builtin/win_apt_gallium.yml b/rules/sigma/windows/builtin/win_apt_gallium.yml
new file mode 100644
index 00000000..2aa1f54f
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_gallium.yml
@@ -0,0 +1,37 @@
+
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 257
+ SELECTION_2:
+ QNAME:
+ - asyspy256.ddns.net
+ - hotkillmail9sddcc.ddns.net
+ - rosaf112.ddns.net
+ - cvdfhjh1231.myftp.biz
+ - sz2016rose.ddns.net
+ - dffwescwer4325.myftp.biz
+ - cvdfhjh1231.ddns.net
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3db10f25-2527-4b79-8d4b-471eb900ee29
+level: high
+logsource:
+ product: windows
+ service: dns-server
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+related:
+- id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
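Review bot: The rule matches only DNS Server analytic event 257, which I read as the successful-response event, so a lookup for one of these dynamic-DNS names that returns NXDOMAIN or otherwise fails is not seen even though the query itself is the indicator. Match the query-received event too (256, if my recollection of the ID table is right — verify against the linked Microsoft page), or state in the description that only resolved lookups alert. The indicators date from December 2019; saying so in the description prevents silence being read as absence.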
diff --git a/rules/sigma/windows/builtin/win_apt_slingshot.yml b/rules/sigma/windows/builtin/win_apt_slingshot.yml
new file mode 100644
index 00000000..4eda9120
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_slingshot.yml
@@ -0,0 +1,29 @@
+
+title: Defrag Deactivation
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+description: Detects the deactivation and disabling of the Scheduled defragmentation
+ task as seen by Slingshot APT group
+detection:
+ SELECTION_1:
+ EventID: 4701
+ SELECTION_2:
+ TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://securelist.com/apt-slingshot/84312/
+related:
+- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+ type: derived
+tags:
+- attack.persistence
+- attack.s0111
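Review bot: The description says "deactivation and disabling" of the ScheduledDefrag task, but the selection covers only 4701 (task disabled); deleting the task outright is 4699 and is not matched, and a 4702 update that replaces the task's action would also slip by. Use `EventID: [4699, 4701]` at minimum, or narrow the description to "disabling". The definition should also make clear that the Audit Other Object Access policy has to be enabled on every endpoint, not only on DCs, since this is host-local behaviour.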
diff --git a/rules/sigma/windows/builtin/win_apt_stonedrill.yml b/rules/sigma/windows/builtin/win_apt_stonedrill.yml
new file mode 100644
index 00000000..73d5e5ed
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_stonedrill.yml
@@ -0,0 +1,28 @@
+
+title: StoneDrill Service Install
+author: Florian Roth
+date: 2017/03/07
+description: This method detects a service install of the malicious Microsoft Network
+ Realtime Inspection Service service described in StoneDrill report by Kaspersky
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: NtsSrv
+ SELECTION_3:
+ ServiceFileName: '* LocalService'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unlikely
+id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+level: high
+logsource:
+ product: windows
+ service: system
+references:
+- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+tags:
+- attack.persistence
+- attack.g0064
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/windows/builtin/win_apt_turla_service_png.yml b/rules/sigma/windows/builtin/win_apt_turla_service_png.yml
new file mode 100644
index 00000000..e21435f5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_turla_service_png.yml
@@ -0,0 +1,26 @@
+
+title: Turla PNG Dropper Service
+author: Florian Roth
+date: 2018/11/23
+description: This method detects malicious services mentioned in Turla PNG dropper
+ report by NCC Group in November 2018
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: WerFaultSvc
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unlikely
+id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+level: critical
+logsource:
+ product: windows
+ service: system
+references:
+- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/windows/builtin/win_apt_wocao.yml b/rules/sigma/windows/builtin/win_apt_wocao.yml
new file mode 100644
index 00000000..8bcc4956
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_apt_wocao.yml
@@ -0,0 +1,37 @@
+
+title: Operation Wocao Activity
+author: Florian Roth, frack113
+date: 2019/12/20
+description: Detects activity mentioned in Operation Wocao report
+detection:
+ SELECTION_1:
+ EventID: 4799
+ SELECTION_2:
+ TargetUserName: Administr*
+ SELECTION_3:
+ CallerProcessName: '*\checkadmin.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrators that use checkadmin.exe tool to enumerate local administrators
+id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+- https://twitter.com/SBousseaden/status/1207671369963646976
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1036.004
+- attack.t1036
+- attack.t1027
+- attack.execution
+- attack.t1053.005
+- attack.t1053
+- attack.t1059.001
+- attack.t1086
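Review bot: The tags do not match the detection: the logic fires only on EventID 4799 (a security-enabled local group membership was enumerated) with `TargetUserName: Administr*` and `CallerProcessName: '*\checkadmin.exe'`, yet the list carries `attack.t1053.005`, `attack.t1059.001`, `attack.t1027` and `attack.t1036.004`, which describe other activity from the report, and `attack.t1012` (Query Registry) does not describe group enumeration either. `attack.t1086` is a deprecated id already superseded by the `attack.t1059.001` entry present in the list. Either trim the tags to what the query evidences (`attack.discovery` with `attack.t1069.001`) or state in the description that the tags summarise the report rather than this rule.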
diff --git a/rules/sigma/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
new file mode 100644
index 00000000..850d8d75
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -0,0 +1,33 @@
+
+title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+author: Sreeman
+date: 2020/03/13
+description: The .SettingContent-ms file type was introduced in Windows 10 and allows
+ a user to create "shortcuts" to various Windows 10 setting pages. These files are
+ simply XML and contain paths to various Windows 10 settings binaries.
+detection:
+ SELECTION_1:
+ CommandLine: '*.SettingContent-ms*'
+ SELECTION_2:
+ FilePath: '*immersivecontrolpanel*'
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 24de4f3b-804c-4165-b442-5a06a2302c7e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+tags:
+- attack.t1204
+- attack.t1193
+- attack.t1566.001
+- attack.execution
+- attack.initial_access
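Review bot: The detection has no EventID constraint and uses fields the Security log does not carry: `CommandLine: '*.SettingContent-ms*'` is evaluated against every Security event, and `FilePath` in SELECTION_2 and `ParentProcess` in `fields` are not attributes of 4688 process-creation events, which expose `NewProcessName`, `ParentProcessName` and `CommandLine`; as written the `not (SELECTION_2)` filter most likely never matches anything. Either add a selection `EventID: 4688` and rename the filter to `NewProcessName: '*immersivecontrolpanel*'`, or change the logsource to `category: process_creation` so the backend maps the fields. 4688 only includes `CommandLine` when the "Include command line in process creation events" policy is enabled, which belongs in `logsource.definition`. The same field and EventID issue applies to win_asr_bypass_via_appvlp_re.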
diff --git a/rules/sigma/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/windows/builtin/win_asr_bypass_via_appvlp_re.yml
new file mode 100644
index 00000000..cd230cdf
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_asr_bypass_via_appvlp_re.yml
@@ -0,0 +1,29 @@
+
+title: Using AppVLP To Circumvent ASR File Path Rule
+author: Sreeman
+date: 2020/03/13
+description: Application Virtualization Utility is included with Microsoft Office.We
+ are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used
+ for Application Virtualization, but we can use it as an abuse binary to circumvent
+ the ASR file path rule folder or to mark a file as a system file
+detection:
+ SELECTION_1:
+ CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)
+ condition: SELECTION_1
+falsepositives:
+- unknown
+fields:
+- ParentProcess
+- CommandLine
+- ParentCommandLine
+id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/06/11
+status: experimental
+tags:
+- attack.t1218
+- attack.defense_evasion
+- attack.execution
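Review bot: The regular expression on `CommandLine|re` leaves every dot unescaped, so `appvlp.exe` also matches `appvlpXexe` and each member of the extension group (`.sh`, `.js`, `.ps`, …) matches any character followed by those letters, which widens the match well beyond real file extensions (`.js` hits `cjs`, `.ps` hits `apps`). Escape the dots and factor the group, e.g. `(?i).*appvlp\.exe.*(cmd\.exe|powershell\.exe).*\.(sh|exe|dll|bin|bat|cmd|js|msh|reg|scr|ps|vb|jar|pl|inf)`. The description also has a missing space in `Office.We` and typographic quotes around `“AppVLP”` that should be plain ASCII quotes.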
diff --git a/rules/sigma/windows/builtin/win_atsvc_task.yml b/rules/sigma/windows/builtin/win_atsvc_task.yml
new file mode 100644
index 00000000..c80980a5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_atsvc_task.yml
@@ -0,0 +1,34 @@
+
+title: Remote Task Creation via ATSVC Named Pipe
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects remote task creation via at.exe or API interacting with ATSVC
+ namedpipe
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: atsvc
+ SELECTION_4:
+ Accesses: '*WriteData*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: f6de6525-4509-495a-8a82-1f8b0ed73a00
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+tags:
+- attack.lateral_movement
+- attack.persistence
+- attack.t1053
+- car.2013-05-004
+- car.2015-04-001
+- attack.t1053.002
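Review bot: `ShareName: \\*\IPC$` in SELECTION_2 is escaped differently from the same literal in win_exploit_cve_2021_1675_printspooler_security, which writes `\\\*\IPC$`. Under Sigma's escaping rules `\\*` is a literal backslash followed by a wildcard, so this form matches any share name ending in `\IPC$`, whereas `\\\*` is a literal backslash and a literal `*`, i.e. exactly the `\\*\IPC$` string that 5145 events carry. Both forms hit the intended events, but the diff should settle on one; the looser form is also used in win_dce_rpc_smb_spoolss_named_pipe and, for `\\*\SYSVOL`, in win_gpo_scheduledtasks.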
diff --git a/rules/sigma/windows/builtin/win_audit_cve.yml b/rules/sigma/windows/builtin/win_audit_cve.yml
new file mode 100644
index 00000000..2b4486a6
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_audit_cve.yml
@@ -0,0 +1,38 @@
+
+title: Audit CVE Event
+author: Florian Roth
+date: 2020/01/15
+description: Detects events generated by Windows to indicate the exploitation of a
+ known vulnerability (e.g. CVE-2020-0601)
+detection:
+ SELECTION_1:
+ Source: Microsoft-Windows-Audit-CVE
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+level: critical
+logsource:
+ product: windows
+ service: application
+modified: 2020/08/23
+references:
+- https://twitter.com/mattifestation/status/1217179698008068096
+- https://twitter.com/VM_vivisector/status/1217190929330655232
+- https://twitter.com/davisrichardg/status/1217517547576348673
+- https://twitter.com/DidierStevens/status/1217533958096924676
+- https://twitter.com/FlemmingRiis/status/1217147415482060800
+status: experimental
+tags:
+- attack.execution
+- attack.t1203
+- attack.privilege_escalation
+- attack.t1068
+- attack.defense_evasion
+- attack.t1211
+- attack.credential_access
+- attack.t1212
+- attack.lateral_movement
+- attack.t1210
+- attack.impact
+- attack.t1499.004
diff --git a/rules/sigma/windows/builtin/win_av_relevant_match.yml b/rules/sigma/windows/builtin/win_av_relevant_match.yml
new file mode 100644
index 00000000..56c965a0
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_av_relevant_match.yml
@@ -0,0 +1,42 @@
+
+title: Relevant Anti-Virus Event
+author: Florian Roth
+date: 2017/02/19
+description: This detection method points out highly relevant Antivirus events
+detection:
+ SELECTION_1:
+ - HTool-
+ - Hacktool
+ - ASP/Backdoor
+ - JSP/Backdoor
+ - PHP/Backdoor
+ - Backdoor.ASP
+ - Backdoor.JSP
+ - Backdoor.PHP
+ - Webshell
+ - Portscan
+ - Mimikatz
+ - WinCred
+ - PlugX
+ - Korplug
+ - Pwdump
+ - Chopper
+ - WmiExec
+ - Xscan
+ - Clearlog
+ - ASPXSpy
+ SELECTION_2:
+ - Keygen
+ - Crack
+ condition: ((SELECTION_1) and not (SELECTION_2))
+falsepositives:
+- Some software piracy tools (key generators, cracks) are classified as hack tools
+id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/07/28
+tags:
+- attack.resource_development
+- attack.t1588
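Review bot: The `Crack` keyword in SELECTION_2 is a substring filter, so any antivirus event whose text contains it is suppressed, which very likely includes detections of CrackMapExec, a post-exploitation tool that this rule is meant to surface; the exclusion aimed at software-piracy noise therefore also hides a hacktool class. Narrow the filter to the piracy-related signature names your products actually emit, or add a `SELECTION_3` keyword `CrackMapExec` and use `condition: (SELECTION_1 and not SELECTION_2) or SELECTION_3`. The trade-off should also be stated next to the existing falsepositives entry so the filter is not widened further later.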
diff --git a/rules/sigma/windows/builtin/win_camera_microphone_access.yml b/rules/sigma/windows/builtin/win_camera_microphone_access.yml
new file mode 100644
index 00000000..37ef15db
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_camera_microphone_access.yml
@@ -0,0 +1,31 @@
+
+title: Processes Accessing the Microphone and Webcam
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/07
+description: Potential adversaries accessing the microphone and webcam in an endpoint.
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ EventID: 4663
+ SELECTION_4:
+ ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
+ SELECTION_5:
+ ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/duzvik/status/1269671601852813320
+- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+status: experimental
+tags:
+- attack.collection
+- attack.t1123
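Review bot: Events 4656, 4663 and 4657 for these registry paths are only emitted when "Object Access > Audit Registry" is enabled and a SACL with the relevant access entries exists on the `\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore` microphone and webcam subkeys; the hunk does not record this, so the rule can be deployed into an environment where it never fires. Add a `logsource.definition` in the style win_atsvc_task uses, e.g. `definition: Requires "Object Access > Audit Registry" and a SACL on the CapabilityAccessManager\ConsentStore microphone and webcam keys auditing key access and value changes`. The same omission applies to win_etw_modification, whose 4657 on `*\SOFTWARE\Microsoft\.NETFramework` also needs registry auditing and a SACL on that key.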
diff --git a/rules/sigma/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/sigma/windows/builtin/win_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000..955aea00
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -0,0 +1,47 @@
+
+title: CobaltStrike Service Installations
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/26
+description: Detects known malicious service installs that appear in cases in which
+ a Cobalt Strike beacon elevates privileges or lateral movement
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath: '*ADMIN$*'
+ SELECTION_3:
+ ImagePath: '*.exe*'
+ SELECTION_4:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_5:
+ ImagePath: '*start*'
+ SELECTION_6:
+ ImagePath: '*powershell*'
+ SELECTION_7:
+ ImagePath: '*powershell -nop -w hidden -encodedcommand*'
+ SELECTION_8:
+ ImagePath:
+ - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
+ - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
+ - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6) or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 5a105d34-05fc-401e-8553-272b45c1522d
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://www.sans.org/webcasts/119395
+- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 00000000..a09fdfcf
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,30 @@
+
+title: DCERPC SMB Spoolss Named Pipe
+author: OTR (Open Threat Research)
+date: 2018/11/28
+description: Detects the use of the spoolss named pipe over SMB. This can be used
+ to trigger the authentication via NTLM of any machine that has the spoolservice
+ enabled.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: spoolss
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Domain Controllers acting as printer servers too? :)
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+- https://twitter.com/_dirkjan/status/1309214379003588608
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
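Review bot: The rule depends on EventID 5145, which is only generated when "Object Access > Audit Detailed File Share" is enabled, but unlike win_atsvc_task and win_gpo_scheduledtasks in this diff it has no `logsource.definition` recording that requirement. Add `definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure` under `logsource:` so all 5145 rules state it the same way; win_dcom_iertutil_dll_hijack and win_exploit_cve_2021_1675_printspooler_security have the same gap. The falsepositives entry `Domain Controllers acting as printer servers too? :)` would read better as a plain statement such as `Domain controllers that also host print services`.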
diff --git a/rules/sigma/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/windows/builtin/win_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000..bd963770
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,29 @@
+
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
+ Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
+ DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\Internet Explorer\iertutil.dll'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Unknown
+id: c39f0c81-7348-4965-ab27-2fde35a1b641
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1021.003
diff --git a/rules/sigma/windows/builtin/win_dcsync.yml b/rules/sigma/windows/builtin/win_dcsync.yml
new file mode 100644
index 00000000..1415f4f1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_dcsync.yml
@@ -0,0 +1,40 @@
+
+title: Mimikatz DC Sync
+author: Benjamin Delpy, Florian Roth, Scott Dermott
+date: 2018/06/03
+description: Detects Mimikatz DC sync security events
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ Properties:
+ - '*Replicating Directory Changes All*'
+ - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ SELECTION_3:
+ SubjectDomainName: Window Manager
+ SELECTION_4:
+ SubjectUserName:
+ - NT AUTHORITY*
+ - MSOL_*
+ SELECTION_5:
+ SubjectUserName: '*$'
+ condition: ((((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) and not (SELECTION_4))
+ and not (SELECTION_5))
+falsepositives:
+- Valid DC Sync that is not covered by the filters; please report
+- Local Domain Admin account used for Azure AD Connect
+id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+status: experimental
+tags:
+- attack.credential_access
+- attack.s0002
+- attack.t1003
+- attack.t1003.006
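Review bot: The filter `SubjectDomainName: Window Manager` in SELECTION_3 has no rationale anywhere in the rule, so a reader cannot tell why that domain is exempt from a DCSync detection, and the falsepositives list does not mention it. Presumably it excludes the built-in `DWM-*` Desktop Window Manager accounts, whose domain is reported as `Window Manager`; if so, record it, e.g. add `- Desktop Window Manager (DWM-*) accounts, reported under the Window Manager pseudo-domain` to `falsepositives`. Likewise `MSOL_*` in SELECTION_4 is presumably the Azure AD Connect synchronisation account already alluded to by the second falsepositives entry; naming the account prefix there ties the filter to the documented case.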
diff --git a/rules/sigma/windows/builtin/win_disable_event_logging.yml b/rules/sigma/windows/builtin/win_disable_event_logging.yml
new file mode 100644
index 00000000..6f0a19e3
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_disable_event_logging.yml
@@ -0,0 +1,38 @@
+
+title: Disabling Windows Event Auditing
+author: '@neu5ron'
+date: 2017/11/19
+description: 'Detects scenarios where system auditing (ie: windows event log auditing)
+ is disabled. This may be used in a scenario where an entity would want to bypass
+ local logging to evade detection when windows event logging is enabled and reviewed.
+ Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO,
+ which will make sure that Active Directory GPOs take precedence over local/edited
+ computer policies via something such as "gpedit.msc". Please note, that disabling
+ "Local Group Policy Object Processing" may cause an issue in scenarios of one off
+ specific GPO modifications -- however it is recommended to perform these modifications
+ in Active Directory anyways.'
+detection:
+ SELECTION_1:
+ EventID: 4719
+ SELECTION_2:
+ AuditPolicyChanges:
+ - '*%%8448*'
+ - '*%%8450*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
+ Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
+ Change'
+ product: windows
+ service: security
+references:
+- https://bit.ly/WinLogsZero2Hero
+tags:
+- attack.defense_evasion
+- attack.t1054
+- attack.t1562.002
diff --git a/rules/sigma/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
new file mode 100644
index 00000000..0c80adc9
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_dpapi_domain_backupkey_extraction.yml
@@ -0,0 +1,30 @@
+
+title: DPAPI Domain Backup Key Extraction
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
+ Controllers
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: SecretObject
+ SELECTION_3:
+ AccessMask: '0x2'
+ SELECTION_4:
+ ObjectName: BCKUPKEY
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4ac1f50b-3bd0-4968-902d-868b4647937e
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
diff --git a/rules/sigma/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
new file mode 100644
index 00000000..8ebc6b42
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -0,0 +1,28 @@
+
+title: DPAPI Domain Master Key Backup Attempt
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects anyone attempting a backup for the DPAPI Master Key. This events
+ gets generated at the source and not the Domain Controller.
+detection:
+ SELECTION_1:
+ EventID: 4692
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
diff --git a/rules/sigma/windows/builtin/win_etw_modification.yml b/rules/sigma/windows/builtin/win_etw_modification.yml
new file mode 100644
index 00000000..1ecdce1d
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_etw_modification.yml
@@ -0,0 +1,36 @@
+
+title: COMPlus_ETWEnabled Registry Modification
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
+ SELECTION_3:
+ ObjectValueName: ETWEnabled
+ SELECTION_4:
+ NewValue: '0'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
diff --git a/rules/sigma/windows/builtin/win_event_log_cleared.yml b/rules/sigma/windows/builtin/win_event_log_cleared.yml
new file mode 100644
index 00000000..a5317944
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_event_log_cleared.yml
@@ -0,0 +1,30 @@
+
+title: Security Event Log Cleared
+author: Saw Winn Naung
+date: 2021/08/15
+description: Checks for event id 1102 which indicates the security event log was cleared.
+detection:
+ SELECTION_1:
+ EventID: 1102
+ SELECTION_2:
+ Source: Microsoft-Windows-Eventlog
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative activity
+fields:
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SubjectDomainName
+id: a122ac13-daf8-4175-83a2-72c387be339d
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/08
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+status: experimental
+tags:
+- attack.t1107
+- attack.t1070.001
diff --git a/rules/sigma/windows/builtin/win_exchange_transportagent.yml b/rules/sigma/windows/builtin/win_exchange_transportagent.yml
new file mode 100644
index 00000000..be3d4154
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_exchange_transportagent.yml
@@ -0,0 +1,27 @@
+
+title: MSExchange Transport Agent Installation
+author: Tobias Michalski
+date: 2021/06/08
+description: Detects the Installation of a Exchange Transport Agent
+detection:
+ condition: Install-TransportAgent
+falsepositives:
+- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
+ for this.
+fields:
+- AssemblyPath
+id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
+level: medium
+logsource:
+ product: windows
+ service: msexchange-management
+modified: 2021/09/19
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+related:
+- id: 83809e84-4475-4b69-bc3e-4aad8568612f
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.002
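Review bot: The detection block is malformed: `condition: Install-TransportAgent` references an identifier that is never defined as a selection, so a Sigma compiler will reject the rule (or a lenient backend will produce a search with no criteria). The keyword appears to have been collapsed into the condition during conversion; restore it as a keyword selection, `SELECTION_1:` / `- Install-TransportAgent` / `condition: SELECTION_1`, mirroring the list form used in win_av_relevant_match.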
diff --git a/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
new file mode 100644
index 00000000..b7dfe24d
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -0,0 +1,44 @@
+
+title: Possible CVE-2021-1675 Print Spooler Exploitation
+author: Florian Roth, KevTheHermit, fuzzyf10w
+date: 2021/06/30
+description: Detects events of driver load errors in print service logs that could
+ be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
+detection:
+ SELECTION_1:
+ EventID: 808
+ SELECTION_2:
+ EventID: 4909
+ SELECTION_3:
+ ErrorCode:
+ - '0x45A'
+ - '0x7e'
+ SELECTION_4:
+ - The print spooler failed to load a plug-in module
+ - MyExploit.dll
+ - evil.dll
+ - \addCube.dll
+ - \rev.dll
+ - \rev2.dll
+ - \main64.dll
+ - \mimilib.dll
+ - \mimispool.dll
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4))
+falsepositives:
+- Problems with printer drivers
+fields:
+- PluginDllName
+id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
+level: high
+logsource:
+ product: windows
+ service: printservice-admin
+modified: 2021/07/08
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/afwu/PrintNightmare
+- https://twitter.com/fuzzyf10w/status/1410202370835898371
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+status: experimental
+tags:
+- attack.execution
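Review bot: The keyword `The print spooler failed to load a plug-in module` in SELECTION_4 appears to be the generic message text of every event 808, so `or (SELECTION_4)` makes the `SELECTION_3` error-code restriction on the 808/4909 branch redundant and the rule fires on every plug-in load failure, which is exactly the `Problems with printer drivers` false positive the rule lists. If that broad match is intended, say so in the description; otherwise drop that keyword and keep only the DLL names in SELECTION_4. Minor: `'0x45A'` and `'0x7e'` mix hex letter case, and some backends compare these strings case-sensitively, so normalise both to one form.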
diff --git a/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
new file mode 100644
index 00000000..42eb7436
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -0,0 +1,30 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation
+author: Florian Roth
+date: 2021/07/01
+description: Detects driver load events print service operational log that are a sign
+ of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
+detection:
+ SELECTION_1:
+ EventID: '316'
+ SELECTION_2:
+ - 'UNIDRV.DLL, kernelbase.dll, '
+ - ' 123 '
+ - ' 1234 '
+ - mimispool
+ condition: (SELECTION_1 and (SELECTION_2))
+falsepositives:
+- Unknown
+fields:
+- DriverAdded
+id: f34d942d-c8c4-4f1f-b196-22471aecf10a
+level: critical
+logsource:
+ product: windows
+ service: printservice-operational
+references:
+- https://twitter.com/MalwareJake/status/1410421967463731200
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+status: experimental
+tags:
+- attack.execution
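Review bot: `EventID: '316'` in SELECTION_1 is a quoted string while every other rule in this diff writes EventID as an integer (e.g. `EventID: 808` in win_exploit_cve_2021_1675_printspooler); backends that derive the comparison type from the YAML value may emit a string comparison that never matches the numeric field. Write `EventID: 316`; win_exploit_cve_2021_1675_printspooler_security has the same `EventID: '5145'`. The keywords `' 123 '` and `' 1234 '` match any three- or four-digit token surrounded by spaces in the event text; if they are tied to a specific driver name from the referenced report, stating that in the description would explain the expected noise.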
diff --git a/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
new file mode 100644
index 00000000..808b8daa
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -0,0 +1,33 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation IPC Access
+author: INIT_6
+date: 2021/07/02
+description: Detects remote printer driver load from Detailed File Share in Security
+ logs that are a sign of successful exploitation attempts against print spooler vulnerability
+ CVE-2021-1675 and CVE-2021-34527
+detection:
+ SELECTION_1:
+ EventID: '5145'
+ SELECTION_2:
+ ShareName: \\\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: spoolss
+ SELECTION_4:
+ AccessMask: '0x3'
+ SELECTION_5:
+ ObjectType: File
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- nothing observed so far
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/INIT_3/status/1410662463641731075
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+- https://nvd.nist.gov/vuln/detail/cve-2021-34527
+status: experimental
+tags:
+- attack.execution
diff --git a/rules/sigma/windows/builtin/win_external_device.yml b/rules/sigma/windows/builtin/win_external_device.yml
new file mode 100644
index 00000000..6eefe6ba
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_external_device.yml
@@ -0,0 +1,28 @@
+
+title: External Disk Drive Or USB Storage Device
+author: Keith Wright
+date: 2019/11/20
+description: Detects external diskdrives or plugged in USB devices , EventID 6416
+ on windows 10 or later
+detection:
+ SELECTION_1:
+ EventID: 6416
+ SELECTION_2:
+ ClassName: DiskDrive
+ SELECTION_3:
+ DeviceDescription: USB Mass Storage Device
+ condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
+falsepositives:
+- Legitimate administrative activity
+id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+status: experimental
+tags:
+- attack.t1091
+- attack.t1200
+- attack.lateral_movement
+- attack.initial_access
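Review bot: The condition `((SELECTION_1 and SELECTION_2) or SELECTION_3)` applies the EventID 6416 constraint only to the DiskDrive branch; `DeviceDescription: USB Mass Storage Device` stands alone, so any Security event carrying that field would match regardless of event id. Presumably the intent is one event type with either attribute: `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))`. The description's `diskdrives or plugged in USB devices ,` also has a stray space before the comma.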
diff --git a/rules/sigma/windows/builtin/win_global_catalog_enumeration.yml b/rules/sigma/windows/builtin/win_global_catalog_enumeration.yml
new file mode 100644
index 00000000..fca20a1c
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_global_catalog_enumeration.yml
@@ -0,0 +1,32 @@
+
+title: Enumeration via the Global Catalog
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/11
+description: Detects enumeration of the global catalog (that can be performed using
+ BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
+ width.
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestinationPort: 3268
+ SELECTION_3:
+ DestinationPort: 3269
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) | count() by SourceAddress
+ > 2000
+falsepositives:
+- Exclude known DCs.
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
+ Platform Connection" must be configured for Success
+ product: windows
+ service: security
+modified: 2021/06/01
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
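Review bot: The aggregation `| count() by SourceAddress > 2000` has no `timeframe`, so the threshold is counted over whatever window the backend defaults to (often the whole search range), which is not the per-period rate the description implies when it tells the operator to adjust the threshold to domain width. Add a `timeframe:` key under `detection:` with the window the 2000 value was calibrated against (a constructed example: `timeframe: 1h`). The falsepositives entry `Exclude known DCs.` is an instruction rather than a false-positive source; phrase it as `Domain controllers replicating the global catalog (exclude known DCs)` so the list stays descriptive.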
diff --git a/rules/sigma/windows/builtin/win_gpo_scheduledtasks.yml b/rules/sigma/windows/builtin/win_gpo_scheduledtasks.yml
new file mode 100644
index 00000000..06d06e5b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_gpo_scheduledtasks.yml
@@ -0,0 +1,36 @@
+
+title: Persistence and Execution at Scale via GPO Scheduled Task
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detect lateral movement using GPO scheduled task, usually used to deploy
+ ransomware at scale
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\SYSVOL
+ SELECTION_3:
+ RelativeTargetName: '*ScheduledTasks.xml'
+ SELECTION_4:
+ Accesses:
+ - '*WriteData*'
+ - '*%%4417*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- if the source IP is not localhost then it's super suspicious, better to monitor
+ both local and remote changes to GPO scheduledtasks
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://twitter.com/menasec1/status/1106899890377052160
+- https://www.secureworks.com/blog/ransomware-as-a-distraction
+tags:
+- attack.persistence
+- attack.lateral_movement
+- attack.t1053
+- attack.t1053.005
diff --git a/rules/sigma/windows/builtin/win_hack_smbexec.yml b/rules/sigma/windows/builtin/win_hack_smbexec.yml
new file mode 100644
index 00000000..97fb5b6e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_hack_smbexec.yml
@@ -0,0 +1,34 @@
+
+title: smbexec.py Service Installation
+author: Omer Faruk Celik
+date: 2018/03/20
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: BTOBTO
+ SELECTION_3:
+ ServiceFileName: '*\execute.bat'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Penetration Test
+- Unknown
+fields:
+- ServiceName
+- ServiceFileName
+id: 52a85084-6989-40c3-8f32-091e12e13f09
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2020/08/23
+references:
+- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1077
+- attack.t1021.002
+- attack.t1035
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_hidden_user_creation.yml b/rules/sigma/windows/builtin/win_hidden_user_creation.yml
new file mode 100644
index 00000000..fb45ac19
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_hidden_user_creation.yml
@@ -0,0 +1,28 @@
+
+title: Hidden Local User Creation
+author: Christian Burkard
+date: 2021/05/03
+description: Detects the creation of a local hidden user account which should not
+ happen for event ID 4720.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ TargetUserName: '*$'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventCode
+- AccountName
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/SBousseaden/status/1387743867663958021
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136.001
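Review bot: The `fields` list names `EventCode` and `AccountName`, which are Splunk-style aliases, while the detection itself uses the native Windows names `EventID` and `TargetUserName`; mixing the two schemes in one rule breaks output-column mapping on any backend that resolves `fields` against the event schema. Use `- EventID` and `- TargetUserName`, and consider adding `- SubjectUserName` so the output shows which account performed the creation.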
diff --git a/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
new file mode 100644
index 00000000..c8b0d585
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -0,0 +1,26 @@
+
+title: HybridConnectionManager Service Installation
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Rule to detect the Hybrid Connection Manager service installation.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceName: HybridConnectionManager
+ SELECTION_3:
+ ServiceFileName: '*HybridConnectionManager*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Hybrid Connection Manager via Azure function apps.
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
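Review bot: `tags` carries only the tactic `attack.persistence` with no technique, while every other rule in this commit pairs the tactic with a technique id. A service installation observed through 4697 maps to `attack.t1543.003` (Create or Modify System Process: Windows Service), which should be added here and in the companion rule `win_hybridconnectionmgr_svc_running.yml`. The `falsepositives` entry is useful but the `description` could say why an unexpected HCM install matters (it opens an outbound relay), so the `high` level is justified for the reader.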
diff --git a/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_running.yml
new file mode 100644
index 00000000..9710207e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -0,0 +1,30 @@
+
+title: HybridConnectionManager Service Running
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
+detection:
+ SELECTION_1:
+ EventID: 40300
+ SELECTION_2:
+ EventID: 40301
+ SELECTION_3:
+ EventID: 40302
+ SELECTION_4:
+ - HybridConnection
+ - sb://
+ - servicebus.windows.net
+ - HybridConnectionManage
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
+falsepositives:
+- Legitimate use of Hybrid Connection Manager via Azure function apps.
+id: b55d23e5-6821-44ff-8a6e-67218891e49f
+level: high
+logsource:
+ product: windows
+ service: Microsoft-ServiceBus-Client
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
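Review bot: SELECTION_4 is a bare keyword list, and two of its entries, `sb://` and `servicebus.windows.net`, are generic Service Bus strings rather than anything specific to Hybrid Connection Manager. If the `Microsoft-ServiceBus-Client` channel only ever carries Service Bus client activity, those two keywords will match nearly every 40300–40302 event, and the rule quietly reduces to the event-ID filter; keeping only the HCM-specific strings (`HybridConnection`, `HybridConnectionManage`) would make the keyword filter meaningful. `HybridConnectionManage` looks like a deliberately truncated prefix, but a reader cannot tell it from a typo; a comment such as `# prefix: matches HybridConnectionManager and related strings` would settle it.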
diff --git a/rules/sigma/windows/builtin/win_impacket_psexec.yml b/rules/sigma/windows/builtin/win_impacket_psexec.yml
new file mode 100644
index 00000000..aeae3ca0
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_impacket_psexec.yml
@@ -0,0 +1,30 @@
+
+title: Impacket PsExec Execution
+author: Bhabesh Raj
+date: 2020/12/14
+description: Detects execution of Impacket's psexec.py.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName:
+ - '*RemCom_stdint*'
+ - '*RemCom_stdoutt*'
+ - '*RemCom_stderrt*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- nothing observed so far
+id: 32d56ea1-417f-44ff-822b-882873f5f43b
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/builtin/win_impacket_secretdump.yml b/rules/sigma/windows/builtin/win_impacket_secretdump.yml
new file mode 100644
index 00000000..d24953e8
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_impacket_secretdump.yml
@@ -0,0 +1,33 @@
+
+title: Possible Impacket SecretDump Remote Activity
+author: Samir Bousseaden, wagga
+date: 2019/04/03
+description: Detect AD credential dumping using impacket secretdump HKTL
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\ADMIN$
+ SELECTION_3:
+ RelativeTargetName: '*SYSTEM32\\*'
+ SELECTION_4:
+ RelativeTargetName: '*.tmp*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/06/27
+references:
+- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.003
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services.yml
new file mode 100644
index 00000000..8d0a93a9
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
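Review bot: The `ImagePath|re` pattern is case-sensitive as written (`cmd`, `clip`, `clipboard`, `-f`) and carries no `(?i)` flag, unlike the COMPRESS, RUNDLL and Via-* rules in this same commit, which all open with `(?i)`. Invoke-Obfuscation launchers typically randomize token case, so unless the backend compiles `re` values case-insensitively this rule and its derived security variant `win_invoke_obfuscation_clip_services_security.yml`, together with the STDIN+ and VAR+ pairs, may miss otherwise-matching service installs; prefixing each pattern with `(?i)` keeps behaviour uniform across the set. The leading `.*` in these patterns is redundant for an unanchored regex search and only adds backtracking.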
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services_security.yml
new file mode 100644
index 00000000..482b842d
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_clip_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
new file mode 100644
index 00000000..42d9636b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -0,0 +1,37 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ ImagePath|re: \\*mdr\*\W\s*\)\.Name
+ SELECTION_7:
+ ImagePath|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ ImagePath|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/16
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
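Review bot: In SELECTION_8, `\String\]` uses `\S`, the non-whitespace character class, so the pattern matches any single non-whitespace character followed by `tring]` rather than the literal `[String]` that the referenced Invoke-Obfuscation code emits; it matches by coincidence and reads as a typo. `ImagePath|re: \[String\]\s*\$VerbosePreference` states the intent, and the same correction applies to the derived variant `win_invoke_obfuscation_obfuscated_iex_services_security.yml`. The URL embedded in `description` would also be better placed under a `references:` list, as the other rules in this commit do.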
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
new file mode 100644
index 00000000..ee6c57d1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -0,0 +1,40 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
+ SELECTION_7:
+ ServiceFileName|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ ServiceFileName|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: fd0f5778-d3cb-4c9a-9695-66759d04702a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/16
+related:
+- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services.yml
new file mode 100644
index 00000000..c60be129
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml
new file mode 100644
index 00000000..c8cf3603
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services.yml
new file mode 100644
index 00000000..d95a8dbe
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services_security.yml
new file mode 100644
index 00000000..f07168f1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_var_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: dcf2db1f-f091-425b-a821-c05875b8925a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/17
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
new file mode 100644
index 00000000..a581eb99
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/08/09
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml
new file mode 100644
index 00000000..7c92c4db
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 175997c5-803c-4b08-8bb0-70b099f47595
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
new file mode 100644
index 00000000..87b33028
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
new file mode 100644
index 00000000..381f2ff6
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
new file mode 100644
index 00000000..2525c04a
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 487c7524-f892-4054-b263-8a0ace63fc25
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
new file mode 100644
index 00000000..2ac6c448
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 487c7524-f892-4054-b263-8a0ace63fc25
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
new file mode 100644
index 00000000..aff3bd8b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
new file mode 100644
index 00000000..6147cc92
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
new file mode 100644
index 00000000..741f0654
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
new file mode 100644
index 00000000..80ae5c5e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
new file mode 100644
index 00000000..639bbc88
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
new file mode 100644
index 00000000..7d5b1b16
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services.yml
new file mode 100644
index 00000000..42ae63e1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services.yml
@@ -0,0 +1,27 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ SELECTION_2:
+ EventID: 7045
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml
new file mode 100644
index 00000000..8aa3705b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ ServiceFileName|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ SELECTION_2:
+ EventID: 4697
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/18
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_iso_mount.yml b/rules/sigma/windows/builtin/win_iso_mount.yml
new file mode 100644
index 00000000..7fbea3ee
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_iso_mount.yml
@@ -0,0 +1,32 @@
+
+title: ISO Image Mount
+author: Syed Hasan (@syedhasan009)
+date: 2021/05/29
+description: Detects the mount of ISO images on an endpoint
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ ObjectServer: Security
+ SELECTION_3:
+ ObjectType: File
+ SELECTION_4:
+ ObjectName: \Device\CdRom*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Software installation ISO files
+id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Removable Storage"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
+- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
+- https://twitter.com/MsftSecIntel/status/1257324139515269121
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1566.001
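Review bot: `ObjectName: \Device\CdRom*` matches file access on any optical device object, so physical CD/DVD media and legitimate virtual-drive tools trigger the rule exactly as a mounted ISO does, yet `falsepositives` lists only software installation ISOs; add `- Physical optical media and virtual drive software` so analysts know what to expect. The tag `attack.t1566.001` describes the delivery vector rather than what the rule observes (the mount), so the `description` should state that this is a proxy indicator for ISO-delivered lures that needs the originating e-mail or download context for triage.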
diff --git a/rules/sigma/windows/builtin/win_lm_namedpipe.yml b/rules/sigma/windows/builtin/win_lm_namedpipe.yml
new file mode 100644
index 00000000..1c11df03
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_lm_namedpipe.yml
@@ -0,0 +1,52 @@
+
+title: First Time Seen Remote Named Pipe
+author: Samir Bousseaden
+date: 2019/04/03
+description: This detection excludes known namped pipes accessible remotely and notify
+ on newly observed ones, may help to detect lateral movement and remote exec using
+ named pipes
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ EventID: 5145
+ SELECTION_4:
+ ShareName: \\*\IPC$
+ SELECTION_5:
+ RelativeTargetName:
+ - atsvc
+ - samr
+ - lsarpc
+ - winreg
+ - netlogon
+ - srvsvc
+ - protected_storage
+ - wkssvc
+ - browser
+ - netdfs
+ - svcctl
+ - spoolss
+ - ntsvcs
+ - LSM_API_service
+ - HydraLsPipe
+ - TermSrv_API_service
+ - MsFteWds
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4
+ and SELECTION_5))
+falsepositives:
+- update the excluded named pipe to filter out any newly observed legit named pipe
+id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://twitter.com/menasec1/status/1104489274387451904
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
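Review bot: SELECTION_3 and SELECTION_4 duplicate SELECTION_1 and SELECTION_2 exactly (same `EventID: 5145` and `ShareName: \\*\IPC$`), so the condition `((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4 and SELECTION_5))` is equivalent to `(SELECTION_1 and SELECTION_2) and not SELECTION_5`; dropping the redundant selections makes the exclusion readable. The `falsepositives` entry is an operating instruction rather than a false-positive source; it belongs in `description`, with `falsepositives` naming the actual sources (e.g. `- Legitimate named pipes not yet in the exclusion list`). `attack.t1077` appears to be the pre-sub-technique id that `attack.t1021.002` superseded, so carrying both is only needed for legacy tooling.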
diff --git a/rules/sigma/windows/builtin/win_lolbas_execution_of_nltest.yml b/rules/sigma/windows/builtin/win_lolbas_execution_of_nltest.yml
new file mode 100644
index 00000000..c2434bb1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_lolbas_execution_of_nltest.yml
@@ -0,0 +1,34 @@
+
+title: Correct Execution of Nltest.exe
+author: Arun Chauhan
+date: 2021/10/04
+description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers,
+ domain trusts, parent domain and the current user permissions.
+detection:
+ SELECTION_1:
+ EventID: 4689
+ SELECTION_2:
+ ProcessName: '*nltest.exe'
+ SELECTION_3:
+ Status: '0x0'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Red team activity
+- rare legitimate use by an administrator
+fields:
+- SubjectUserName
+- SubjectDomainName
+id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+- https://attack.mitre.org/software/S0359/
+status: experimental
+tags:
+- attack.discovery
+- attack.t1482
+- attack.t1018
+- attack.t1016
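Review bot: EventID 4689 (process termination) is only logged when the "Detailed Tracking > Audit Process Termination" subcategory is enabled, which is not part of the default policy, yet the logsource carries no `definition` documenting that prerequisite the way the named-pipe and PetitPotam rules in this diff do. Suggest adding `definition: The advanced audit policy setting "Detailed Tracking > Audit Process Termination" must be configured for Success`. Keying on termination with `Status: '0x0'` also means a long-running or abnormally exited nltest is never seen; a process-creation companion rule would close that gap.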
diff --git a/rules/sigma/windows/builtin/win_lsass_access_non_system_account.yml b/rules/sigma/windows/builtin/win_lsass_access_non_system_account.yml
new file mode 100644
index 00000000..bff50322
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_lsass_access_non_system_account.yml
@@ -0,0 +1,69 @@
+
+title: LSASS Access from Non System Account
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects potential mimikatz-like tools accessing LSASS from non system
+ account
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ AccessMask:
+ - '0x40'
+ - '0x1400'
+ - '0x1000'
+ - '0x100000'
+ - '0x1410'
+ - '0x1010'
+ - '0x1438'
+ - '0x143a'
+ - '0x1418'
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '40'
+ - '1400'
+ - '1000'
+ - '100000'
+ - '1410'
+ - '1010'
+ - '1438'
+ - 143a
+ - '1418'
+ - 1f0fff
+ - 1f1fff
+ - 1f2fff
+ - 1f3fff
+ SELECTION_4:
+ ObjectType: Process
+ SELECTION_5:
+ ObjectName: '*\lsass.exe'
+ SELECTION_6:
+ SubjectUserName: '*$'
+ SELECTION_7:
+ ProcessName: C:\Program Files*
+ condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ and not (SELECTION_6)) and not (SELECTION_7))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- ObjectName
+- SubjectUserName
+- ProcessName
+id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/03/17
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
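Review bot: The `not SELECTION_7` filter on `ProcessName: C:\Program Files*` exempts every process under Program Files and Program Files (x86) from a critical-level rule, so any tool run from that tree opens LSASS unseen; the filter should be narrowed to the specific security-product binaries that legitimately open LSASS in the environment, or the trade-off stated under `falsepositives`. The AccessMask list mixes quoted entries (`'1418'`) with bare ones (`143a`, `1f0fff`); the bare ones stay strings only because they contain letters, and quoting all of them keeps the list uniform and safe for a future all-digit value. The logsource has no `definition` for the Object Access audit configuration that 4656/4663 on a process object require.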
diff --git a/rules/sigma/windows/builtin/win_mal_creddumper.yml b/rules/sigma/windows/builtin/win_mal_creddumper.yml
new file mode 100644
index 00000000..b4318634
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_mal_creddumper.yml
@@ -0,0 +1,41 @@
+
+title: Credential Dumping Tools Service Execution
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
diff --git a/rules/sigma/windows/builtin/win_mal_wceaux_dll.yml b/rules/sigma/windows/builtin/win_mal_wceaux_dll.yml
new file mode 100644
index 00000000..9350fc66
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_mal_wceaux_dll.yml
@@ -0,0 +1,33 @@
+
+title: WCE wceaux.dll Access
+author: Thomas Patzke
+date: 2017/06/14
+description: Detects wceaux.dll access while WCE pass-the-hash remote command execution
+ on source host
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4658
+ SELECTION_3:
+ EventID: 4660
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ ObjectName: '*\wceaux.dll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Penetration testing
+id: 1de68c67-af5c-4097-9c85-fe5578e09e67
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
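Review bot: SELECTION_2 (4658, handle closed) and SELECTION_3 (4660, object deleted) are combined with an `ObjectName` match, but to my knowledge neither of those events carries an Object Name field (they report Handle ID and process only), so those two alternatives likely never match and only 4656/4663 contribute. Worth confirming against a sample and, if so, trimming the condition to `((SELECTION_1 or SELECTION_4) and SELECTION_5)` so the rule does not promise coverage it cannot deliver.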
diff --git a/rules/sigma/windows/builtin/win_metasploit_authentication.yml b/rules/sigma/windows/builtin/win_metasploit_authentication.yml
new file mode 100644
index 00000000..05c52767
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_metasploit_authentication.yml
@@ -0,0 +1,38 @@
+
+title: Metasploit SMB Authentication
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+description: Alerts on Metasploit host's authentications on the domain.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ EventID: 4624
+ SELECTION_3:
+ LogonType: 3
+ SELECTION_4:
+ AuthenticationPackageName: NTLM
+ SELECTION_5:
+ WorkstationName|re: ^[A-Za-z0-9]{16}$
+ SELECTION_6:
+ ProcessName|re: ^$
+ SELECTION_7:
+ EventID: 4776
+ SELECTION_8:
+ Workstation|re: ^[A-Za-z0-9]{16}$
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8))
+falsepositives:
+- Linux hostnames composed of 16 characters.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
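Review bot: `ProcessName|re: ^$` in SELECTION_6 is ANDed with EventID 4776, an event that to my knowledge has no ProcessName field (it carries PackageName, TargetUserName, Workstation and Status), so whether the second branch ever matches depends on how the backend evaluates an anchored-empty regex against an absent field (null versus empty string). If the intent is "no process name present", that should be expressed as the field being absent or dropped from the branch, and the rule validated against a real 4776 record. The hunk also has no `status` field.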
diff --git a/rules/sigma/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
new file mode 100644
index 00000000..fe2c36b0
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -0,0 +1,64 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_10:
+ ImagePath: '*cmd.exe*'
+ SELECTION_11:
+ ImagePath: '*/c*'
+ SELECTION_12:
+ ImagePath: '*echo*'
+ SELECTION_13:
+ ImagePath: '*\pipe\\*'
+ SELECTION_14:
+ ImagePath: '*rundll32*'
+ SELECTION_15:
+ ImagePath: '*.dll,a*'
+ SELECTION_16:
+ ImagePath: '*/p:*'
+ SELECTION_2:
+ ImagePath: '*cmd*'
+ SELECTION_3:
+ ImagePath: '*/c*'
+ SELECTION_4:
+ ImagePath: '*echo*'
+ SELECTION_5:
+ ImagePath: '*\pipe\\*'
+ SELECTION_6:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_7:
+ ImagePath: '*/c*'
+ SELECTION_8:
+ ImagePath: '*echo*'
+ SELECTION_9:
+ ImagePath: '*\pipe\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+ and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ImagePath
+id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
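Review bot: The third disjunct (SELECTION_10–13: `*cmd.exe*`, `*/c*`, `*echo*`, `*\pipe\\*`) is strictly contained in the first (SELECTION_2–5: `*cmd*` with the same three patterns), because any ImagePath containing `cmd.exe` also contains `cmd`; it never adds a match and can be removed. The `*/c*`, `*echo*` and `*\pipe\\*` patterns are each defined three times (SELECTION_3/7/11, 4/8/12, 5/9/13); defining them once and referencing the same selection from each branch of the condition would make the rule easier to read and maintain.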
diff --git a/rules/sigma/windows/builtin/win_mmc20_lateral_movement.yml b/rules/sigma/windows/builtin/win_mmc20_lateral_movement.yml
new file mode 100644
index 00000000..ef77337b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_mmc20_lateral_movement.yml
@@ -0,0 +1,32 @@
+
+title: MMC20 Lateral Movement
+author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
+date: 2020/03/04
+description: Detects MMC20.Application Lateral Movement; specifically looks for the
+ spawning of the parent MMC.exe with a command line of "-Embedding" as a child of
+ svchost.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\svchost.exe'
+ SELECTION_3:
+ Image: '*\mmc.exe'
+ SELECTION_4:
+ CommandLine: '*-Embedding*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/23
+references:
+- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
+tags:
+- attack.execution
+- attack.t1175
+- attack.t1021.003
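Review bot: The logsource declares `category: process_creation`, which lets the backend map the rule to Sysmon 1 or Security 4688, but SELECTION_1 hard-codes `EventID: 1`, so the rule silently binds itself to Sysmon and yields no hits on 4688-only telemetry. Drop SELECTION_1 from the condition and let the category mapping supply the event ID; the same hard-coded `EventID: 1` under `category: process_creation` appears in win_net_use_admin_share (L3467–L3499).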
diff --git a/rules/sigma/windows/builtin/win_moriya_rootkit.yml b/rules/sigma/windows/builtin/win_moriya_rootkit.yml
new file mode 100644
index 00000000..de950763
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_moriya_rootkit.yml
@@ -0,0 +1,27 @@
+
+title: Moriya Rootkit
+author: Bhabesh Raj
+date: 2021/05/06
+description: Detects the use of Moriya rootkit as described in the securelist's Operation
+ TunnelSnake report
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: ZzNetSvc
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- None
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1543.003
diff --git a/rules/sigma/windows/builtin/win_net_ntlm_downgrade.yml b/rules/sigma/windows/builtin/win_net_ntlm_downgrade.yml
new file mode 100644
index 00000000..88b29652
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_net_ntlm_downgrade.yml
@@ -0,0 +1,39 @@
+
+title: NetNTLM Downgrade Attack
+author: Florian Roth, wagga
+date: 2018/03/20
+description: Detects NetNTLM downgrade attack
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ ObjectName: '*\REGISTRY\MACHINE\SYSTEM*'
+ SELECTION_3:
+ ObjectName: '*ControlSet*'
+ SELECTION_4:
+ ObjectName: '*\Control\Lsa*'
+ SELECTION_5:
+ ObjectValueName:
+ - LmCompatibilityLevel
+ - NtlmMinClientSec
+ - RestrictSendingNTLMTraffic
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
+level: critical
+logsource:
+ definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+ product: windows
+ service: security
+modified: 2021/06/27
+references:
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+related:
+- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
+ type: derived
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+- attack.t1112
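Review bot: The rule fires at critical on any 4657 for LmCompatibilityLevel, NtlmMinClientSec or RestrictSendingNTLMTraffic regardless of the value written, so a GPO that hardens these settings (raising LmCompatibilityLevel, for instance) raises the same alert as a downgrade. 4657 includes the new value in its event data; where the backend exposes it, a selection on the new value (a low LmCompatibilityLevel, a zeroed NtlmMinClientSec) would make the rule match the downgrade the title describes, and the inverse cases should at least be listed under `falsepositives`.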
diff --git a/rules/sigma/windows/builtin/win_net_use_admin_share.yml b/rules/sigma/windows/builtin/win_net_use_admin_share.yml
new file mode 100644
index 00000000..27179c34
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_net_use_admin_share.yml
@@ -0,0 +1,32 @@
+
+title: Mounted Windows Admin Shares with net.exe
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
+ wagga
+date: 2020/10/05
+description: Detects when an admin share is mounted using net.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ SELECTION_3:
+ CommandLine: '* use *'
+ SELECTION_4:
+ CommandLine: '*\\\*\\*$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Administrators
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
new file mode 100644
index 00000000..e4ddbbc5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -0,0 +1,29 @@
+
+title: New or Renamed User Account with '$' in Attribute 'SamAccountName'.
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ EventID: 4781
+ SELECTION_3:
+ SamAccountName: '*$*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- EventID
+- SamAccountName
+- SubjectUserName
+id: cfeed607-6aa4-4bbd-9627-b637deb723c8
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
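Review bot: SELECTION_3 matches on `SamAccountName`, which 4720 provides in its attribute block, but to my knowledge 4781 (account renamed) reports the new name as `NewTargetUserName` (with `OldTargetUserName` for the previous one) and carries no SamAccountName field, so the 4781 branch likely never matches. Suggest a separate selection such as `NewTargetUserName: '*$*'` paired with 4781 and a check against a sample rename event; note 4781 is also emitted for computer-account renames, whose names legitimately end in `$`, so that branch may need a trailing-only exclusion. The title ends with a period, unlike every other title in the chunk.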
diff --git a/rules/sigma/windows/builtin/win_not_allowed_rdp_access.yml b/rules/sigma/windows/builtin/win_not_allowed_rdp_access.yml
new file mode 100644
index 00000000..f9eb2008
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_not_allowed_rdp_access.yml
@@ -0,0 +1,30 @@
+
+title: Denied Access To Remote Desktop
+author: Pushkarev Dmitry
+date: 2020/06/27
+description: This event is generated when an authenticated user who is not allowed
+ to log on remotely attempts to connect to this computer through Remote Desktop.
+ Often, this event can be generated by attackers when searching for available windows
+ servers in the network.
+detection:
+ SELECTION_1:
+ EventID: 4825
+ condition: SELECTION_1
+falsepositives:
+- Valid user was not added to RDP group
+fields:
+- EventCode
+- AccountName
+- ClientAddress
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1076
+- attack.t1021.001
diff --git a/rules/sigma/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/sigma/windows/builtin/win_ntfs_vuln_exploit.yml
new file mode 100644
index 00000000..3e6615c3
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_ntfs_vuln_exploit.yml
@@ -0,0 +1,29 @@
+
+title: NTFS Vulnerability Exploitation
+author: Florian Roth
+date: 2021/01/11
+description: This the exploitation of a NTFS vulnerability as reported without many
+ details via Twitter
+detection:
+ SELECTION_1:
+ EventID: 55
+ SELECTION_2:
+ Origin: File System Driver
+ SELECTION_3:
+ Description: '*contains a corrupted file record*'
+ SELECTION_4:
+ Description: '*The name of the file is "\"*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: f14719ce-d3ab-4e25-9ce6-2899092260b0
+level: critical
+logsource:
+ product: windows
+ service: system
+references:
+- https://twitter.com/jonasLyk/status/1347900440000811010
+- https://twitter.com/wdormann/status/1347958161609809921
+tags:
+- attack.impact
+- attack.t1499.001
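Review bot: The description is missing its verb ("This the exploitation of a NTFS vulnerability…"), so a reader cannot tell whether the rule detects an attempt or a successful corruption; suggest `description: Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter, through the corrupted-file-record error (Event ID 55) it leaves in the System log`. The hunk also has no `status` field.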
diff --git a/rules/sigma/windows/builtin/win_overpass_the_hash.yml b/rules/sigma/windows/builtin/win_overpass_the_hash.yml
new file mode 100644
index 00000000..46bb891e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_overpass_the_hash.yml
@@ -0,0 +1,31 @@
+
+title: Successful Overpass the Hash Attempt
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+description: Detects successful logon with logon type 9 (NewCredentials) which matches
+ the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 9
+ SELECTION_3:
+ LogonProcessName: seclogo
+ SELECTION_4:
+ AuthenticationPackageName: Negotiate
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Runas command-line tool using /netonly parameter
+id: 192a0330-c20b-4356-90b6-7b7049ae0b87
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.s0002
+- attack.t1550.002
diff --git a/rules/sigma/windows/builtin/win_pass_the_hash.yml b/rules/sigma/windows/builtin/win_pass_the_hash.yml
new file mode 100644
index 00000000..5585185a
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_pass_the_hash.yml
@@ -0,0 +1,42 @@
+
+title: Pass the Hash Activity
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
+description: Detects the attack technique pass the hash which is used to move laterally
+ inside the network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ EventID: 4625
+ SELECTION_3:
+ LogonType: '3'
+ SELECTION_4:
+ LogonProcessName: NtLmSsp
+ SELECTION_5:
+ WorkstationName: '%Workstations%'
+ SELECTION_6:
+ ComputerName: '%Workstations%'
+ SELECTION_7:
+ AccountName: ANONYMOUS LOGON
+ condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6) and not (SELECTION_7))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+level: medium
+logsource:
+ definition: The successful use of PtH for lateral movement between workstations
+ would trigger event ID 4624, a failed logon attempt would trigger an event ID
+ 4625
+ product: windows
+ service: security
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1075
+- car.2016-04-004
+- attack.t1550.002
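Review bot: SELECTION_5 and SELECTION_6 compare against the literal `'%Workstations%'`, a placeholder the deployer must replace with the workstation naming pattern, but nothing in `definition` or `description` says so; as shipped the rule matches nothing. Add a sentence to `definition`, e.g. `Replace %Workstations% with the hostname pattern of your workstation fleet before deploying`, and the same applies to `'%DC-MACHINE-NAME%'` in win_privesc_cve_2020_1472 (L3905–L3936). `LogonType: '3'` is a quoted string here and in the pass-the-hash-2 rule while the Metasploit and RDP-localhost rules use bare integers (`LogonType: 3`, `LogonType: 10`); pick one representation so backends that type-check the field behave consistently. Likewise the `AccountName` field used for the ANONYMOUS LOGON filter here, in pass-the-hash-2 and in the BlueKeep scanner rule is the rendered-message name, whereas the PetitPotam and Zerologon rules use the event-XML names `SubjectUserName`/`TargetUserName`; a single field vocabulary across the set avoids rules that silently miss on one backend.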
diff --git a/rules/sigma/windows/builtin/win_pass_the_hash_2.yml b/rules/sigma/windows/builtin/win_pass_the_hash_2.yml
new file mode 100644
index 00000000..42f919b9
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_pass_the_hash_2.yml
@@ -0,0 +1,44 @@
+
+title: Pass the Hash Activity 2
+author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
+date: 2019/06/14
+description: Detects the attack technique pass the hash which is used to move laterally
+ inside the network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ SubjectUserSid: S-1-0-0
+ SELECTION_3:
+ LogonType: '3'
+ SELECTION_4:
+ LogonProcessName: NtLmSsp
+ SELECTION_5:
+ KeyLength: '0'
+ SELECTION_6:
+ LogonType: '9'
+ SELECTION_7:
+ LogonProcessName: seclogo
+ SELECTION_8:
+ AccountName: ANONYMOUS LOGON
+ condition: ((SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7))) and not (SELECTION_8))
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
+level: medium
+logsource:
+ definition: The successful use of PtH for lateral movement between workstations
+ would trigger event ID 4624
+ product: windows
+ service: security
+references:
+- https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+- https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
+status: stable
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.t1550.002
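Review bot: The second branch (SELECTION_6 `LogonType: '9'` with SELECTION_7 `LogonProcessName: seclogo`) reproduces win_overpass_the_hash (L3611–L3642) minus its `AuthenticationPackageName: Negotiate` constraint, so every hit of that rule is also a hit here at a different level and status (`medium`/`stable` versus `high`/`experimental`). Either reference it with a `related:` entry of `type: similar` (the syntax is shown at L3454–L3456) or drop the branch here so a single rule owns the overpass-the-hash signal.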
diff --git a/rules/sigma/windows/builtin/win_petitpotam_network_share.yml b/rules/sigma/windows/builtin/win_petitpotam_network_share.yml
new file mode 100644
index 00000000..b47f93f9
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_petitpotam_network_share.yml
@@ -0,0 +1,32 @@
+
+title: Possible PetitPotam Coerce Authentication Attempt
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect PetitPotam coerced authentication activity.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\\*
+ SELECTION_3:
+ ShareName: '*\IPC$'
+ SELECTION_4:
+ RelativeTargetName: lsarpc
+ SELECTION_5:
+ SubjectUserName: ANONYMOUS LOGON
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown. Feedback welcomed.
+id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Detailed File Share"
+ must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://github.com/topotam/PetitPotam
+- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
+tags:
+- attack.credential_access
+- attack.t1187
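Review bot: SELECTION_2's value `\\\*` is ambiguous under Sigma's backslash rules (`\\` is a literal backslash, `\*` a literal asterisk), so depending on the converter it may be read as the literal two-character string `\*` with no wildcard at all, in which case the AND with SELECTION_3 (`*\IPC$`) can never be satisfied and the rule is dead. The named-pipe rule earlier in this diff matches the same share with the single value `\\*\IPC$` (L2990), which is unambiguous; suggest collapsing SELECTION_2 and SELECTION_3 into `ShareName: \\*\IPC$` and confirming the rendered query against a real 5145 record whose ShareName is `\\*\IPC$`.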
diff --git a/rules/sigma/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/sigma/windows/builtin/win_petitpotam_susp_tgt_request.yml
new file mode 100644
index 00000000..d9e69e88
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_petitpotam_susp_tgt_request.yml
@@ -0,0 +1,42 @@
+
+title: PetitPotam Suspicious Kerberos TGT Request
+author: Mauricio Velazco, Michael Haag
+date: 2021/09/02
+description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
+ certificate by abusing Active Directory Certificate Services in combination with
+ PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
+ like Rubeus. This request will generate a 4768 event with some unusual fields depending
+ on the environment. This analytic will require tuning, we recommend filtering Account_Name
+ to the Domain Controller computer accounts.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ TargetUserName: '*$'
+ SELECTION_3:
+ CertThumbprint: '*'
+ SELECTION_4:
+ IpAddress: ::1
+ SELECTION_5:
+ CertThumbprint: ''
+ condition: (((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ and not (SELECTION_5))
+falsepositives:
+- False positives are possible if the environment is using certificates for authentication.
+ We recommend filtering Account_Name to the Domain Controller computer accounts.
+id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
+level: high
+logsource:
+ definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
+ Service" must be configured for Success/Failure
+ product: windows
+ service: security
+modified: 2021/09/07
+references:
+- https://github.com/topotam/PetitPotam
+- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
+- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+tags:
+- attack.credential_access
+- attack.t1187
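Review bot: SELECTION_3 `CertThumbprint: '*'` is used as an "attribute present" test and then SELECTION_5 `CertThumbprint: ''` is filtered out, but a bare `*` selection is translated differently across backends (some render it as an exists-check, others as match-anything including null), so the pair should be validated on the target backend or replaced by whichever exists-semantics the backend supports natively. The description has a typo, "attacer" for "attacker", and refers to `Account_Name`, a Splunk-rendered field name, while the detection uses `TargetUserName`; aligning the prose with the field actually filtered avoids confusion when tuning.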
diff --git a/rules/sigma/windows/builtin/win_possible_dc_shadow.yml b/rules/sigma/windows/builtin/win_possible_dc_shadow.yml
new file mode 100644
index 00000000..db7a1ae2
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_possible_dc_shadow.yml
@@ -0,0 +1,34 @@
+
+title: Possible DC Shadow
+author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2019/10/25
+description: Detects DCShadow via create new SPN
+detection:
+ SELECTION_1:
+ EventID: 4742
+ SELECTION_2:
+ ServicePrincipalNames: '*GC/*'
+ SELECTION_3:
+ EventID: 5136
+ SELECTION_4:
+ AttributeLDAPDisplayName: servicePrincipalName
+ SELECTION_5:
+ AttributeValue: GC/*
+ condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
+falsepositives:
+- Exclude known DCs
+id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1207
diff --git a/rules/sigma/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/sigma/windows/builtin/win_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..bb086901
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_powershell_script_installed_as_service.yml
@@ -0,0 +1,27 @@
+
+title: PowerShell Scripts Installed as Services
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/sigma/windows/builtin/win_privesc_cve_2020_1472.yml
new file mode 100644
index 00000000..d3a1e278
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -0,0 +1,31 @@
+
+title: Possible Zerologon (CVE-2020-1472) Exploitation
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
+date: 2020/10/15
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+detection:
+ SELECTION_1:
+ EventID: 4742
+ SELECTION_2:
+ SubjectUserName: ANONYMOUS LOGON
+ SELECTION_3:
+ TargetUserName: '%DC-MACHINE-NAME%'
+ SELECTION_4:
+ PasswordLastSet: '-'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- automatic DC computer account password change
+- legitimate DC computer account password change
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+status: experimental
+tags:
+- attack.t1068
+- attack.privilege_escalation
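Review bot: The author field spells the community as `ocsd.community` where every other rule in this chunk uses `oscd.community` (L3508, L3875), which will split attribution searches across the rule set; suggest `author: Aleksandr Akhremchik, @aleqs4ndr, oscd.community`. The tags list the technique before its tactic (`attack.t1068` then `attack.privilege_escalation`), the reverse of the order used elsewhere in the chunk.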
diff --git a/rules/sigma/windows/builtin/win_protected_storage_service_access.yml b/rules/sigma/windows/builtin/win_protected_storage_service_access.yml
new file mode 100644
index 00000000..9caec014
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_protected_storage_service_access.yml
@@ -0,0 +1,29 @@
+
+title: Protected Storage Service Access
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects access to a protected_storage service over the network. Potential
+ abuse of DPAPI to extract domain backup keys from Domain Controllers
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: '*IPC*'
+ SELECTION_3:
+ RelativeTargetName: protected_storage
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 45545954-4016-43c6-855e-eae8f1c369dc
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021
+- attack.t1021.002
diff --git a/rules/sigma/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
new file mode 100644
index 00000000..56adafad
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
@@ -0,0 +1,26 @@
+
+title: QuarksPwDump Clearing Access History
+author: Florian Roth
+date: 2017/05/15
+description: Detects QuarksPwDump clearing access history in hive
+detection:
+ SELECTION_1:
+ EventID: 16
+ SELECTION_2:
+ HiveName: '*\AppData\Local\Temp\SAM*'
+ SELECTION_3:
+ HiveName: '*.dmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2019/11/13
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/windows/builtin/win_rare_schtasks_creations.yml b/rules/sigma/windows/builtin/win_rare_schtasks_creations.yml
new file mode 100644
index 00000000..97b16991
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rare_schtasks_creations.yml
@@ -0,0 +1,31 @@
+
+title: Rare Schtasks Creations
+author: Florian Roth
+date: 2017/03/23
+description: Detects rare scheduled tasks creations that only appear a few times per
+ time frame and could reveal password dumpers, backdoor installs or other types of
+ malicious code
+detection:
+ SELECTION_1:
+ EventID: 4698
+ condition: SELECTION_1 | count() by TaskName < 5
+falsepositives:
+- Software installation
+- Software updates
+id: b0d77106-7bb0-41fe-bd94-d1752164d066
+level: low
+logsource:
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+ Access Events has to be configured to allow this detection (not in the baseline
+ recommendations by Microsoft). We also recommend extracting the Command field
+ from the embedded XML in the event data.
+ product: windows
+ service: security
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
diff --git a/rules/sigma/windows/builtin/win_rare_service_installs.yml b/rules/sigma/windows/builtin/win_rare_service_installs.yml
new file mode 100644
index 00000000..e1906682
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rare_service_installs.yml
@@ -0,0 +1,26 @@
+
+title: Rare Service Installs
+author: Florian Roth
+date: 2017/03/08
+description: Detects rare service installs that only appear a few times per time frame
+ and could reveal password dumpers, backdoor installs or other types of malicious
+ services
+detection:
+ SELECTION_1:
+ EventID: 7045
+ condition: SELECTION_1 | count() by ServiceFileName < 5
+falsepositives:
+- Software installation
+- Software updates
+id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
+level: low
+logsource:
+ product: windows
+ service: system
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
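Review bot: The aggregation groups on `ServiceFileName`, but every other 7045 rule in this diff addresses the service binary path as `ImagePath` (L3162, L3292, L3882) and the service name as `ServiceName` (L3400); if the backend's field mapping does not know `ServiceFileName`, the `count() by` groups on a missing field and the `< 5` threshold degenerates into one bucket. Suggest `condition: SELECTION_1 | count() by ImagePath < 5`, and a `definition` line noting that the threshold is per time frame as the description states.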
diff --git a/rules/sigma/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
new file mode 100644
index 00000000..1fd0973f
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rdp_bluekeep_poc_scanner.yml
@@ -0,0 +1,26 @@
+
+title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
+author: Florian Roth (rule), Adam Bradbury (idea)
+date: 2019/06/02
+description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable
+ to CVE-2019-0708 RDP RCE aka BlueKeep
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ AccountName: AAAAAAA
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 8400629e-79a9-4737-b387-5db940ab2367
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
+- https://github.com/zerosum0x0/CVE-2019-0708
+tags:
+- attack.lateral_movement
+- attack.t1210
+- car.2013-07-002
diff --git a/rules/sigma/windows/builtin/win_rdp_localhost_login.yml b/rules/sigma/windows/builtin/win_rdp_localhost_login.yml
new file mode 100644
index 00000000..a5b60e50
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rdp_localhost_login.yml
@@ -0,0 +1,31 @@
+
+title: RDP Login from Localhost
+author: Thomas Patzke
+date: 2019/01/28
+description: RDP login with localhost source address may be a tunnelled login
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 10
+ SELECTION_3:
+ IpAddress:
+ - ::1
+ - 127.0.0.1
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 51e33403-2a37-4d66-a574-1fda1782cc31
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1076
+- car.2013-07-002
+- attack.t1021.001
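Review bot: `IpAddress` lists only `127.0.0.1` and `::1`, so an RDP logon recorded from any other loopback address (the rest of 127.0.0.0/8, and possibly an IPv4-mapped form) is missed; the sibling rule `RDP over Reverse SSH Tunnel WFP` already uses `127.*` for the same purpose, and using `- '127.*'` here would make the two consistent. Quote the IPv6 literal as `- '::1'` as well: a leading colon is legal in a plain scalar, but it reads as a mapping indicator to humans and trips some linters, and the same unquoted `::1` and `127.*` appear in that sibling rule.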
diff --git a/rules/sigma/windows/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/windows/builtin/win_rdp_potential_cve_2019_0708.yml
new file mode 100644
index 00000000..85fe242b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rdp_potential_cve_2019_0708.yml
@@ -0,0 +1,29 @@
+
+title: Potential RDP Exploit CVE-2019-0708
+author: Lionel PRAT, Christophe BROCAS, @atc_project (improvements)
+date: 2019/05/24
+description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
+detection:
+ SELECTION_1:
+ EventID: 56
+ SELECTION_2:
+ EventID: 50
+ SELECTION_3:
+ Source: TermDD
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Bad connections or network interruptions
+id: aaa5b30d-f418-420b-83a0-299cb6024885
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2020/08/23
+references:
+- https://github.com/zerosum0x0/CVE-2019-0708
+- https://github.com/Ekultek/BlueKeep
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1210
+- car.2013-07-002
diff --git a/rules/sigma/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/sigma/windows/builtin/win_rdp_reverse_tunnel.yml
new file mode 100644
index 00000000..1b63af63
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_rdp_reverse_tunnel.yml
@@ -0,0 +1,44 @@
+
+title: RDP over Reverse SSH Tunnel WFP
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+ address
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ SourcePort: 3389
+ SELECTION_3:
+ DestAddress:
+ - 127.*
+ - ::1
+ SELECTION_4:
+ DestPort: 3389
+ SELECTION_5:
+ SourceAddress:
+ - 127.*
+ - ::1
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- unknown
+id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.command_and_control
+- attack.lateral_movement
+- attack.t1076
+- attack.t1090
+- attack.t1090.001
+- attack.t1090.002
+- attack.t1021.001
+- car.2013-07-002
diff --git a/rules/sigma/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/windows/builtin/win_register_new_logon_process_by_rubeus.yml
new file mode 100644
index 00000000..f13755a6
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_register_new_logon_process_by_rubeus.yml
@@ -0,0 +1,27 @@
+
+title: Register new Logon Process by Rubeus
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+description: Detects potential use of Rubeus via registered new trusted logon process
+detection:
+ SELECTION_1:
+ EventID: 4611
+ SELECTION_2:
+ LogonProcessName: User32LogonProcesss
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 12e6d621-194f-4f59-90cc-1959e21e69f7
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/14
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.t1208
+- attack.t1558.003
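Review bot: `LogonProcessName: User32LogonProcesss` looks like a typo, but to my knowledge the trailing triple `s` is the literal name Rubeus registers, so a well-meant spelling fix would silently break the rule. A comment on the line, `# intentional: matches the misspelled logon process name Rubeus registers`, would protect it from that.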
diff --git a/rules/sigma/windows/builtin/win_remote_powershell_session.yml b/rules/sigma/windows/builtin/win_remote_powershell_session.yml
new file mode 100644
index 00000000..05c1f437
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_remote_powershell_session.yml
@@ -0,0 +1,31 @@
+
+title: Remote PowerShell Sessions Network Connections (WinRM)
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
+ connections to ports 5985 OR 5986
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestPort: 5985
+ SELECTION_3:
+ DestPort: 5986
+ SELECTION_4:
+ LayerRTID: 44
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate use of remote PowerShell execution
+id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/05/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/windows/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/windows/builtin/win_remote_registry_management_using_reg_utility.yml
new file mode 100644
index 00000000..6035d21a
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_remote_registry_management_using_reg_utility.yml
@@ -0,0 +1,32 @@
+
+title: Remote Registry Management Using Reg Utility
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Remote registry management using REG utility from non-admin workstation
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\winreg*'
+ SELECTION_3:
+ IpAddress: '%Admins_Workstations%'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Legitimate usage of remote registry management by administrator
+id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
+- attack.s0075
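Review bot: `IpAddress: '%Admins_Workstations%'` is a deployment placeholder, not a value any event will carry, so until it is substituted SELECTION_3 never matches and the `not (SELECTION_3)` filter is a no-op: every 5145 against `*\winreg*` fires, including the legitimate administrator activity listed under falsepositives. Document this in the rule, for example by adding under `logsource` the line `definition: Replace %Admins_Workstations% with the address list of the administrative workstations before deploying`, so the rule is not evaluated as written.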
diff --git a/rules/sigma/windows/builtin/win_root_certificate_installed.yml b/rules/sigma/windows/builtin/win_root_certificate_installed.yml
new file mode 100644
index 00000000..f40b81f4
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_root_certificate_installed.yml
@@ -0,0 +1,31 @@
+
+title: Root Certificate Installed
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/10
+description: Adversaries may install a root certificate on a compromised system to
+ avoid warnings when connecting to adversary controlled web servers.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Cert:\LocalMachine\Root*'
+ SELECTION_3:
+ ScriptBlockText: '*Move-Item*'
+ SELECTION_4:
+ ScriptBlockText: '*Import-Certificate*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
+ test if GPO push doesn't trigger FP
+id: 42821614-9264-4761-acfc-5772c3286f76
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1553.004
diff --git a/rules/sigma/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/sigma/windows/builtin/win_sam_registry_hive_handle_request.yml
new file mode 100644
index 00000000..98d776d2
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_sam_registry_hive_handle_request.yml
@@ -0,0 +1,35 @@
+
+title: SAM Registry Hive Handle Request
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects handles requested to SAM registry hive
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ObjectType: Key
+ SELECTION_3:
+ ObjectName: '*\SAM'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ProcessName
+- ObjectName
+id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.credential_access
+- attack.t1552.002
diff --git a/rules/sigma/windows/builtin/win_scheduled_task_deletion.yml b/rules/sigma/windows/builtin/win_scheduled_task_deletion.yml
new file mode 100644
index 00000000..dc7c8d05
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_scheduled_task_deletion.yml
@@ -0,0 +1,31 @@
+
+title: Scheduled Task Deletion
+author: David Strassegger
+date: 2021/01/22
+description: Detects scheduled task deletion events. Scheduled tasks are likely to
+ be deleted if not used for persistence. Malicious Software often creates tasks directly
+ under the root node e.g. \TASKNAME
+detection:
+ SELECTION_1:
+ EventID: 4699
+ condition: SELECTION_1
+falsepositives:
+- Software installation
+id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
+level: medium
+logsource:
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object
+ Access Events has to be configured to allow this detection. We also recommend
+ extracting the Command field from the embedded XML in the event data.
+ product: windows
+ service: security
+references:
+- https://twitter.com/matthewdunwoody/status/1352356685982146562
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1053
+- car.2013-08-001
+- attack.t1053.005
diff --git a/rules/sigma/windows/builtin/win_scm_database_handle_failure.yml b/rules/sigma/windows/builtin/win_scm_database_handle_failure.yml
new file mode 100644
index 00000000..6f676721
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_scm_database_handle_failure.yml
@@ -0,0 +1,30 @@
+
+title: SCM Database Handle Failure
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects non-system users failing to get a handle of the SCM database.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ObjectType: SC_MANAGER OBJECT
+ SELECTION_3:
+ ObjectName: servicesactive
+ SELECTION_4:
+ Keywords: Audit Failure
+ SELECTION_5:
+ SubjectLogonId: '0x3e4'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: 13addce7-47b2-4ca0-a98f-1de964d1d669
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: experimental
+tags:
+- attack.discovery
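Review bot: The description says "non-system users", but the only exclusion is `SubjectLogonId: '0x3e4'`, which is the NETWORK SERVICE logon session; the SYSTEM session (`0x3e7`) and LOCAL SERVICE (`0x3e5`) are not filtered, so either the description overstates the filter or the list should be widened — the authors should confirm which was intended. The same single-id filter is used by `SCM Database Privileged Operation` (id dae8171c-…). This rule also lacks a `status` key, and its `tags` carry only the tactic `attack.discovery` with no technique id.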
diff --git a/rules/sigma/windows/builtin/win_scm_database_privileged_operation.yml b/rules/sigma/windows/builtin/win_scm_database_privileged_operation.yml
new file mode 100644
index 00000000..7224c518
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_scm_database_privileged_operation.yml
@@ -0,0 +1,31 @@
+
+title: SCM Database Privileged Operation
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/15
+description: Detects non-system users performing privileged operation os the SCM database
+detection:
+ SELECTION_1:
+ EventID: 4674
+ SELECTION_2:
+ ObjectType: SC_MANAGER OBJECT
+ SELECTION_3:
+ ObjectName: servicesactive
+ SELECTION_4:
+ PrivilegeList: SeTakeOwnershipPrivilege
+ SELECTION_5:
+ SubjectLogonId: '0x3e4'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5))
+falsepositives:
+- Unknown
+id: dae8171c-5ec6-4396-b210-8466585b53e9
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548
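Review bot: The description has a typo, "privileged operation os the SCM database"; it should read `description: Detects non-system users performing privileged operation on the SCM database`. `status` is also absent from this rule while most siblings declare `status: experimental`.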
diff --git a/rules/sigma/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000..9bbff293
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml
@@ -0,0 +1,31 @@
+
+title: Remote WMI ActiveScriptEventConsumers
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers
+ remotely to move laterally in a network
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ ProcessName: '*scrcons.exe'
+ SELECTION_4:
+ TargetLogonId: '0x3e7'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- SCCM
+id: 9599c180-e3a8-4743-8f92-7fb96d3be648
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
diff --git a/rules/sigma/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/sigma/windows/builtin/win_security_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000..8279ffbd
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_cobaltstrike_service_installs.yml
@@ -0,0 +1,50 @@
+
+title: CobaltStrike Service Installations
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/26
+description: Detects known malicious service installs that appear in cases in which
+ a Cobalt Strike beacon elevates privileges or lateral movement
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName: '*ADMIN$*'
+ SELECTION_3:
+ ServiceFileName: '*.exe*'
+ SELECTION_4:
+ ServiceFileName: '*%COMSPEC%*'
+ SELECTION_5:
+ ServiceFileName: '*start*'
+ SELECTION_6:
+ ServiceFileName: '*powershell*'
+ SELECTION_7:
+ ServiceFileName: '*powershell -nop -w hidden -encodedcommand*'
+ SELECTION_8:
+ ServiceFileName:
+ - '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*'
+ - '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*'
+ - '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6) or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://www.sans.org/webcasts/119395
+- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+related:
+- id: 5a105d34-05fc-401e-8553-272b45c1522d
+ type: derived
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
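Review bot: The three opaque strings under SELECTION_8 are base64 alignments of one encoded PowerShell download cradle, but nothing in the rule says so, and the next maintainer has to decode them to judge whether they are still relevant; a comment such as `# three base64 alignment offsets of the same encoded PowerShell download cradle` above the list would save that effort. The rule also omits `status`, unlike most of its siblings.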
diff --git a/rules/sigma/windows/builtin/win_security_mal_creddumper.yml b/rules/sigma/windows/builtin/win_security_mal_creddumper.yml
new file mode 100644
index 00000000..e4e9a554
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_mal_creddumper.yml
@@ -0,0 +1,44 @@
+
+title: Credential Dumping Tools Service Execution
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+related:
+- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+ type: derived
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
diff --git a/rules/sigma/windows/builtin/win_security_mal_service_installs.yml b/rules/sigma/windows/builtin/win_security_mal_service_installs.yml
new file mode 100644
index 00000000..fd21b5f5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_mal_service_installs.yml
@@ -0,0 +1,36 @@
+
+title: Malicious Service Installations
+author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
+date: 2017/03/27
+description: Detects known malicious service installs that only appear in cases of
+ lateral movement, credential dumping, and other suspicious activities.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceName: javamtsup
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration testing
+id: cb062102-587e-4414-8efa-dbe3c7bf19c6
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://awakesecurity.com/blog/threat-hunting-for-paexec/
+- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
+- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
+related:
+- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
+ type: derived
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1003
+- attack.t1035
+- attack.t1050
+- car.2013-09-005
+- attack.t1543.003
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
new file mode 100644
index 00000000..6969a03b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -0,0 +1,47 @@
+
+title: Metasploit Or Impacket Service Installation Via SMB PsExec
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/21
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and
+ Impacket psexec.py by triggering on specific service installation
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$
+ SELECTION_3:
+ ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)
+ SELECTION_4:
+ ServiceStartType: '3'
+ SELECTION_5:
+ ServiceType: '0x10'
+ SELECTION_6:
+ ServiceName: PSEXESVC
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ and not (SELECTION_6))
+falsepositives:
+- Possible, different agents with a 8 character binary and a 4, 8 or 16 character
+ service name
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceName
+- ServiceFileName
+id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/23
+references:
+- https://bczyz1.github.io/2021/01/30/psexec.html
+related:
+- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
+ type: derived
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1570
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
new file mode 100644
index 00000000..8da06f13
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -0,0 +1,67 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_10:
+ ServiceFileName: '*cmd.exe*'
+ SELECTION_11:
+ ServiceFileName: '*/c*'
+ SELECTION_12:
+ ServiceFileName: '*echo*'
+ SELECTION_13:
+ ServiceFileName: '*\pipe\\*'
+ SELECTION_14:
+ ServiceFileName: '*rundll32*'
+ SELECTION_15:
+ ServiceFileName: '*.dll,a*'
+ SELECTION_16:
+ ServiceFileName: '*/p:*'
+ SELECTION_2:
+ ServiceFileName: '*cmd*'
+ SELECTION_3:
+ ServiceFileName: '*/c*'
+ SELECTION_4:
+ ServiceFileName: '*echo*'
+ SELECTION_5:
+ ServiceFileName: '*\pipe\\*'
+ SELECTION_6:
+ ServiceFileName: '*%COMSPEC%*'
+ SELECTION_7:
+ ServiceFileName: '*/c*'
+ SELECTION_8:
+ ServiceFileName: '*echo*'
+ SELECTION_9:
+ ServiceFileName: '*\pipe\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+ and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ServiceFileName
+id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+related:
+- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+ type: derived
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
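Review bot: The third disjunct `(SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13)` is subsumed by the first: `*cmd*` in SELECTION_2 matches every value that `*cmd.exe*` in SELECTION_10 matches, and SELECTION_11–13 repeat SELECTION_3–5 verbatim, so that branch can never add a hit. Either drop SELECTION_10–13 and the branch, or, if the narrower `cmd.exe` form is kept deliberately for readability, say so in a comment above SELECTION_10. `status` is also absent from this rule.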
diff --git a/rules/sigma/windows/builtin/win_security_powershell_script_installed_as_service.yml b/rules/sigma/windows/builtin/win_security_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..435c6e13
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_powershell_script_installed_as_service.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell Scripts Installed as Services
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+related:
+- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
diff --git a/rules/sigma/windows/builtin/win_security_tap_driver_installation.yml b/rules/sigma/windows/builtin/win_security_tap_driver_installation.yml
new file mode 100644
index 00000000..9aea52b1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_security_tap_driver_installation.yml
@@ -0,0 +1,27 @@
+
+title: Tap Driver Installation
+author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+date: 2019/10/24
+description: Well-known TAP software installation. Possible preparation for data exfiltration
+ using tunnelling techniques
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName: '*tap0901*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate OpenVPN TAP insntallation
+id: 9c8afa4d-0022-48f0-9456-3712466f9701
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+related:
+- id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+ type: derived
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
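Review bot: `falsepositives` has a typo, `insntallation`; the line should read `- Legitimate OpenVPN TAP installation`. The rule also has no `references` entry, so a reader has nothing to check the `tap0901` driver identifier against; a pointer to the vendor's TAP driver documentation would help.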
diff --git a/rules/sigma/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/sigma/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
new file mode 100644
index 00000000..f68fe8ba
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -0,0 +1,29 @@
+
+title: Set OabVirtualDirectory ExternalUrl Property
+author: Jose Rodriguez @Cyb3rPandaH
+date: 2021/03/15
+description: Rule to detect an adversary setting OabVirtualDirectory External URL
+ property to a script
+detection:
+ SELECTION_1:
+ - Set-OabVirtualDirectory
+ SELECTION_2:
+ - ExternalUrl
+ SELECTION_3:
+ - Page_Load
+ SELECTION_4:
+ - script
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 9db37458-4df2-46a5-95ab-307e7f29e675
+level: high
+logsource:
+ product: windows
+ service: msexchange-management
+references:
+- https://twitter.com/OTR_Community/status/1371053369071132675
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.003
diff --git a/rules/sigma/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/sigma/windows/builtin/win_smb_file_creation_admin_shares.yml
new file mode 100644
index 00000000..6c275f44
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_smb_file_creation_admin_shares.yml
@@ -0,0 +1,30 @@
+
+title: SMB Create Remote File Admin Share
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+date: 2020/08/06
+description: Look for non-system accounts SMB accessing a file with write (0x2) access
+ mask via administrative share (i.e C$).
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: '*C$'
+ SELECTION_3:
+ AccessMask: '0x2'
+ SELECTION_4:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: b210394c-ba12-4f89-9117-44a2464b9511
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+- https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/sigma/windows/builtin/win_software_atera_rmm_agent_install.yml
new file mode 100644
index 00000000..7864a202
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_software_atera_rmm_agent_install.yml
@@ -0,0 +1,26 @@
+
+title: Atera Agent Installation
+author: Bhabesh Raj
+date: 2021/09/01
+description: Detects successful installation of Atera Remote Monitoring & Management
+ (RMM) agent as recently found to be used by Conti operators
+detection:
+ SELECTION_1:
+ EventID: 1033
+ SELECTION_2:
+ Source: MsiInstaller
+ SELECTION_3:
+ Message: '*AteraAgent*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Atera agent installation
+id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
+level: high
+logsource:
+ product: windows
+ service: application
+references:
+- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
+status: experimental
+tags:
+- attack.t1219
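Review bot: `tags` carries only `attack.t1219` with no tactic tag, while every other rule in this change pairs a technique with its tactic; T1219 (Remote Access Software) belongs to Command and Control, so add `- attack.command_and_control` above it.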
diff --git a/rules/sigma/windows/builtin/win_software_discovery.yml b/rules/sigma/windows/builtin/win_software_discovery.yml
new file mode 100644
index 00000000..680bd85d
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_software_discovery.yml
@@ -0,0 +1,35 @@
+
+title: Detected Windows Software Discovery
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+description: Adversaries may attempt to enumerate software for a variety of reasons,
+ such as figuring out what security measures are present or if the compromised system
+ has a version of software that is vulnerable.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*get-itemProperty*'
+ SELECTION_3:
+ ScriptBlockText: '*\software\\*'
+ SELECTION_4:
+ ScriptBlockText: '*select-object*'
+ SELECTION_5:
+ ScriptBlockText: '*format-table*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Legitimate administration activities
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+- https://github.com/harleyQu1nn/AggressorScripts
+status: experimental
+tags:
+- attack.discovery
+- attack.t1518
diff --git a/rules/sigma/windows/builtin/win_susp_add_domain_trust.yml b/rules/sigma/windows/builtin/win_susp_add_domain_trust.yml
new file mode 100644
index 00000000..29535917
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_add_domain_trust.yml
@@ -0,0 +1,19 @@
+
+title: Addition of Domain Trusts
+author: Thomas Patzke
+date: 2019/12/03
+description: Addition of domains is seldom and should be verified for legitimacy.
+detection:
+ SELECTION_1:
+ EventID: 4706
+ condition: SELECTION_1
+falsepositives:
+- Legitimate extension of domain structure
+id: 0255a820-e564-4e40-af2b-6ac61160335c
+level: medium
+logsource:
+ product: windows
+ service: security
+status: stable
+tags:
+- attack.persistence
diff --git a/rules/sigma/windows/builtin/win_susp_add_sid_history.yml b/rules/sigma/windows/builtin/win_susp_add_sid_history.yml
new file mode 100644
index 00000000..38e6f1df
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_add_sid_history.yml
@@ -0,0 +1,35 @@
+
+title: Addition of SID History to Active Directory Object
+author: Thomas Patzke, @atc_project (improvements)
+date: 2017/02/19
+description: An attacker can use the SID history attribute to gain additional privileges.
+detection:
+ SELECTION_1:
+ EventID: 4765
+ SELECTION_2:
+ EventID: 4766
+ SELECTION_3:
+ EventID: 4738
+ SELECTION_4:
+ SidHistory:
+ - '-'
+ - '%%1793'
+ SELECTION_5:
+ SidHistory|re: ^$
+ condition: ((SELECTION_1 or SELECTION_2) or ((SELECTION_3 and not (SELECTION_4))
+ and not (SELECTION_5)))
+falsepositives:
+- Migration of an account into a new domain
+id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://adsecurity.org/?p=1772
+status: stable
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1178
+- attack.t1134.005
diff --git a/rules/sigma/windows/builtin/win_susp_backup_delete.yml b/rules/sigma/windows/builtin/win_susp_backup_delete.yml
new file mode 100644
index 00000000..fa3701f2
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_backup_delete.yml
@@ -0,0 +1,26 @@
+
+title: Backup Catalog Deleted
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+date: 2017/05/12
+description: Detects backup catalog deletions
+detection:
+ SELECTION_1:
+ EventID: 524
+ SELECTION_2:
+ Source: Microsoft-Windows-Backup
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9703792d-fd9a-456d-a672-ff92efe4806a
+level: medium
+logsource:
+ product: windows
+ service: application
+references:
+- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
+- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1107
+- attack.t1070.004
diff --git a/rules/sigma/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/sigma/windows/builtin/win_susp_codeintegrity_check_failure.yml
new file mode 100644
index 00000000..70384e41
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_codeintegrity_check_failure.yml
@@ -0,0 +1,24 @@
+
+title: Failed Code Integrity Checks
+author: Thomas Patzke
+date: 2019/12/03
+description: Code integrity failures may indicate tampered executables.
+detection:
+ SELECTION_1:
+ EventID: 5038
+ SELECTION_2:
+ EventID: 6281
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Disk device errors
+id: 470ec5fa-7b4e-4071-b200-4c753100f49b
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1009
+- attack.t1027.001
diff --git a/rules/sigma/windows/builtin/win_susp_dhcp_config.yml b/rules/sigma/windows/builtin/win_susp_dhcp_config.yml
new file mode 100644
index 00000000..3f606022
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_dhcp_config.yml
@@ -0,0 +1,28 @@
+
+title: DHCP Server Loaded the CallOut DLL
+author: Dimitrios Slamaris
+date: 2017/05/15
+description: This rule detects a DHCP server in which a specified Callout DLL (in
+ registry) was loaded
+detection:
+ SELECTION_1:
+ EventID: 1033
+ SELECTION_2:
+ Source: Microsoft-Windows-DHCP-Server
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
+level: critical
+logsource:
+ product: windows
+ service: system
+references:
+- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
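Review bot: `level: critical` on Event 1033 has no filter on which DLL was loaded, so in an environment that runs a sanctioned callout DLL this appears to re-fire as a critical alert on every DHCP service start. Either record the expected deployment in `falsepositives` instead of `Unknown`, or add a filter selection on the DLL path carried in the event message (field name to be confirmed against the 1033 event schema). The companion rule for the failed-load events (1031/1032/1034) has the same `Unknown` entry and would benefit from the same note.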
diff --git a/rules/sigma/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/sigma/windows/builtin/win_susp_dhcp_config_failed.yml
new file mode 100644
index 00000000..1781a473
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_dhcp_config_failed.yml
@@ -0,0 +1,33 @@
+
+title: DHCP Server Error Failed Loading the CallOut DLL
+author: Dimitrios Slamaris, @atc_project (fix)
+date: 2017/05/15
+description: This rule detects a DHCP server error in which a specified Callout DLL
+ (in registry) could not be loaded
+detection:
+ SELECTION_1:
+ EventID: 1031
+ SELECTION_2:
+ EventID: 1032
+ SELECTION_3:
+ EventID: 1034
+ SELECTION_4:
+ Source: Microsoft-Windows-DHCP-Server
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 75edd3fd-7146-48e5-9848-3013d7f0282c
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2019/07/17
+references:
+- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/windows/builtin/win_susp_dns_config.yml b/rules/sigma/windows/builtin/win_susp_dns_config.yml
new file mode 100644
index 00000000..6aaa09e1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_dns_config.yml
@@ -0,0 +1,28 @@
+
+title: DNS Server Error Failed Loading the ServerLevelPluginDLL
+author: Florian Roth
+date: 2017/05/08
+description: This rule detects a DNS server error in which a specified plugin DLL
+ (in registry) could not be loaded
+detection:
+ SELECTION_1:
+ EventID: 150
+ SELECTION_2:
+ EventID: 770
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unknown
+id: cbe51394-cd93-4473-b555-edf0144952d9
+level: critical
+logsource:
+ product: windows
+ service: dns-server
+references:
+- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
+- https://twitter.com/gentilkiwi/status/861641945944391680
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/windows/builtin/win_susp_dsrm_password_change.yml b/rules/sigma/windows/builtin/win_susp_dsrm_password_change.yml
new file mode 100644
index 00000000..01ce1c2c
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_dsrm_password_change.yml
@@ -0,0 +1,24 @@
+
+title: Password Change on Directory Service Restore Mode (DSRM) Account
+author: Thomas Patzke
+date: 2017/02/19
+description: The Directory Service Restore Mode (DSRM) account is a local administrator
+ account on Domain Controllers. Attackers may change the password to gain persistence.
+detection:
+ SELECTION_1:
+ EventID: 4794
+ condition: SELECTION_1
+falsepositives:
+- Initial installation of a domain controller
+id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://adsecurity.org/?p=1714
+status: stable
+tags:
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/windows/builtin/win_susp_eventlog_cleared.yml b/rules/sigma/windows/builtin/win_susp_eventlog_cleared.yml
new file mode 100644
index 00000000..e930d9a6
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_eventlog_cleared.yml
@@ -0,0 +1,35 @@
+
+title: Eventlog Cleared
+author: Florian Roth
+date: 2017/01/10
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil
+ cl" command execution
+detection:
+ SELECTION_1:
+ EventID: 517
+ SELECTION_2:
+ EventID: 1102
+ SELECTION_3:
+ Source: Microsoft-Windows-Eventlog
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Rollout of log collection agents (the setup routine often includes a reset of the
+ local Eventlog)
+- System provisioning (system reset before the golden image creation)
+id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/08
+references:
+- https://twitter.com/deviouspolack/status/832535435960209408
+- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+related:
+- id: f2f01843-e7b8-4f95-a35a-d23584476423
+ type: obsoletes
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1070.001
+- car.2016-04-002
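Review bot: The description says one of the Windows Eventlogs has been cleared, but with `service: security` and IDs 517/1102 the rule only sees clearing of the Security log; the System, Application and other logs are cleared via Event 104 in the System log, which this selection does not cover. Either narrow the description to the Security log or add the 104 case under its own logsource. This file also has no `status:` key, unlike the neighbouring rules; the same omission applies to the failed-logon and password-spraying rules, the interactive-logon rule and the Kerberos manipulation rule later in the series.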
diff --git a/rules/sigma/windows/builtin/win_susp_failed_guest_logon.yml b/rules/sigma/windows/builtin/win_susp_failed_guest_logon.yml
new file mode 100644
index 00000000..349fe587
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_guest_logon.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Rejected SMB Guest Logon From IP
+author: Florian Roth, KevTheHermit, fuzzyf10w
+date: 2021/06/30
+description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in
+ Windows Spooler Service
+detection:
+ SELECTION_1:
+ EventID: 31017
+ SELECTION_2:
+ Description: '*Rejected an insecure guest logon*'
+ SELECTION_3:
+ UserName: ''
+ SELECTION_4:
+ ServerName: \1*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Account fallback reasons (after failed login with specific account)
+fields:
+- Computer
+- User
+id: 71886b70-d7b4-4dbf-acce-87d2ca135262
+level: medium
+logsource:
+ product: windows
+ service: smbclient-security
+modified: 2021/07/05
+references:
+- https://twitter.com/KevTheHermit/status/1410203844064301056
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/afwu/PrintNightmare
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1110.001
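Review bot: The description describes PrintNightmare (CVE-2021-1675) remote code execution, while the title, the selection (Event 31017, rejected insecure guest logon) and the tags (`attack.credential_access`, `attack.t1110.001`) describe an SMB guest-logon rejection; one of the two needs to change so an analyst reading the alert knows what it is evidence of. `SELECTION_4` with `ServerName: \1*` only matches names whose first character after the backslash is `1`; if this field carries the target IP, as the title suggests, hosts whose address starts with another digit are never matched, so the pattern should either cover any IP-looking name or the narrowing should be explained in the description.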
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/sigma/windows/builtin/win_susp_failed_logon_reasons.yml
new file mode 100644
index 00000000..8ee4cd79
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logon_reasons.yml
@@ -0,0 +1,36 @@
+
+title: Account Tampering - Suspicious Failed Logon Reasons
+author: Florian Roth
+date: 2017/02/19
+description: This method uses uncommon error codes on failed logons to determine suspicious
+ activity and tampering with accounts that have been disabled or somehow restricted.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ EventID: 4776
+ SELECTION_3:
+ Status:
+ - '0xC0000072'
+ - '0xC000006F'
+ - '0xC0000070'
+ - '0xC0000413'
+ - '0xC000018C'
+ - '0xC000015B'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- User using a disabled account
+id: 9eb99343-d336-4020-a3cd-67f3819e68ee
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://twitter.com/SBousseaden/status/1101431884540710913
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.initial_access
+- attack.t1078
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logon_source.yml b/rules/sigma/windows/builtin/win_susp_failed_logon_source.yml
new file mode 100644
index 00000000..a7972171
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logon_source.yml
@@ -0,0 +1,55 @@
+
+title: Failed Logon From Public IP
+author: NVISO
+date: 2020/05/06
+description: A login from a public IP can indicate a misconfigured firewall or network
+ boundary.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ IpAddress: '*-*'
+ SELECTION_3:
+ IpAddress:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ - 169.254.*
+ SELECTION_4:
+ IpAddress: ::1
+ SELECTION_5:
+ IpAddress:
+ - fe80::*
+ - fc00::*
+ condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3 or SELECTION_4 or
+ SELECTION_5)))
+falsepositives:
+- Legitimate logon attempts over the internet
+- IPv4-to-IPv6 mapped IPs
+id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
+level: medium
+logsource:
+ product: windows
+ service: security
+tags:
+- attack.initial_access
+- attack.persistence
+- attack.t1078
+- attack.t1190
+- attack.t1133
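Review bot: The private-range exclusion in `SELECTION_5` lists `fc00::*` but not `fd00::*`; the IPv6 unique-local block is fc00::/7 and practically all deployed ULA addresses fall in its fd00::/8 half, so internal IPv6 failed logons would be reported as coming from a public IP. Add `- fd00::*` next to `fc00::*`. The IPv4-mapped addresses named under `falsepositives` could be handled in the same filter with prefixes such as `'::ffff:10.*'`, since those are already known to be internal.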
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
new file mode 100644
index 00000000..d133bc09
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -0,0 +1,27 @@
+
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects a source user failing to authenticate with multiple users using
+ explicit credentials on a host.
+detection:
+ SELECTION_1:
+ EventID: 4648
+ condition: SELECTION_1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
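Review bot: The aggregation `count(Account_Name) by ComputerName` uses a field name no sibling rule uses; the other spraying rules in this series aggregate on `TargetUserName` (e.g. `count(TargetUserName) by ProcessName`), and in Event 4648 "Account Name" appears under both the Subject and the Target, so `Account_Name` is ambiguous as well as inconsistent. Unless the backend field mapping defines `Account_Name`, this should be `condition: SELECTION_1 | count(TargetUserName) by ComputerName > 10`.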
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_process.yml
new file mode 100644
index 00000000..7b8b972e
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -0,0 +1,33 @@
+
+title: Multiple Users Failing to Authenticate from Single Process
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple accounts from a single process on
+ the system.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ LogonType: 2
+ SELECTION_3:
+ ProcessName: '-'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by ProcessName > 10
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+- https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source.yml
new file mode 100644
index 00000000..93222d21
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -0,0 +1,32 @@
+
+title: Failed Logins with Different Accounts from Single Source System
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+ single source system
+detection:
+ SELECTION_1:
+ EventID: 529
+ SELECTION_2:
+ EventID: 4625
+ SELECTION_3:
+ TargetUserName: '*'
+ SELECTION_4:
+ WorkstationName: '*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) | count(TargetUserName)
+ by WorkstationName > 3
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source2.yml
new file mode 100644
index 00000000..23cb0de7
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source2.yml
@@ -0,0 +1,33 @@
+
+title: Failed Logins with Different Accounts from Single Source System
+author: Florian Roth
+date: 2017/01/10
+description: Detects suspicious failed logins with different user accounts from a
+ single source system
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ TargetUserName: '*'
+ SELECTION_3:
+ Workstation: '*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName)
+ by Workstation > 3
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+related:
+- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+ type: derived
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1078
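Review bot: The title is identical to the preceding rule (the one this file is marked as `derived` from), so the two alerts are indistinguishable in any console that lists by title. Since this variant keys on Event 4776 and the `Workstation` field, the same event the series' NTLM rules use, something like `title: Failed Logins with Different Accounts from Single Source System (NTLM)` would separate them.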
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
new file mode 100644
index 00000000..7202f464
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -0,0 +1,33 @@
+
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects multiple failed logins with multiple valid domain accounts from
+ a single source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4771
+ SELECTION_2:
+ Status: '0x18'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 00000000..a37dfc92
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -0,0 +1,33 @@
+
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects failed logins with multiple disabled domain accounts from a single
+ source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ Status: '0x12'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 00000000..7197b2b1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -0,0 +1,33 @@
+
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+author: Mauricio Velazco, frack113
+date: 2021/06/01
+description: Detects failed logins with multiple invalid domain accounts from a single
+ source system using the Kerberos protocol.
+detection:
+ SELECTION_1:
+ EventID: 4768
+ SELECTION_2:
+ Status: '0x6'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+falsepositives:
+- Vulnerability scanners
+- Misconfigured systems
+- Remote administration tools
+- VPN terminators
+- Multiuser systems like Citrix server farms
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 00000000..8186a0f4
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -0,0 +1,32 @@
+
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple valid domain accounts from a single
+ source system using the NTLM protocol.
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Status: '*0xC000006A'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by Workstation > 10
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 00000000..0604c9a4
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -0,0 +1,32 @@
+
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects failed logins with multiple invalid domain accounts from a single
+ source system using the NTLM protocol.
+detection:
+ SELECTION_1:
+ EventID: 4776
+ SELECTION_2:
+ Status: '*0xC0000064'
+ SELECTION_3:
+ TargetUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by Workstation > 10
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/windows/builtin/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 00000000..dcc802c5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -0,0 +1,32 @@
+
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+author: Mauricio Velazco
+date: 2021/06/01
+description: Detects a source system failing to authenticate against a remote host
+ with multiple users.
+detection:
+ SELECTION_1:
+ EventID: 4625
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ IpAddress: '-'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) | count(TargetUserName)
+ by IpAddress > 10
+falsepositives:
+- Terminal servers
+- Jump servers
+- Other multiuser systems like Citrix server farms
+- Workstations with frequently changing users
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/09
+references:
+- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+- attack.t1110.003
+- attack.initial_access
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_susp_interactive_logons.yml b/rules/sigma/windows/builtin/win_susp_interactive_logons.yml
new file mode 100644
index 00000000..b287f0d8
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_interactive_logons.yml
@@ -0,0 +1,36 @@
+
+title: Interactive Logon to Server Systems
+author: Florian Roth
+date: 2017/03/17
+description: Detects interactive console logons to Server Systems
+detection:
+ SELECTION_1:
+ EventID: 528
+ SELECTION_2:
+ EventID: 529
+ SELECTION_3:
+ EventID: 4624
+ SELECTION_4:
+ EventID: 4625
+ SELECTION_5:
+ LogonType: 2
+ SELECTION_6:
+ ComputerName:
+ - '%ServerSystems%'
+ - '%DomainControllers%'
+ SELECTION_7:
+ LogonProcessName: Advapi
+ SELECTION_8:
+ ComputerName: '%Workstations%'
+ condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5
+ and SELECTION_6) and not (SELECTION_7 and SELECTION_8))
+falsepositives:
+- Administrative activity via KVM or ILO board
+id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+level: medium
+logsource:
+ product: windows
+ service: security
+tags:
+- attack.lateral_movement
+- attack.t1078
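Review bot: `SELECTION_6` and `SELECTION_8` rely on the placeholders `%ServerSystems%`, `%DomainControllers%` and `%Workstations%`; if the deploying backend has no value configured for them, a plain conversion matches those literal strings and the rule silently never fires. The rule should say so, e.g. append to `description:` the sentence `Requires the ServerSystems, DomainControllers and Workstations placeholders to be mapped to host lists in the backend configuration.` It should also carry a `status:` key like the neighbouring rules.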
diff --git a/rules/sigma/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/sigma/windows/builtin/win_susp_kerberos_manipulation.yml
new file mode 100644
index 00000000..9fbbc4f9
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_kerberos_manipulation.yml
@@ -0,0 +1,58 @@
+
+title: Kerberos Manipulation
+author: Florian Roth
+date: 2017/02/10
+description: This method triggers on rare Kerberos Failure Codes caused by manipulations
+ of Kerberos messages
+detection:
+ SELECTION_1:
+ EventID: 675
+ SELECTION_2:
+ EventID: 4768
+ SELECTION_3:
+ EventID: 4769
+ SELECTION_4:
+ EventID: 4771
+ SELECTION_5:
+ FailureCode:
+ - '0x9'
+ - '0xA'
+ - '0xB'
+ - '0xF'
+ - '0x10'
+ - '0x11'
+ - '0x13'
+ - '0x14'
+ - '0x1A'
+ - '0x1F'
+ - '0x21'
+ - '0x22'
+ - '0x23'
+ - '0x24'
+ - '0x26'
+ - '0x27'
+ - '0x28'
+ - '0x29'
+ - '0x2C'
+ - '0x2D'
+ - '0x2E'
+ - '0x2F'
+ - '0x31'
+ - '0x32'
+ - '0x3E'
+ - '0x3F'
+ - '0x40'
+ - '0x41'
+ - '0x43'
+ - '0x44'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Faulty legacy applications
+id: f7644214-0eb0-4ace-9455-331ec4c09253
+level: high
+logsource:
+ product: windows
+ service: security
+tags:
+- attack.credential_access
+- attack.t1212
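Review bot: `SELECTION_5` filters on `FailureCode`, whereas the other Kerberos rules in this series match failure codes for 4768/4771 on the `Status` field (`Status: '0x18'`, `Status: '0x12'`, `Status: '0x6'`). `FailureCode` is the name that goes with the legacy Event 675 in `SELECTION_1`; unless the field mapping aliases it to `Status`, the 4768/4769/4771 branch of this rule will not match on current Windows versions. Either split the selection so the modern IDs use `Status`, or document which field mapping the rule expects.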
diff --git a/rules/sigma/windows/builtin/win_susp_ldap_dataexchange.yml b/rules/sigma/windows/builtin/win_susp_ldap_dataexchange.yml
new file mode 100644
index 00000000..666a893b
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_ldap_dataexchange.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious LDAP-Attributes Used
+author: xknow @xknow_infosec
+date: 2019/03/24
+description: Detects the usage of particular AttributeLDAPDisplayNames, which are
+ known for data exchange via LDAP by the tool LDAPFragger and are additionally not
+ commonly used in companies.
+detection:
+ SELECTION_1:
+ EventID: 5136
+ SELECTION_2:
+ AttributeValue: '*'
+ SELECTION_3:
+ AttributeLDAPDisplayName:
+ - primaryInternationalISDNNumber
+ - otherFacsimileTelephoneNumber
+ - primaryTelexNumber
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Companies, who may use these default LDAP-Attributes for personal information
+id: d00a9a72-2c09-4459-ad03-5e0a23351e36
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+- https://github.com/fox-it/LDAPFragger
+status: experimental
+tags:
+- attack.t1071
+- attack.t1001.003
+- attack.command_and_control
diff --git a/rules/sigma/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/sigma/windows/builtin/win_susp_local_anon_logon_created.yml
new file mode 100644
index 00000000..be0b662d
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_local_anon_logon_created.yml
@@ -0,0 +1,31 @@
+
+title: Suspicious Windows ANONYMOUS LOGON Local Account Created
+author: James Pemberton / @4A616D6573
+date: 2019/10/31
+description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON,
+ such as using additional spaces. Created as an covering detection for exclusion
+ of Logon Type 3 from ANONYMOUS LOGON accounts.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ SELECTION_2:
+ SamAccountName: '*ANONYMOUS*'
+ SELECTION_3:
+ SamAccountName: '*LOGON*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 1bbf25b9-8038-4154-a50b-118f2a32be27
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/06
+references:
+- https://twitter.com/SBousseaden/status/1189469425482829824
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
+- attack.t1136.002
diff --git a/rules/sigma/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/sigma/windows/builtin/win_susp_logon_explicit_credentials.yml
new file mode 100644
index 00000000..d565d27a
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_logon_explicit_credentials.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Remote Logon with Explicit Credentials
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st
+date: 2020/10/05
+description: Detects suspicious processes logging on with explicit credentials
+detection:
+ SELECTION_1:
+ EventID: 4648
+ SELECTION_2:
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\pwsh.exe'
+ - '*\winrs.exe'
+ - '*\wmic.exe'
+ - '*\net.exe'
+ - '*\net1.exe'
+ - '*\reg.exe'
+ SELECTION_3:
+ TargetServerName: localhost
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Administrators that use the RunAS command or scheduled tasks
+id: 941e5c45-cda7-4864-8cea-bbb7458d194a
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+status: experimental
+tags:
+- attack.t1078
+- attack.lateral_movement
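Review bot: `SELECTION_2` matches on `Image`, a Sysmon-style field name, while the logsource is `service: security` and the other Security-log rules in this series use `ProcessName` for the same purpose (the LSASS rules, for example); unless the backend maps `Image` onto the 4648 process field, this selection never matches and the rule is silent. Rename the key to `ProcessName:` with the values unchanged, or note the required field mapping in the description.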
diff --git a/rules/sigma/windows/builtin/win_susp_lsass_dump.yml b/rules/sigma/windows/builtin/win_susp_lsass_dump.yml
new file mode 100644
index 00000000..d30ba662
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_lsass_dump.yml
@@ -0,0 +1,31 @@
+
+title: Password Dumper Activity on LSASS
+author: sigma
+date: 2017/02/12
+description: Detects process handle on LSASS process with certain access mask and
+ object type SAM_DOMAIN
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ ProcessName: '*\lsass.exe'
+ SELECTION_3:
+ AccessMask: '0x705'
+ SELECTION_4:
+ ObjectType: SAM_DOMAIN
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/06/21
+references:
+- https://twitter.com/jackcr/status/807385668833968128
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/sigma/windows/builtin/win_susp_lsass_dump_generic.yml
new file mode 100644
index 00000000..1141cf54
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_lsass_dump_generic.yml
@@ -0,0 +1,81 @@
+
+title: Generic Password Dumper Activity on LSASS
+author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich,
+ Aleksey Potapov, oscd.community (update)
+date: 2019/11/01
+description: Detects process handle on LSASS process with certain access mask
+detection:
+ SELECTION_1:
+ ObjectName: '*\lsass.exe'
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ AccessMask:
+ - '*0x40*'
+ - '*0x1400*'
+ - '*0x1000*'
+ - '*0x100000*'
+ - '*0x1410*'
+ - '*0x1010*'
+ - '*0x1438*'
+ - '*0x143a*'
+ - '*0x1418*'
+ - '*0x1f0fff*'
+ - '*0x1f1fff*'
+ - '*0x1f2fff*'
+ - '*0x1f3fff*'
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ AccessList:
+ - '*4484*'
+ - '*4416*'
+ SELECTION_6:
+ ProcessName:
+ - '*\wmiprvse.exe'
+ - '*\taskmgr.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\lsm.exe'
+ - '*\csrss.exe'
+ - '*\wininit.exe'
+ - '*\vmtoolsd.exe'
+ - '*\minionhost.exe'
+ - '*\VsTskMgr.exe'
+ - '*\thor64.exe'
+ SELECTION_7:
+ ProcessName:
+ - C:\Windows\System32\\*
+ - C:\Windows\SysWow64\\*
+ - C:\Windows\SysNative\\*
+ - C:\Program Files\\*
+ - C:\Windows\Temp\asgard2-agent\\*
+ SELECTION_8:
+ ProcessName:
+ - C:\Program Files*
+ condition: (((SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5))) and not (SELECTION_6 and SELECTION_7)) and not (SELECTION_8))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+ with it
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ProcessName
+- ProcessID
+id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/04/19
+references:
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- car.2019-04-004
+- attack.t1003.001
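Review bot: `SELECTION_8` (`C:\Program Files*`) is excluded unconditionally by the final `and not (SELECTION_8)`, so any process located under Program Files or Program Files (x86) is exempt from this detection regardless of its name; that is a much wider exemption than the `SELECTION_6 and SELECTION_7` pairing, which at least ties each path to a known process name. It weakens the rule in exactly the environments where the `falsepositives` entry says the whitelist should be curated. Prefer dropping `SELECTION_8` and adding the specific vendor directories that cause noise to `SELECTION_7`, where they remain bound to the process names in `SELECTION_6`.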
diff --git a/rules/sigma/windows/builtin/win_susp_mshta_execution.yml b/rules/sigma/windows/builtin/win_susp_mshta_execution.yml
new file mode 100644
index 00000000..6dbd6bb3
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_mshta_execution.yml
@@ -0,0 +1,40 @@
+
+title: MSHTA Suspicious Execution 01
+author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
+date: 2019/02/22
+description: Detection for mshta.exe suspicious execution patterns sometimes involving
+ file polyglotism
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\mshta.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*vbscript*'
+ - '*.jpg*'
+ - '*.png*'
+ - '*.lnk*'
+ - '*.xls*'
+ - '*.doc*'
+ - '*.zip*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- False positives depend on scripts and administrative tools used in the monitored
+ environment
+id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/23
+references:
+- http://blog.sevagas.com/?Hacking-around-HTA-files
+- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
+- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
+- attack.t1218.005
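Review bot: Every new rule file in this diff opens with an empty first line (L6232 here), which reads as a conversion artifact; drop it or replace it with the YAML document-start marker `---`. Separately, `EventID: 1` in SELECTION_1 pins a `category: process_creation` rule to Sysmon, while the category is there to let the backend choose the source, so the selection is redundant with the logsource and could be removed. The `'*.jpg*'` / `'*.png*'` command-line patterns are very broad for a `high` level rule, which the falsepositives entry only hints at.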
diff --git a/rules/sigma/windows/builtin/win_susp_msmpeng_crash.yml b/rules/sigma/windows/builtin/win_susp_msmpeng_crash.yml
new file mode 100644
index 00000000..194a5597
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_msmpeng_crash.yml
@@ -0,0 +1,37 @@
+
+title: Microsoft Malware Protection Engine Crash
+author: Florian Roth
+date: 2017/05/09
+description: This rule detects a suspicious crash of the Microsoft Malware Protection
+ Engine
+detection:
+ SELECTION_1:
+ Source: Application Error
+ SELECTION_2:
+ EventID: 1000
+ SELECTION_3:
+ Source: Windows Error Reporting
+ SELECTION_4:
+ EventID: 1001
+ SELECTION_5:
+ - MsMpEng.exe
+ SELECTION_6:
+ - mpengine.dll
+ condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- MsMpEng.exe can crash when C:\ is full
+id: 6c82cf5c-090d-4d57-9188-533577631108
+level: high
+logsource:
+ product: windows
+ service: application
+references:
+- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+- https://technet.microsoft.com/en-us/library/security/4022344
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1211
+- attack.t1562.001
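Review bot: `attack.t1089` in the tags is a retired ATT&CK technique ID that was superseded by `attack.t1562.001`, already listed two lines below, so the tag list mixes current and retired identifiers. The same pattern of a retired ID sitting next to its sub-technique replacement appears in the ntlm_auth (t1075), psexec and svcctl_remote_service (t1077), rc4_kerberos, outbound_kerberos and lsaregisterlogonprocess (t1208), rottenpotato (t1171), sdelete (t1107, t1066) and time_modification (t1099) rules in this diff. If the retired IDs are kept on purpose for older consumers, a comment saying so would help; otherwise drop them.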
diff --git a/rules/sigma/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
new file mode 100644
index 00000000..e732c2f8
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml
@@ -0,0 +1,34 @@
+
+title: Suspicious Multiple File Rename Or Delete Occurred
+author: Vasiliy Burov, oscd.community
+date: 2020/10/16
+description: Detects multiple file rename or delete events occurrence within a specified
+ period of time by a same user (these events may signalize about ransomware activity).
+detection:
+ SELECTION_1:
+ EventID: 4663
+ SELECTION_2:
+ ObjectType: File
+ SELECTION_3:
+ AccessList: '%%1537'
+ SELECTION_4:
+ Keywords: '0x8020000000000000'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) | count()
+ by SubjectLogonId > 10
+falsepositives:
+- Software uninstallation
+- Files restore activities
+id: 97919310-06a7-482c-9639-92b67ed63cf8
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local
+ Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security
+ Settings/Advanced Audit Policy Configuration/Object Access'
+ product: windows
+ service: security
+references:
+- https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
+status: experimental
+tags:
+- attack.impact
+- attack.t1486
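Review bot: The aggregation `| count() by SubjectLogonId > 10` has no `timeframe` under `detection`, so the counting window is whatever the backend defaults to, while the description promises a count "within a specified period of time". Add a window next to `condition`, e.g. `timeframe: 5m` (value to be tuned per environment), so the threshold is meaningful and portable across backends.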
diff --git a/rules/sigma/windows/builtin/win_susp_net_recon_activity.yml b/rules/sigma/windows/builtin/win_susp_net_recon_activity.yml
new file mode 100644
index 00000000..7a2687a5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_net_recon_activity.yml
@@ -0,0 +1,45 @@
+
+title: Reconnaissance Activity
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements),
+ oscd.community
+date: 2017/03/07
+description: Detects activity as "net user administrator /domain" and "net group domain
+ admins /domain"
+detection:
+ SELECTION_1:
+ EventID: 4661
+ SELECTION_2:
+ ObjectType:
+ - SAM_USER
+ - SAM_GROUP
+ SELECTION_3:
+ ObjectName: S-1-5-21-*
+ SELECTION_4:
+ AccessMask: '0x2d'
+ SELECTION_5:
+ ObjectName:
+ - '*-500'
+ - '*-512'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Administrator activity
+- Penetration tests
+id: 968eef52-9cff-4454-8992-1e74b9cbad6c
+level: high
+logsource:
+ definition: The volume of Event ID 4661 is high on Domain Controllers and therefore
+ "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured
+ in the recommendations for server systems
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1087
+- attack.t1087.002
+- attack.t1069
+- attack.t1069.002
+- attack.s0039
diff --git a/rules/sigma/windows/builtin/win_susp_ntlm_auth.yml b/rules/sigma/windows/builtin/win_susp_ntlm_auth.yml
new file mode 100644
index 00000000..ef45d4f1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_ntlm_auth.yml
@@ -0,0 +1,28 @@
+
+title: NTLM Logon
+author: Florian Roth
+date: 2018/06/08
+description: Detects logons using NTLM, which could be caused by a legacy source or
+ attackers
+detection:
+ SELECTION_1:
+ EventID: 8002
+ SELECTION_2:
+ CallingProcessName: '*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legacy hosts
+id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
+level: low
+logsource:
+ definition: Requires events from Microsoft-Windows-NTLM/Operational
+ product: windows
+ service: ntlm
+references:
+- https://twitter.com/JohnLaTwC/status/1004895028995477505
+- https://goo.gl/PsqrhT
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.t1550.002
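Review bot: `CallingProcessName: '*'` in SELECTION_2 only asserts that the field is present and never narrows the match, so the rule effectively fires on every event 8002; if that is intended, a sentence in `description` saying the selection is a field-presence check would make it clear. The second reference is a `goo.gl` short link, which hides the destination and may stop resolving; replace it with the resolved URL.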
diff --git a/rules/sigma/windows/builtin/win_susp_ntlm_rdp.yml b/rules/sigma/windows/builtin/win_susp_ntlm_rdp.yml
new file mode 100644
index 00000000..8cc21ffe
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_ntlm_rdp.yml
@@ -0,0 +1,33 @@
+
+title: Potential Remote Desktop Connection to Non-Domain Host
+author: James Pemberton
+date: 2020/05/22
+description: Detects logons using NTLM to hosts that are potentially not part of the
+ domain.
+detection:
+ SELECTION_1:
+ EventID: 8001
+ SELECTION_2:
+ TargetName: TERMSRV*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Host connections to valid domains, exclude these.
+- Host connections not using host FQDN.
+- Host connections to external legitimate domains.
+fields:
+- Computer
+- UserName
+- DomainName
+- TargetName
+id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
+level: medium
+logsource:
+ definition: Requires events from Microsoft-Windows-NTLM/Operational
+ product: windows
+ service: ntlm
+references:
+- n/a
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1219
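Review bot: `references: - n/a` is a placeholder rather than a reference; the key is optional in Sigma, so drop the whole `references` block instead of shipping a dummy entry. The title claims detection of connections to non-domain hosts, but SELECTION_2 only matches `TargetName: TERMSRV*` and the domain exclusion is left to the falsepositives guidance; consider stating in `description` that a per-environment domain-name exclusion has to be added for the rule to mean what the title says.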
diff --git a/rules/sigma/windows/builtin/win_susp_proceshacker.yml b/rules/sigma/windows/builtin/win_susp_proceshacker.yml
new file mode 100644
index 00000000..fae5bba5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_proceshacker.yml
@@ -0,0 +1,28 @@
+
+title: ProcessHacker Privilege Elevation
+author: Florian Roth
+date: 2021/05/27
+description: Detects a ProcessHacker tool that elevated privileges to a very high
+ level
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: ProcessHacker*
+ SELECTION_3:
+ AccountName: LocalSystem
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unlikely
+id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
+level: high
+logsource:
+ product: windows
+ service: system
+references:
+- https://twitter.com/1kwpeter/status/1397816101455765504
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1543.003
+- attack.t1569.002
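Review bot: This rule has no `status` key, while the surrounding rules in this diff declare `experimental` or `stable`; the same omission occurs in the psexec, raccess_sensitive_fext, svcctl_remote_service and system_susp_eventlog_cleared rules. Add `status: experimental` (or whatever maturity the maintainers intend) so consumers can filter on status consistently. The file name spells `proceshacker` with a single `s`, unlike the title.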
diff --git a/rules/sigma/windows/builtin/win_susp_psexec.yml b/rules/sigma/windows/builtin/win_susp_psexec.yml
new file mode 100644
index 00000000..c76445aa
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_psexec.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious PsExec Execution
+author: Samir Bousseaden
+date: 2019/04/03
+description: detects execution of psexec or paexec with renamed service name, this
+ rule helps to filter out the noise if psexec is used for legit purposes or if attacker
+ uses a different psexec client other than sysinternal one
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName:
+ - '*-stdin'
+ - '*-stdout'
+ - '*-stderr'
+ SELECTION_4:
+ EventID: 5145
+ SELECTION_5:
+ ShareName: \\*\IPC$
+ SELECTION_6:
+ RelativeTargetName: PSEXESVC*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
+ and SELECTION_5 and SELECTION_6))
+falsepositives:
+- nothing observed so far
+id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
+level: high
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+tags:
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
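Review bot: SELECTION_4 and SELECTION_5 duplicate SELECTION_1 and SELECTION_2 exactly, so the `not (SELECTION_4 and SELECTION_5 and SELECTION_6)` branch reduces to `not SELECTION_6`; the condition could be written `(SELECTION_1 and SELECTION_2 and SELECTION_3) and not SELECTION_6` with the two redundant selections removed. This looks like an artifact of converting a `selection and not filter` rule whose filter repeated the base fields.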
diff --git a/rules/sigma/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/sigma/windows/builtin/win_susp_raccess_sensitive_fext.yml
new file mode 100644
index 00000000..4692f5d7
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_raccess_sensitive_fext.yml
@@ -0,0 +1,41 @@
+
+title: Suspicious Access to Sensitive File Extensions
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects known sensitive file extensions accessed on a network share
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName:
+ - '*.pst'
+ - '*.ost'
+ - '*.msg'
+ - '*.nst'
+ - '*.oab'
+ - '*.edb'
+ - '*.nsf'
+ - '*.bak'
+ - '*.dmp'
+ - '*.kirbi'
+ - '*\groups.xml'
+ - '*.rdp'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Help Desk operator doing backup or re-imaging end user machine or pentest or backup
+ software
+- Users working with these data types or exchanging message files
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- RelativeTargetName
+id: 91c945bc-2ad1-4799-a591-4d00198a1215
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+tags:
+- attack.collection
+- attack.t1039
diff --git a/rules/sigma/windows/builtin/win_susp_rc4_kerberos.yml b/rules/sigma/windows/builtin/win_susp_rc4_kerberos.yml
new file mode 100644
index 00000000..c556f550
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_rc4_kerberos.yml
@@ -0,0 +1,32 @@
+
+title: Suspicious Kerberos RC4 Ticket Encryption
+author: Florian Roth
+date: 2017/02/06
+description: Detects service ticket requests using RC4 encryption type
+detection:
+ SELECTION_1:
+ EventID: 4769
+ SELECTION_2:
+ TicketOptions: '0x40810000'
+ SELECTION_3:
+ TicketEncryptionType: '0x17'
+ SELECTION_4:
+ ServiceName: $*
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Service accounts used on legacy systems (e.g. NetApp)
+- Windows Domains with DFL 2003 and legacy systems
+id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/14
+references:
+- https://adsecurity.org/?p=3458
+- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1208
+- attack.t1558.003
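Review bot: The exclusion `ServiceName: $*` matches service names that begin with `$`, but Windows computer accounts carry the `$` at the end (e.g. `HOST$`), so if the intent was to drop ticket requests for computer-account SPNs the pattern should be `ServiceName: '*$'`. As written SELECTION_4 most likely excludes nothing, and the rule fires on every RC4 service-ticket request, including the machine-to-machine ones the falsepositives section describes. Quoting the value also avoids any doubt about how `$*` is read.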
diff --git a/rules/sigma/windows/builtin/win_susp_rottenpotato.yml b/rules/sigma/windows/builtin/win_susp_rottenpotato.yml
new file mode 100644
index 00000000..22ba93aa
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_rottenpotato.yml
@@ -0,0 +1,34 @@
+
+title: RottenPotato Like Attack Pattern
+author: '@SBousseaden, Florian Roth'
+date: 2019/11/15
+description: Detects logon events that have characteristics of events generated during
+ an attack with RottenPotato and the like
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ LogonType: 3
+ SELECTION_3:
+ TargetUserName: ANONYMOUS_LOGON
+ SELECTION_4:
+ WorkstationName: '-'
+ SELECTION_5:
+ IpAddress: 127.0.0.1
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+references:
+- https://twitter.com/SBousseaden/status/1195284233729777665
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.credential_access
+- attack.t1171
+- attack.t1557.001
diff --git a/rules/sigma/windows/builtin/win_susp_sam_dump.yml b/rules/sigma/windows/builtin/win_susp_sam_dump.yml
new file mode 100644
index 00000000..196f3b60
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_sam_dump.yml
@@ -0,0 +1,27 @@
+
+title: SAM Dump to AppData
+author: Florian Roth
+date: 2018/01/27
+description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other
+ password dumpers
+detection:
+ SELECTION_1:
+ EventID: 16
+ SELECTION_2:
+ - \AppData\Local\Temp\SAM-
+ SELECTION_3:
+ - .dmp
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Penetration testing
+id: 839dd1e8-eda8-4834-8145-01beeee33acd
+level: high
+logsource:
+ definition: The source of this type of event is Kernel-General
+ product: windows
+ service: system
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/windows/builtin/win_susp_sdelete.yml b/rules/sigma/windows/builtin/win_susp_sdelete.yml
new file mode 100644
index 00000000..1495d239
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_sdelete.yml
@@ -0,0 +1,40 @@
+
+title: Secure Deletion with SDelete
+author: Thomas Patzke
+date: 2017/06/14
+description: Detects renaming of file while deletion with SDelete tool.
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ EventID: 4658
+ SELECTION_4:
+ ObjectName:
+ - '*.AAA'
+ - '*.ZZZ'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate usage of SDelete
+id: 39a80702-d7ca-4a83-b776-525b1f86a36d
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/02
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete
+status: experimental
+tags:
+- attack.impact
+- attack.defense_evasion
+- attack.t1107
+- attack.t1070.004
+- attack.t1066
+- attack.t1027.005
+- attack.t1485
+- attack.t1553.002
+- attack.s0195
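Review bot: SELECTION_3 (`EventID: 4658`, handle closed) is combined with the `ObjectName` patterns in SELECTION_4, but as far as I recall event 4658 carries only the handle ID and process information and no `ObjectName`, so that branch of the `or` can never match. Either drop `SELECTION_3` from the condition or document in `description` that it is kept for backends that join 4658 to the originating 4656 by handle.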
diff --git a/rules/sigma/windows/builtin/win_susp_time_modification.yml b/rules/sigma/windows/builtin/win_susp_time_modification.yml
new file mode 100644
index 00000000..3fdcf5fd
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_time_modification.yml
@@ -0,0 +1,40 @@
+
+title: Unauthorized System Time Modification
+author: '@neu5ron'
+date: 2019/02/05
+description: Detect scenarios where a potentially unauthorized application or user
+ is modifying the system time.
+detection:
+ SELECTION_1:
+ EventID: 4616
+ SELECTION_2:
+ ProcessName: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
+ SELECTION_3:
+ ProcessName: C:\Windows\System32\VBoxService.exe
+ SELECTION_4:
+ ProcessName: C:\Windows\System32\svchost.exe
+ SELECTION_5:
+ SubjectUserSid: S-1-5-19
+ condition: (SELECTION_1 and not (((SELECTION_2 or SELECTION_3) or (SELECTION_4
+ and SELECTION_5))))
+falsepositives:
+- HyperV or other virtualization technologies with binary not listed in filter portion
+ of detection
+id: faa031b5-21ed-4e02-8881-2591f98d82ed
+level: medium
+logsource:
+ definition: 'Requirements: Audit Policy : System > Audit Security State Change,
+ Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+ product: windows
+ service: security
+modified: 2020/01/27
+references:
+- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
+- Live environment caused by malware
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1099
+- attack.t1070.006
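Review bot: The first two `references` entries ("Private Cuckoo Sandbox …" and "Live environment caused by malware") are provenance remarks rather than references and cannot be followed by a reader; move them into `description` or drop them, leaving the Microsoft event-4616 documentation link. The filter in SELECTION_2 to SELECTION_5 is path-exact, so a relocated VMware Tools or VirtualBox service will fall through to an alert; the falsepositives entry should mention that the paths need adjusting per image.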
diff --git a/rules/sigma/windows/builtin/win_susp_wmi_login.yml b/rules/sigma/windows/builtin/win_susp_wmi_login.yml
new file mode 100644
index 00000000..f71228a1
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_susp_wmi_login.yml
@@ -0,0 +1,23 @@
+
+title: Login with WMI
+author: Thomas Patzke
+date: 2019/12/04
+description: Detection of logins performed with WMI
+detection:
+ SELECTION_1:
+ EventID: 4624
+ SELECTION_2:
+ ProcessName: '*\WmiPrvSE.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Monitoring tools
+- Legitimate system administration
+id: 5af54681-df95-4c26-854f-2565e13cfab0
+level: low
+logsource:
+ product: windows
+ service: security
+status: stable
+tags:
+- attack.execution
+- attack.t1047
diff --git a/rules/sigma/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 00000000..04dcba2f
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,33 @@
+
+title: Suspicious Outbound Kerberos Connection
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+ indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+ SELECTION_1:
+ EventID: 5156
+ SELECTION_2:
+ DestinationPort: 88
+ SELECTION_3:
+ Image:
+ - '*\lsass.exe'
+ - '*\opera.exe'
+ - '*\chrome.exe'
+ - '*\firefox.exe'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Other browsers
+id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2019/11/13
+references:
+- https://github.com/GhostPack/Rubeus
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1208
+- attack.t1558.003
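Review bot: SELECTION_2 and SELECTION_3 use `DestinationPort` and `Image`, which are Sysmon network-connection field names, while the rule is bound to Security event 5156, whose native fields are `Application` and `DestPort`; unless the backend's field mapping translates these names, the rule will not match raw 5156 events. Confirm the mapping or align the field names with the 5156 schema. The filter is an allow-list of browsers and lsass, so any other binary reaching port 88 fires at `high`, while the falsepositives entry covers only other browsers.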
diff --git a/rules/sigma/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules/sigma/windows/builtin/win_suspicious_werfault_connection_outbound.yml
new file mode 100644
index 00000000..88227ac5
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_suspicious_werfault_connection_outbound.yml
@@ -0,0 +1,52 @@
+
+title: Suspicious Werfault.exe Network Connection Outbound
+author: Sreeman
+date: 2021/03/09
+description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised
+ systems to legitimate werfault.exe process to avoid detection.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: werfault.exe
+ SELECTION_3:
+ EventID: 3
+ SELECTION_4:
+ ParentImage: svchost.exe
+ SELECTION_5:
+ DestinationIp:
+ - 104.42.151.234
+ - 104.43.193.48
+ - 52.255.188.83
+ - 13.64.90.137
+ - 168.61.161.212
+ - 13.88.21.125
+ - 40.88.32.150
+ - 52.147.198.201
+ - 52.239.207.100
+ - 52.176.224.96
+ - 2607:7700:0:24:0:1:287e:1894
+ - 10.*
+ - 192.168.*
+ - 127.*
+ SELECTION_6:
+ DestinationHostname:
+ - '*.windowsupdate.com*'
+ - '*.microsoft.com*'
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6)))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces and Microsoft IP spaces
+id: e12c75f2-d09e-43f6-90e4-6a23842907af
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/06/11
+references:
+- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1571
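Review bot: `Image: werfault.exe` and `ParentImage: svchost.exe` are exact matches with no wildcard, but Sysmon event 3 reports `Image` as a full path, so SELECTION_2 will not match unless the backend normalises the field; `Image: '*\werfault.exe'` is the form the other rules in this diff use. As far as I know Sysmon network-connection events also do not carry `ParentImage`, so SELECTION_4 may make the whole `not` filter unsatisfiable and leave the IP and hostname allow-lists without effect. The filter additionally requires both the IP list and the hostname list to match (`and`), which looks stricter than intended.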
diff --git a/rules/sigma/windows/builtin/win_svcctl_remote_service.yml b/rules/sigma/windows/builtin/win_svcctl_remote_service.yml
new file mode 100644
index 00000000..91c3f669
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_svcctl_remote_service.yml
@@ -0,0 +1,32 @@
+
+title: Remote Service Activity via SVCCTL Named Pipe
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects remote service activity via remote access to the svcctl named
+ pipe
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: svcctl
+ SELECTION_4:
+ Accesses: '*WriteData*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- pentesting
+id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
+level: medium
+logsource:
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File
+ Share" must be configured for Success/Failure
+ product: windows
+ service: security
+references:
+- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+tags:
+- attack.lateral_movement
+- attack.persistence
+- attack.t1077
+- attack.t1021.002
diff --git a/rules/sigma/windows/builtin/win_syskey_registry_access.yml b/rules/sigma/windows/builtin/win_syskey_registry_access.yml
new file mode 100644
index 00000000..a03abe07
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_syskey_registry_access.yml
@@ -0,0 +1,34 @@
+
+title: SysKey Registry Keys Access
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/12
+description: Detects handle requests and access operations to specific registry keys
+ to calculate the SysKey
+detection:
+ SELECTION_1:
+ EventID: 4656
+ SELECTION_2:
+ EventID: 4663
+ SELECTION_3:
+ ObjectType: key
+ SELECTION_4:
+ ObjectName:
+ - '*lsa\JD'
+ - '*lsa\GBG'
+ - '*lsa\Skew1'
+ - '*lsa\Data'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2019/11/10
+references:
+- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
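Review bot: `ObjectType: key` is lowercase, whereas the Security log renders the registry object type as `Key`; whether this matches depends on the backend's case handling, so use the exact value `ObjectType: Key` to stay portable. A sentence in `description` noting that 4656/4663 are only generated for these keys when a SACL is configured on the parent `Lsa` registry key would help deployers, as the related rules in this diff do for their objects.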
diff --git a/rules/sigma/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/sigma/windows/builtin/win_sysmon_channel_reference_deletion.yml
new file mode 100644
index 00000000..2e5ec716
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_sysmon_channel_reference_deletion.yml
@@ -0,0 +1,39 @@
+
+title: Sysmon Channel Reference Deletion
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/07/14
+description: Potential threat actor tampering with Sysmon manifest and eventually
+ disabling it
+detection:
+ SELECTION_1:
+ ObjectName:
+ - '*WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*'
+ - '*WINEVT\Channels\Microsoft-Windows-Sysmon/Operational*'
+ SELECTION_2:
+ EventID: 4657
+ SELECTION_3:
+ ObjectValueName: Enabled
+ SELECTION_4:
+ NewValue: '0'
+ SELECTION_5:
+ EventID: 4663
+ SELECTION_6:
+ AccessMask: 65536
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/Flangvik/status/1283054508084473861
+- https://twitter.com/SecurityJosh/status/1283027365770276866
+- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
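Review bot: `AccessMask: 65536` is an integer, but event 4663 renders `AccessMask` as a hex string (`0x10000` for DELETE), and the other 4663 rules in this diff compare against quoted hex strings; unless the backend converts types, this selection will not match. Use `AccessMask: '0x10000'` to match the event's representation and the file's convention.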
diff --git a/rules/sigma/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/sigma/windows/builtin/win_system_susp_eventlog_cleared.yml
new file mode 100644
index 00000000..ea185905
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_system_susp_eventlog_cleared.yml
@@ -0,0 +1,35 @@
+
+title: Eventlog Cleared
+author: Florian Roth
+date: 2017/01/10
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil
+ cl" command execution
+detection:
+ SELECTION_1:
+ EventID: 104
+ SELECTION_2:
+ Source: Microsoft-Windows-Eventlog
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Rollout of log collection agents (the setup routine often includes a reset of the
+ local Eventlog)
+- System provisioning (system reset before the golden image creation)
+id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://twitter.com/deviouspolack/status/832535435960209408
+- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+related:
+- id: f2f01843-e7b8-4f95-a35a-d23584476423
+ type: obsoletes
+- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
+ type: derived
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1070.001
+- car.2016-04-002
diff --git a/rules/sigma/windows/builtin/win_tap_driver_installation.yml b/rules/sigma/windows/builtin/win_tap_driver_installation.yml
new file mode 100644
index 00000000..913ab312
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_tap_driver_installation.yml
@@ -0,0 +1,24 @@
+
+title: Tap Driver Installation
+author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+date: 2019/10/24
+description: Well-known TAP software installation. Possible preparation for data exfiltration
+ using tunnelling techniques
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ImagePath: '*tap0901*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate OpenVPN TAP insntallation
+id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+level: medium
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
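Review bot: Typo in the falsepositives entry: `insntallation` should read `installation`. The rule has no `references`; since the description calls the `tap0901` driver name well-known, a link to the TAP-Windows/OpenVPN documentation would back that claim up.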
diff --git a/rules/sigma/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
new file mode 100644
index 00000000..47dc4116
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -0,0 +1,36 @@
+
+title: Transferring Files with Credential Data via Network Shares
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Transferring files with well-known filenames (sensitive files with credential
+ data) using network shares
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName:
+ - '*\mimidrv*'
+ - '*\lsass*'
+ - '*\windows\minidump\\*'
+ - '*\hiberfil*'
+ - '*\sqldmpr*'
+ - '*\sam*'
+ - '*\ntds.dit*'
+ - '*\security*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Transferring sensitive files for legitimate administration work by legitimate administrator
+id: 910ab938-668b-401b-b08c-b596e80fdca5
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
+- attack.t1003.001
+- attack.t1003.003
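Review bot: `'*\sam*'` and `'*\security*'` in SELECTION_2 match any path component beginning with those letters (`\samples\`, `\security-updates\`, …), which will dominate the hits on busy file servers at `medium` level. Anchoring them, e.g. `'*\sam'` and `'*\security'` plus the dump suffixes actually expected, or documenting the required tuning in `description`, would make the rule usable; the falsepositives entry does not cover these collisions.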
diff --git a/rules/sigma/windows/builtin/win_usb_device_plugged.yml b/rules/sigma/windows/builtin/win_usb_device_plugged.yml
new file mode 100644
index 00000000..24d35c90
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_usb_device_plugged.yml
@@ -0,0 +1,27 @@
+
+title: USB Device Plugged
+author: Florian Roth
+date: 2017/11/09
+description: Detects plugged USB devices
+detection:
+ SELECTION_1:
+ EventID: 2003
+ SELECTION_2:
+ EventID: 2100
+ SELECTION_3:
+ EventID: 2102
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- Legitimate administrative activity
+id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
+level: low
+logsource:
+ product: windows
+ service: driver-framework
+references:
+- https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
+- https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1200
diff --git a/rules/sigma/windows/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/windows/builtin/win_user_added_to_local_administrators.yml
new file mode 100644
index 00000000..0ba30fcc
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_user_added_to_local_administrators.yml
@@ -0,0 +1,30 @@
+
+title: User Added to Local Administrators
+author: Florian Roth
+date: 2017/03/14
+description: This rule triggers on user accounts that are added to the local Administrators
+ group, which could be legitimate activity or a sign of privilege escalation activity
+detection:
+ SELECTION_1:
+ EventID: 4732
+ SELECTION_2:
+ TargetUserName: Administr*
+ SELECTION_3:
+ TargetSid: S-1-5-32-544
+ SELECTION_4:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
+falsepositives:
+- Legitimate administrative activity
+id: c265cf08-3f99-46c1-8d59-328247057d57
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/07/07
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1078
+- attack.persistence
+- attack.t1098
diff --git a/rules/sigma/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
new file mode 100644
index 00000000..0fbf2966
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -0,0 +1,31 @@
+
+title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+description: The 'LsaRegisterLogonProcess' function verifies that the application
+ making the function call is a logon process by checking that it has the SeTcbPrivilege
+ privilege set. Possible Rubeus tries to get a handle to LSA.
+detection:
+ SELECTION_1:
+ EventID: 4673
+ SELECTION_2:
+ Service: LsaRegisterLogonProcess()
+ SELECTION_3:
+ Keywords: '0x8010000000000000'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/14
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.t1208
+- attack.t1558.003
diff --git a/rules/sigma/windows/builtin/win_user_creation.yml b/rules/sigma/windows/builtin/win_user_creation.yml
new file mode 100644
index 00000000..c0bd2f4c
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_user_creation.yml
@@ -0,0 +1,31 @@
+
+title: Local User Creation
+author: Patrick Bareiss
+date: 2019/04/18
+description: Detects local user creation on windows servers, which shouldn't happen
+ in an Active Directory environment. Apply this Sigma Use Case on your windows server
+ logs and not on your DC logs.
+detection:
+ SELECTION_1:
+ EventID: 4720
+ condition: SELECTION_1
+falsepositives:
+- Domain Controller Logs
+- Local accounts managed by privileged account management tools
+fields:
+- EventCode
+- AccountName
+- AccountDomain
+id: 66b6be3d-55d0-4f47-9855-d69df21740ea
+level: low
+logsource:
+ product: windows
+ service: security
+modified: 2020/08/23
+references:
+- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1136
+- attack.t1136.001
diff --git a/rules/sigma/windows/builtin/win_user_driver_loaded.yml b/rules/sigma/windows/builtin/win_user_driver_loaded.yml
new file mode 100644
index 00000000..b98aef90
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_user_driver_loaded.yml
@@ -0,0 +1,51 @@
+
+title: Suspicious Driver Loaded By User
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+date: 2019/04/08
+description: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to
+ load or unload a device driver. With this privilege, the user can dynamically load
+ and unload device drivers or other code in to kernel mode. This user right does
+ not apply to Plug and Play device drivers. If you exclude privileged users/admins
+ and processes, which are allowed to do so, you are maybe left with bad programs
+ trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
+ and the usage of Sysinternals and various other tools. So you have to work with
+ a whitelist to find the bad stuff.
+detection:
+ SELECTION_1:
+ EventID: 4673
+ SELECTION_2:
+ PrivilegeList: SeLoadDriverPrivilege
+ SELECTION_3:
+ Service: '-'
+ SELECTION_4:
+ ProcessName:
+ - '*\Windows\System32\Dism.exe'
+ - '*\Windows\System32\rundll32.exe'
+ - '*\Windows\System32\fltMC.exe'
+ - '*\Windows\HelpPane.exe'
+ - '*\Windows\System32\mmc.exe'
+ - '*\Windows\System32\svchost.exe'
+ - '*\Windows\System32\wimserv.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\procmon64.exe'
+ - '*\procmon.exe'
+ - '*\Google\Chrome\Application\chrome.exe'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs
+ etc. - but not much. You have to baseline this according to your used products and
+ allowed tools. Also try to exclude users, which are allowed to load drivers.'
+id: f63508a0-c809-4435-b3be-ed819394d612
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
+status: experimental
+tags:
+- attack.t1089
+- attack.defense_evasion
+- attack.t1562.001
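Review bot: The SELECTION_4 exclusions match only on the tail of ProcessName, so entries such as `*\Windows\System32\rundll32.exe` and `*\Windows\System32\svchost.exe` are satisfied by any file with that path suffix on any drive, and rundll32/svchost are generic host processes whose driver loading is worth keeping visible rather than filtered out wholesale. Consider anchoring the system-binary entries to the system drive (e.g. `C:\Windows\System32\rundll32.exe`) and documenting in `falsepositives` why each entry is excluded, since the description itself says the allow-list is what makes the rule usable. `attack.t1089` in the tag list is a retired ID that `attack.t1562.001` already supersedes and can be dropped.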
diff --git a/rules/sigma/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/sigma/windows/builtin/win_volume_shadow_copy_mount.yml
new file mode 100644
index 00000000..1f0e03c6
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_volume_shadow_copy_mount.yml
@@ -0,0 +1,26 @@
+
+title: Volume Shadow Copy Mount
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/20
+description: Detects volume shadow copy mount
+detection:
+ SELECTION_1:
+ Source: Microsoft-Windows-Ntfs
+ SELECTION_2:
+ EventID: 98
+ SELECTION_3:
+ DeviceName: '*HarddiskVolumeShadowCopy*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of volume shadow copy mounts (backups maybe).
+id: f512acbf-e662-4903-843e-97ce4652b740
+level: medium
+logsource:
+ product: windows
+ service: system
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
diff --git a/rules/sigma/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/sigma/windows/builtin/win_vssaudit_secevent_source_registration.yml
new file mode 100644
index 00000000..24a406e8
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_vssaudit_secevent_source_registration.yml
@@ -0,0 +1,27 @@
+
+title: VSSAudit Security Event Source Registration
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/20
+description: Detects the registration of the security event source VSSAudit. It would
+ usually trigger when volume shadow copy operations happen.
+detection:
+ SELECTION_1:
+ AuditSourceName: VSSAudit
+ SELECTION_2:
+ EventID: 4904
+ SELECTION_3:
+ EventID: 4905
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
+id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
diff --git a/rules/sigma/windows/builtin/win_vul_cve_2020_0688.yml b/rules/sigma/windows/builtin/win_vul_cve_2020_0688.yml
new file mode 100644
index 00000000..59a22da0
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_vul_cve_2020_0688.yml
@@ -0,0 +1,31 @@
+
+title: CVE-2020-0688 Exploitation via Eventlog
+author: Florian Roth, wagga
+date: 2020/02/29
+description: Detects the exploitation of Microsoft Exchange vulnerability as described
+ in CVE-2020-0688
+detection:
+ SELECTION_1:
+ EventID: 4
+ SELECTION_2:
+ Source: MSExchange Control Panel
+ SELECTION_3:
+ Level: Error
+ SELECTION_4:
+ - '&__VIEWSTATE='
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: d6266bf5-935e-4661-b477-78772735a7cb
+level: high
+logsource:
+ product: windows
+ service: application
+modified: 2021/06/27
+references:
+- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1190
diff --git a/rules/sigma/windows/builtin/win_vul_cve_2020_1472.yml b/rules/sigma/windows/builtin/win_vul_cve_2020_1472.yml
new file mode 100644
index 00000000..bc23abed
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_vul_cve_2020_1472.yml
@@ -0,0 +1,25 @@
+
+title: Vulnerable Netlogon Secure Channel Connection Allowed
+author: NVISO
+date: 2020/09/15
+description: Detects that a vulnerable Netlogon secure channel connection was allowed,
+ which could be an indicator of CVE-2020-1472.
+detection:
+ SELECTION_1:
+ EventID: 5829
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+fields:
+- SAMAccountName
+id: a0cb7110-edf0-47a4-9177-541a4083128a
+level: high
+logsource:
+ product: windows
+ service: system
+modified: 2021/08/09
+references:
+- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
+status: experimental
+tags:
+- attack.privilege_escalation
diff --git a/rules/sigma/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..d31eb0df
--- /dev/null
+++ b/rules/sigma/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,29 @@
+
+title: T1047 Wmiprvse Wbemcomn DLL Hijack
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\wbem\wbemcomn.dll'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Unknown
+id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/windows/create_remote_thread/sysmon_cactustorch.yml
new file mode 100644
index 00000000..efa547f2
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_cactustorch.yml
@@ -0,0 +1,41 @@
+
+title: CACTUSTORCH Remote Thread Creation
+author: '@SBousseaden (detection), Thomas Patzke (rule)'
+date: 2019/02/01
+description: Detects remote thread creation from CACTUSTORCH as described in references.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage:
+ - '*\System32\cscript.exe'
+ - '*\System32\wscript.exe'
+ - '*\System32\mshta.exe'
+ - '*\winword.exe'
+ - '*\excel.exe'
+ SELECTION_3:
+ TargetImage: '*\SysWOW64\\*'
+ SELECTION_4:
+ StartModule|re: ^$
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 2e4e488a-6164-4811-9ea1-f960c7359c40
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2020/08/28
+references:
+- https://twitter.com/SBousseaden/status/1090588499517079552
+- https://github.com/mdsecactivebreach/CACTUSTORCH
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1093
+- attack.t1055.012
+- attack.execution
+- attack.t1064
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1218.005
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
new file mode 100644
index 00000000..4fe3a278
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -0,0 +1,31 @@
+
+title: CobaltStrike Process Injection
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+description: Detects a possible remote threat creation with certain characteristics
+ which are typical for Cobalt Strike beacons
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ TargetProcessAddress:
+ - '*0B80'
+ - '*0C7C'
+ - '*0C88'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2020/08/28
+references:
+- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
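Review bot: SELECTION_2 matches on three fixed low-order address suffixes (`0B80`, `0C7C`, `0C88`), which are tied to specific beacon builds (the 3.11-era builds discussed in the referenced posts, judging by the second URL) and will drift between versions, yet nothing in the rule records that. The description should state which builds the offsets were observed in and that this is an indicator-based rule rather than a behavioural one, e.g. `description: Detects remote thread creation at TargetProcessAddress offsets observed in specific Cobalt Strike beacon builds (see references); indicator-based, revisit when new builds are analysed`. That sets the right expectation for `level: high` and tells maintainers when the rule needs refreshing.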
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
new file mode 100644
index 00000000..981bc40e
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -0,0 +1,29 @@
+
+title: CreateRemoteThread API and LoadLibrary
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects potential use of CreateRemoteThread api and LoadLibrary function
+ to inject DLL into a process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ StartModule: '*\kernel32.dll'
+ SELECTION_3:
+ StartFunction: LoadLibraryA
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 052ec6f6-1adc-41e6-907a-f1c813478bee
+level: critical
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2020/08/28
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
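Review bot: SELECTION_3 matches only the ANSI entry point `LoadLibraryA`, while the wide and extended variants (`LoadLibraryW`, `LoadLibraryExA`, `LoadLibraryExW`) are equally ordinary start functions for the DLL-injection pattern the description names, so a `level: critical` rule with this narrow match has an undocumented coverage gap. Either widen the selection to `StartFunction|startswith: LoadLibrary` or state the limitation in the description. `falsepositives: Unknown` on a critical-severity rule also deserves a sentence, since legitimate hooking or instrumentation software may produce the same event shape.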
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
new file mode 100644
index 00000000..fa0f2607
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -0,0 +1,32 @@
+
+title: Password Dumper Remote Thread in LSASS
+author: Thomas Patzke
+date: 2017/02/19
+description: Detects password dumper activity by monitoring remote thread creation
+ EventID 8 in combination with the lsass.exe process as TargetImage. The process
+ in field Process is the malicious program. A single execution can lead to hundreds
+ of events.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ StartModule: ''
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Antivirus products
+id: f239b326-2f41-4d6b-9dfa-c846a60ef505
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/06/21
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.s0005
+- attack.t1003.001
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/windows/create_remote_thread/sysmon_powershell_code_injection.yml
new file mode 100644
index 00000000..3c080014
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_powershell_code_injection.yml
@@ -0,0 +1,26 @@
+
+title: Accessing WinAPI in PowerShell. Code Injection.
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+description: Detecting Code injection with PowerShell in another process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage: '*\powershell.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+level: high
+logsource:
+ category: create_remote_thread
+ definition: Note that you have to configure logging for CreateRemoteThread in Symson
+ config
+ product: windows
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
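Review bot: The `definition` text under logsource has a typo, `Symson` for `Sysmon`; it should read `definition: Note that you have to configure logging for CreateRemoteThread in Sysmon config`. The description is a single fragment that does not say what the selection actually matches; something like `description: Detects Sysmon EventID 8 remote thread creation where the source process is powershell.exe, a pattern associated with code injection into another process` would let an analyst judge the alert without opening the rule.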
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
new file mode 100644
index 00000000..c8928d89
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell Rundll32 Remote Thread Creation
+author: Florian Roth
+date: 2018/06/25
+description: Detects PowerShell remote thread creation in Rundll32.exe
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage: '*\powershell.exe'
+ SELECTION_3:
+ TargetImage: '*\rundll32.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 99b97608-3e21-4bfe-8217-2a127c396a0e
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1085
+- attack.t1218.011
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
new file mode 100644
index 00000000..f0402ae0
--- /dev/null
+++ b/rules/sigma/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -0,0 +1,88 @@
+
+title: Suspicious Remote Thread Created
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
+ however, this is still largely observed in the wild. This rule aims to detect suspicious
+ processes (those we would not expect to behave in this way like word.exe or outlook.exe)
+ creating remote threads on other processes. It is a generalistic rule, but it should
+ have a low FP ratio due to the selected range of processes.
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage:
+ - '*\bash.exe'
+ - '*\cvtres.exe'
+ - '*\defrag.exe'
+ - '*\dnx.exe'
+ - '*\esentutl.exe'
+ - '*\excel.exe'
+ - '*\expand.exe'
+ - '*\explorer.exe'
+ - '*\find.exe'
+ - '*\findstr.exe'
+ - '*\forfiles.exe'
+ - '*\git.exe'
+ - '*\gpupdate.exe'
+ - '*\hh.exe'
+ - '*\iexplore.exe'
+ - '*\installutil.exe'
+ - '*\lync.exe'
+ - '*\makecab.exe'
+ - '*\mDNSResponder.exe'
+ - '*\monitoringhost.exe'
+ - '*\msbuild.exe'
+ - '*\mshta.exe'
+ - '*\msiexec.exe'
+ - '*\mspaint.exe'
+ - '*\outlook.exe'
+ - '*\ping.exe'
+ - '*\powerpnt.exe'
+ - '*\powershell.exe'
+ - '*\provtool.exe'
+ - '*\python.exe'
+ - '*\regsvr32.exe'
+ - '*\robocopy.exe'
+ - '*\runonce.exe'
+ - '*\sapcimc.exe'
+ - '*\schtasks.exe'
+ - '*\smartscreen.exe'
+ - '*\spoolsv.exe'
+ - '*\tstheme.exe'
+ - '*\userinit.exe'
+ - '*\vssadmin.exe'
+ - '*\vssvc.exe'
+ - '*\w3wp.exe'
+ - '*\winlogon.exe'
+ - '*\winscp.exe'
+ - '*\wmic.exe'
+ - '*\word.exe'
+ - '*\wscript.exe'
+ SELECTION_3:
+ SourceImage: '*Visual Studio*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+id: 66d31e5f-52d6-40a4-9615-002d3789a119
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2021/06/27
+notes:
+- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
+ for process injection for .NET in-memory offensive tools.
+references:
+- Personal research, statistical analysis
+- https://lolbas-project.github.io
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055
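Review bot: The `*\word.exe` entry in SELECTION_2 can never match Microsoft Word, whose binary is `WINWORD.EXE`; the pattern requires a backslash immediately before `word.exe`, and the description explicitly names Word as one of the processes it wants to catch. Change the entry to `- '*\winword.exe'`. `notes:` is not a key in the Sigma schema as I know it; if the MonitoringHost.exe remark is worth keeping it is safer inside `description` or as a YAML comment — confirm against the project's rule validator.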
diff --git a/rules/sigma/windows/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/windows/create_stream_hash/sysmon_ads_executable.yml
new file mode 100644
index 00000000..85044cb1
--- /dev/null
+++ b/rules/sigma/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -0,0 +1,34 @@
+
+title: Executable in ADS
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+ (non-empty imphash)
+detection:
+ SELECTION_1:
+ EventID: 15
+ SELECTION_2:
+ Imphash: '00000000000000000000000000000000'
+ SELECTION_3:
+ Imphash|re: ^$
+ condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+ category: create_stream_hash
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
+ product: windows
+modified: 2020/08/26
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004
diff --git a/rules/sigma/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
new file mode 100644
index 00000000..8df65a8e
--- /dev/null
+++ b/rules/sigma/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
@@ -0,0 +1,28 @@
+
+title: Exports Registry Key To an Alternate Data Stream
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+description: Exports the target Registry key and hides it in the specified alternate
+ data stream.
+detection:
+ SELECTION_1:
+ EventID: 15
+ SELECTION_2:
+ Image: '*\regedit.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- TargetFilename
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+level: high
+logsource:
+ category: create_stream_hash
+ product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
diff --git a/rules/sigma/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml b/rules/sigma/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..69848f23
--- /dev/null
+++ b/rules/sigma/windows/deprecated/process_creation_syncappvpublishingserver_exe.yml
@@ -0,0 +1,25 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\SyncAppvPublishingServer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- App-V clients
+id: fde7929d-8beb-4a4c-b922-be9974671667
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+tags:
+- attack.defense_evasion
+- attack.t1218
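Review bot: This rule sits under `deprecated/` but carries no `status` key at all, and the three sibling files in that directory in the following hunks still say `status: experimental`; consumers that filter on status would keep loading all four as active rules. Add `status: deprecated` here and in the sibling files so the directory and the metadata agree, and consider a `description` sentence pointing to the replacement rule where one exists.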
diff --git a/rules/sigma/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/sigma/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
new file mode 100644
index 00000000..a7de7cec
--- /dev/null
+++ b/rules/sigma/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -0,0 +1,38 @@
+
+title: Mimikatz Detection LSASS Access
+author: Sherif Eldeeb
+date: 2017/10/18
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000
+ PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+ versions", 0x0010 PROCESS_VM_READ)
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess:
+ - '0x1410'
+ - '0x1010'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Some security products access LSASS in this way.
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+status: experimental
+tags:
+- attack.t1003
+- attack.s0002
+- attack.credential_access
+- car.2019-04-004
diff --git a/rules/sigma/windows/deprecated/win_susp_esentutl_activity.yml b/rules/sigma/windows/deprecated/win_susp_esentutl_activity.yml
new file mode 100644
index 00000000..e29e58bb
--- /dev/null
+++ b/rules/sigma/windows/deprecated/win_susp_esentutl_activity.yml
@@ -0,0 +1,34 @@
+
+title: Suspicious Esentutl Use
+author: Florian Roth
+date: 2020/05/23
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity.
+ It could be used in rare cases by administrators to access locked files or during
+ maintenance.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* /vss *'
+ SELECTION_3:
+ CommandLine: '* /y *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://lolbas-project.github.io/
+- https://twitter.com/chadtilbury/status/1264226341408452610
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.s0404
+- attack.t1218
diff --git a/rules/sigma/windows/deprecated/win_susp_vssadmin_ntds_activity.yml b/rules/sigma/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
new file mode 100644
index 00000000..8243fbcf
--- /dev/null
+++ b/rules/sigma/windows/deprecated/win_susp_vssadmin_ntds_activity.yml
@@ -0,0 +1,41 @@
+
+title: Activity Related to NTDS.dit Domain Hash Retrieval
+author: Florian Roth, Michael Haag
+date: 2019/01/16
+description: Detects suspicious commands that could be related to activity that uses
+ volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - vssadmin.exe Delete Shadows
+ - 'vssadmin create shadow /for=C:'
+ - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
+ - copy \\?\GLOBALROOT\Device\\*\config\SAM
+ - 'vssadmin delete shadows /for=C:'
+ - 'reg SAVE HKLM\SYSTEM '
+ - esentutl.exe /y /vss *\ntds.dit*
+ - esentutl.exe /y /vss *\SAM
+ - esentutl.exe /y /vss *\SYSTEM
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrative activity
+fields:
+- CommandLine
+- ParentCommandLine
+id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
+- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
+- https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
diff --git a/rules/sigma/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
new file mode 100644
index 00000000..07b1bc32
--- /dev/null
+++ b/rules/sigma/windows/dns_query/dns_query_hybridconnectionmgr_servicebus.yml
@@ -0,0 +1,27 @@
+
+title: DNS HybridConnectionManager Service Bus
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2021/04/12
+description: Detects Azure Hybrid Connection Manager services querying the Azure service
+ bus service
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*servicebus.windows.net*'
+ SELECTION_3:
+ Image: '*HybridConnectionManager*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
+id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
+level: high
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/06/10
+references:
+- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+status: experimental
+tags:
+- attack.persistence
diff --git a/rules/sigma/windows/dns_query/dns_query_mega_nz.yml b/rules/sigma/windows/dns_query/dns_query_mega_nz.yml
new file mode 100644
index 00000000..de60de21
--- /dev/null
+++ b/rules/sigma/windows/dns_query/dns_query_mega_nz.yml
@@ -0,0 +1,24 @@
+
+title: DNS Query for MEGA.io Upload Domain
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*userstorage.mega.co.nz*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Mega upload
+id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+level: high
+logsource:
+ category: dns_query
+ product: windows
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/windows/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/windows/dns_query/dns_query_possible_dns_rebinding.yml
new file mode 100644
index 00000000..3e706528
--- /dev/null
+++ b/rules/sigma/windows/dns_query/dns_query_possible_dns_rebinding.yml
@@ -0,0 +1,75 @@
+
+title: Possible DNS Rebinding
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+description: Detects several different DNS-answers by one domain with IPs from internal
+ and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved
+ in host cache for a while TTL).
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ QueryName: '*'
+ SELECTION_3:
+ QueryStatus: '0'
+ SELECTION_4:
+ QueryResults:
+ - (::ffff:)?10.*
+ - (::ffff:)?192.168.*
+ - (::ffff:)?172.16.*
+ - (::ffff:)?172.17.*
+ - (::ffff:)?172.18.*
+ - (::ffff:)?172.19.*
+ - (::ffff:)?172.20.*
+ - (::ffff:)?172.21.*
+ - (::ffff:)?172.22.*
+ - (::ffff:)?172.23.*
+ - (::ffff:)?172.24.*
+ - (::ffff:)?172.25.*
+ - (::ffff:)?172.26.*
+ - (::ffff:)?172.27.*
+ - (::ffff:)?172.28.*
+ - (::ffff:)?172.29.*
+ - (::ffff:)?172.30.*
+ - (::ffff:)?172.31.*
+ - (::ffff:)?127.*
+ SELECTION_5:
+ QueryName: '*'
+ SELECTION_6:
+ QueryStatus: '0'
+ SELECTION_7:
+ QueryResults:
+ - (::ffff:)?10.*
+ - (::ffff:)?192.168.*
+ - (::ffff:)?172.16.*
+ - (::ffff:)?172.17.*
+ - (::ffff:)?172.18.*
+ - (::ffff:)?172.19.*
+ - (::ffff:)?172.20.*
+ - (::ffff:)?172.21.*
+ - (::ffff:)?172.22.*
+ - (::ffff:)?172.23.*
+ - (::ffff:)?172.24.*
+ - (::ffff:)?172.25.*
+ - (::ffff:)?172.26.*
+ - (::ffff:)?172.27.*
+ - (::ffff:)?172.28.*
+ - (::ffff:)?172.29.*
+ - (::ffff:)?172.30.*
+ - (::ffff:)?172.31.*
+ - (::ffff:)?127.*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
+ and SELECTION_6) and not (SELECTION_7)) | count(QueryName) by ComputerName >
+ 3
+id: eb07e747-2552-44cd-af36-b659ae0958e4
+level: medium
+logsource:
+ category: dns_query
+ product: windows
+modified: 2020/08/28
+references:
+- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+status: experimental
+tags:
+- attack.initial_access
+- attack.t1189
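Review bot: The condition can never match: SELECTION_4 and SELECTION_7 are identical lists, and the expression requires QueryResults to match them (`SELECTION_4`) while also requiring `not (SELECTION_7)`, so the rule is dead for every event. The list entries are also written as regular expressions (`(::ffff:)?10.*`) under a plain-match field, where `(`, `?` and `.` are literal and only `*` is a wildcard, so even one half of the check would not match real answers. This looks like a flattened `near`-style aggregation from the original rule; either restore that form or drop SELECTION_5–7 and the `not` clause and switch the address list to `QueryResults|re:`. A `falsepositives` entry is also missing, which every other rule in this commit carries.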
diff --git a/rules/sigma/windows/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/windows/dns_query/dns_query_regsvr32_network_activity.yml
new file mode 100644
index 00000000..3ead6e60
--- /dev/null
+++ b/rules/sigma/windows/dns_query/dns_query_regsvr32_network_activity.yml
@@ -0,0 +1,40 @@
+
+title: Regsvr32 Network Activity
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+ SELECTION_1:
+ EventID: 22
+ SELECTION_2:
+ Image: '*\regsvr32.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: 36e037c4-c228-4866-b6a3-48eb292b9955
+level: high
+logsource:
+ category: dns_query
+ product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+related:
+- id: c7e91a02-d771-4a6d-a700-42587e0b1095
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
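Review bot: The `fields` list names `DestinationIp` and `DestinationPort`, which belong to Sysmon EventID 3 network-connection events, not to the EventID 22 dns_query events this rule selects; an analyst pivoting on them will find empty columns. Replace them with fields that exist on this event, e.g. `- QueryName` and `- QueryResults`, or drop them. The description's "network connections" wording likewise overstates what this single-logsource rule covers.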
diff --git a/rules/sigma/windows/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/windows/driver_load/driver_load_mal_creddumper.yml
new file mode 100644
index 00000000..2b983b7a
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_mal_creddumper.yml
@@ -0,0 +1,44 @@
+
+title: Credential Dumping Tools Service Execution
+author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2017/03/05
+description: Detects well-known credential dumping tools execution via service execution
+ events
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImagePath:
+ - '*fgexec*'
+ - '*dumpsvc*'
+ - '*cachedump*'
+ - '*mimidrv*'
+ - '*gsecdump*'
+ - '*servpw*'
+ - '*pwdump*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate Administrator using credential dumping tool for password recovery
+id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
+level: critical
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/10/14
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+related:
+- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+ type: derived
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+- attack.t1003.006
+- attack.t1035
+- attack.t1569.002
+- attack.s0005
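Review bot: SELECTION_2 matches on `ImagePath`, but the rule is scoped to `category: driver_load` with `EventID: 6`, and the Sysmon driver-load event exposes the path as `ImageLoaded` (which the other driver_load rules in this commit use), so this selection is unlikely to ever match on a Sysmon source. Either the key should be `ImageLoaded:` or the logsource should be the service-installation event that `ImagePath` belongs to, which is what the title ("Service Execution") and the `related` entry suggest. The same field/event mismatch is present in driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml, where all sixteen selections use `ImagePath` under the same EventID 6 logsource. Separately, this rule has no `status:` key while most of its siblings do.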
diff --git a/rules/sigma/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
new file mode 100644
index 00000000..42d39074
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -0,0 +1,67 @@
+
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
+ a specific service installation
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_10:
+ ImagePath: '*cmd.exe*'
+ SELECTION_11:
+ ImagePath: '*/c*'
+ SELECTION_12:
+ ImagePath: '*echo*'
+ SELECTION_13:
+ ImagePath: '*\pipe\\*'
+ SELECTION_14:
+ ImagePath: '*rundll32*'
+ SELECTION_15:
+ ImagePath: '*.dll,a*'
+ SELECTION_16:
+ ImagePath: '*/p:*'
+ SELECTION_2:
+ ImagePath: '*cmd*'
+ SELECTION_3:
+ ImagePath: '*/c*'
+ SELECTION_4:
+ ImagePath: '*echo*'
+ SELECTION_5:
+ ImagePath: '*\pipe\\*'
+ SELECTION_6:
+ ImagePath: '*%COMSPEC%*'
+ SELECTION_7:
+ ImagePath: '*/c*'
+ SELECTION_8:
+ ImagePath: '*echo*'
+ SELECTION_9:
+ ImagePath: '*\pipe\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and SELECTION_15
+ and SELECTION_16)))
+falsepositives:
+- Highly unlikely
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+- ImagePath
+id: d585ab5a-6a69-49a8-96e8-4a726a54de46
+level: critical
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+related:
+- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+ type: derived
+tags:
+- attack.privilege_escalation
+- attack.t1134
+- attack.t1134.001
+- attack.t1134.002
diff --git a/rules/sigma/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
new file mode 100644
index 00000000..a2f2f2e3
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_powershell_script_installed_as_service.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell Scripts Run by a Services
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded:
+ - '*powershell*'
+ - '*pwsh*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
+level: high
+logsource:
+ category: driver_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+related:
+- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
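Review bot: The title and description describe a PowerShell script installed as a service, but the logic matches Sysmon EventID 6 (driver loaded) with `ImageLoaded` containing `powershell`/`pwsh`, which a service installation does not produce; on this logsource the rule fires only if a kernel driver's path contains those strings. If the driver_load derivation is intentional, the description should say so, otherwise the `related` service-installation rule is the one carrying the described behaviour. The title also reads "Run by a Services" — `title: PowerShell Scripts Run by a Service`.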
diff --git a/rules/sigma/windows/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/windows/driver_load/driver_load_susp_temp_use.yml
new file mode 100644
index 00000000..0e6a74db
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_susp_temp_use.yml
@@ -0,0 +1,24 @@
+
+title: Suspicious Driver Load from Temp
+author: Florian Roth
+date: 2017/02/12
+description: Detects a driver load from a temporary directory
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded: '*\Temp\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- there is a relevant set of false positives depending on applications in the environment
+id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
+level: high
+logsource:
+ category: driver_load
+ product: windows
+modified: 2020/08/23
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1050
+- attack.t1543.003
diff --git a/rules/sigma/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/windows/driver_load/driver_load_vuln_dell_driver.yml
new file mode 100644
index 00000000..69574e82
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -0,0 +1,32 @@
+
+title: Vulnerable Dell BIOS Update Driver Load
+author: Florian Roth
+date: 2021/05/05
+description: Detects the load of the vulnerable Dell BIOS update driver as reported
+ in CVE-2021-21551
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded: '*\DBUtil_2_3.Sys*'
+ SELECTION_3:
+ Hashes:
+ - '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
+ - '*c948ae14761095e4d76b55d9de86412258be7afd*'
+ - '*c996d7971c49252c582171d9380360f2*'
+ - '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
+ - '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
+ - '*d2fd132ab7bbc6bbb87a84f026fa0244*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- legitimate BIOS driver updates (should be rare)
+id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+level: high
+logsource:
+ category: driver_load
+ product: windows
+references:
+- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+- https://nvd.nist.gov/vuln/detail/cve-2021-21551
+tags:
+- attack.privilege_escalation
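Review bot: SELECTION_3 mixes SHA256, SHA1 and MD5 values inside a single contains-match on `Hashes`, so which entries can ever match depends on the algorithms the Sysmon configuration's HashAlgorithms setting emits; that dependency belongs in the description so operators know the SHA1/MD5 entries are inert on a SHA256-only deployment. The rule also lacks the `status:` key most rules in this batch carry; suggest `status: experimental`. The trailing `*` in `'*\DBUtil_2_3.Sys*'` is redundant for a file-name match, but harmless.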
diff --git a/rules/sigma/windows/driver_load/driver_load_windivert.yml b/rules/sigma/windows/driver_load/driver_load_windivert.yml
new file mode 100644
index 00000000..202a4b63
--- /dev/null
+++ b/rules/sigma/windows/driver_load/driver_load_windivert.yml
@@ -0,0 +1,30 @@
+
+title: WinDivert Driver Load
+author: Florian Roth
+date: 2021/07/30
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
+ package for Windows
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded:
+ - '*\WinDivert.sys*'
+ - '*\WinDivert64.sys*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate WinDivert driver usage
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+level: high
+logsource:
+ category: driver_load
+ product: windows
+references:
+- https://reqrypt.org/windivert-doc.html
+- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+status: experimental
+tags:
+- attack.collection
+- attack.defense_evasion
+- attack.t1599.001
+- attack.t1557.001
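Review bot: The description misspells the driver name as "Windiver" while the title and selection use WinDivert; suggest `description: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows`. The selection itself is sound, though the trailing `*` after `.sys` is unnecessary for a path match.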
diff --git a/rules/sigma/windows/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/windows/file_delete/sysmon_delete_prefetch.yml
new file mode 100644
index 00000000..6ba6585f
--- /dev/null
+++ b/rules/sigma/windows/file_delete/sysmon_delete_prefetch.yml
@@ -0,0 +1,31 @@
+
+title: Prefetch File Deletion
+author: Cedric MAURUGEON
+date: 2021/09/29
+description: Detects the deletion of a prefetch file (AntiForensic)
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ TargetFilename: C:\Windows\Prefetch\\*
+ SELECTION_4:
+ TargetFilename: '*.pf'
+ SELECTION_5:
+ Image: C:\windows\system32\svchost.exe
+ SELECTION_6:
+ User: NT AUTHORITY\SYSTEM
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- Unknown
+id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
+level: high
+logsource:
+ category: file_delete
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
diff --git a/rules/sigma/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
new file mode 100644
index 00000000..f002c41d
--- /dev/null
+++ b/rules/sigma/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
@@ -0,0 +1,30 @@
+
+title: Sysinternals SDelete File Deletion
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection to trigger for the deletion of files by Sysinternals
+ SDelete. It looks for the common name pattern used to rename files.
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ TargetFilename:
+ - '*.AAA'
+ - '*.ZZZ'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitime usage of SDelete
+id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
+level: medium
+logsource:
+ category: file_delete
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/9
+- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
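Review bot: `falsepositives` contains a typo — `- Legitimate usage of SDelete`. The selection deliberately matches only the `.AAA` and `.ZZZ` endpoints of the rename sequence rather than every intermediate name; a short sentence in the description stating that this narrowing is intentional would stop a tuner from widening it to `*.???` and flooding the rule.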
diff --git a/rules/sigma/windows/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
new file mode 100644
index 00000000..c3d8b864
--- /dev/null
+++ b/rules/sigma/windows/file_delete/win_cve_2021_1675_printspooler_del.yml
@@ -0,0 +1,33 @@
+
+title: Windows Spooler Service Suspicious File Deletion
+author: Bhabesh Raj
+date: 2021/07/01
+description: Detect DLL deletions from Spooler Service driver folder
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ Image: '*spoolsv.exe'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
+level: high
+logsource:
+ category: file_delete
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
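Review bot: SELECTION_4 only covers the 64-bit driver store (`spool\drivers\x64\3\`), so DLL deletions by spoolsv.exe under the 32-bit `spool\drivers\W32X86\3\` directory are missed; a two-entry list would close that gap. The leading `*` before `C:` in the pattern is redundant, since the path is already anchored at the drive root.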
diff --git a/rules/sigma/windows/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/windows/file_event/file_event_advanced_ip_scanner.yml
new file mode 100644
index 00000000..9cefb6c6
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_advanced_ip_scanner.yml
@@ -0,0 +1,33 @@
+
+title: Advanced IP Scanner
+author: '@ROxPinTeddy'
+date: 2020/05/12
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
+ ransomware groups.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative use
+id: fed85bf9-e075-4280-9159-fbe8a023d6fa
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+related:
+- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1046
diff --git a/rules/sigma/windows/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/windows/file_event/file_event_apt_unidentified_nov_18.yml
new file mode 100644
index 00000000..89c748bd
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_apt_unidentified_nov_18.yml
@@ -0,0 +1,29 @@
+
+title: Unidentified Attacker November 2018
+author: '@41thexplorer, Microsoft Defender ATP'
+date: 2018/11/20
+description: A sigma rule detecting an unidetefied attacker who used phishing emails
+ to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29
+ campaign in 2016.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ds7002.lnk*'
+ condition: (SELECTION_1 and SELECTION_2)
+id: 3a3f81ca-652c-482b-adeb-b1c804727f74
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/DrunkBinary/status/1063075530180886529
+related:
+- id: 7453575c-a747-40b9-839b-125a0aae324b
+ type: derived
+status: stable
+tags:
+- attack.execution
+- attack.t1218.011
+- attack.t1085
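Review bot: The description has spelling errors — "unidetefied" should be "unidentified" — and the rule lacks the `falsepositives:` key that the other rules in this batch carry. Suggest adding `falsepositives:` followed by `- Unknown` at minimum. `status: stable` on a rule keyed to a single filename (`ds7002.lnk`) is a judgement call for the maintainer, but worth a second look given the sibling rules are `experimental`.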
diff --git a/rules/sigma/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
new file mode 100644
index 00000000..be0b9971
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -0,0 +1,40 @@
+
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+author: Sittikorn S
+date: 2021/07/16
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
+ CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*C:\Windows\system32\physmem.sys*'
+ - '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
+ - '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
+ - '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
+ - '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
+ - '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
+ - '*C:\Windows\system32\config\config\startwus.dat*'
+ - '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
+ - '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
+ - '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+- https://nvd.nist.gov/vuln/detail/cve-2021-33771
+- https://nvd.nist.gov/vuln/detail/cve-2021-31979
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1566
+- attack.t1203
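Review bot: The tactic tag `attack.credential_access` does not match either technique listed — `attack.t1566` (Phishing) belongs to Initial Access and `attack.t1203` (Exploitation for Client Execution) to Execution. Suggest `- attack.initial_access` and `- attack.execution` in place of the credential-access tag, or drop the tactic tag entirely. The patterns also carry a redundant leading and trailing `*` around fully qualified paths, which is harmless but noisy.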
diff --git a/rules/sigma/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules/sigma/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml
new file mode 100644
index 00000000..64cf9111
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_executable_and_script_creation_by_office_using_file_ext.yml
@@ -0,0 +1,46 @@
+
+title: File Creation by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor executable and script file creation by office
+ applications. Please add more file extensions or magic bytes to the logic of your
+ choice.
+detection:
+ SELECTION_1:
+ Image:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ SELECTION_2:
+ FileName:
+ - '*.exe'
+ - '*.dll'
+ - '*.ocx'
+ - '*.com'
+ - '*.ps1'
+ - '*.vbs'
+ - '*.sys'
+ - '*.bat'
+ - '*.scr'
+ - '*.proj'
+ SELECTION_3:
+ FileMagicBytes:
+ - 4D5A*
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d
+level: high
+logsource:
+ category: file_event
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
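Review bot: `product: Windows` is capitalised while every other rule in the commit uses `product: windows`; Sigma logsource matching is exact in most backends, so this rule may not pick up the Sysmon field mappings. The same capitalisation is present in file_event_script_creation_by_office_using_file_ext.yml. In addition, SELECTION_2 uses `FileName` and SELECTION_3 `FileMagicBytes`, neither of which is a Sysmon EventID 11 field (the sibling rules use `TargetFilename`), and there is no `EventID: 11` selection, so the intended event source is unclear and should be stated in the description or the logsource.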
diff --git a/rules/sigma/windows/file_event/file_event_hack_dumpert.yml b/rules/sigma/windows/file_event/file_event_hack_dumpert.yml
new file mode 100644
index 00000000..b777829b
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_hack_dumpert.yml
@@ -0,0 +1,31 @@
+
+title: Dumpert Process Dumper
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+ process memory
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\Temp\dumpert.dmp
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+related:
+- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/windows/file_event/file_event_hktl_createminidump.yml b/rules/sigma/windows/file_event/file_event_hktl_createminidump.yml
new file mode 100644
index 00000000..1fcdc4c9
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_hktl_createminidump.yml
@@ -0,0 +1,29 @@
+
+title: CreateMiniDump Hacktool
+author: Florian Roth
+date: 2019/12/22
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
+ memory for credential extraction on the attacker's machine
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\lsass.dmp'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: db2110f3-479d-42a6-94fb-d35bc1e46492
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+related:
+- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+ type: derived
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
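Review bot: `falsepositives` says "Unknown", yet a `*\lsass.dmp` file is also written by Task Manager's "Create dump file" on lsass.exe or by crash-dump tooling during support work, which is a more useful tuning pointer than "Unknown". Suggest `- Administrators or support staff creating an LSASS dump with Task Manager or debugging tools for troubleshooting`.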
diff --git a/rules/sigma/windows/file_event/file_event_mal_adwind.yml b/rules/sigma/windows/file_event/file_event_mal_adwind.yml
new file mode 100644
index 00000000..640f36e3
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_mal_adwind.yml
@@ -0,0 +1,35 @@
+
+title: Adwind RAT / JRAT
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+date: 2017/11/10
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
+ SELECTION_3:
+ TargetFilename: '*.exe*'
+ SELECTION_4:
+ TargetFilename: '*\Retrive*'
+ SELECTION_5:
+ TargetFilename: '*.vbs*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+related:
+- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1064
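Review bot: The rule carries no `falsepositives:` key, unlike most rules in this batch; suggest adding `falsepositives:` followed by `- Unknown` at minimum. The description mentions javaw.exe while SELECTION_2 matches `java*`, which also covers `java.exe` and any other file starting with `java` under that directory — fine if intended, but the wording should match the pattern.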
diff --git a/rules/sigma/windows/file_event/file_event_moriya_rootkit.yml b/rules/sigma/windows/file_event/file_event_moriya_rootkit.yml
new file mode 100644
index 00000000..b01ef6ea
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_moriya_rootkit.yml
@@ -0,0 +1,30 @@
+
+title: Moriya Rootkit
+author: Bhabesh Raj
+date: 2021/05/06
+description: Detects the use of Moriya rootkit as described in the securelist's Operation
+ TunnelSnake report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- None
+id: a1507d71-0b60-44f6-b17c-bf53220fdd88
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+related:
+- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1543.003
diff --git a/rules/sigma/windows/file_event/file_event_pingback_backdoor.yml b/rules/sigma/windows/file_event/file_event_pingback_backdoor.yml
new file mode 100644
index 00000000..de05302b
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_pingback_backdoor.yml
@@ -0,0 +1,29 @@
+
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*updata.exe'
+ SELECTION_3:
+ TargetFilename: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
diff --git a/rules/sigma/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
new file mode 100644
index 00000000..d6295d34
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
@@ -0,0 +1,43 @@
+
+title: Created Files by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor executable and script file creation by office
+ applications. Please add more file extensions or magic bytes to the logic of your
+ choice.
+detection:
+ SELECTION_1:
+ Image:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ SELECTION_2:
+ TargetFileName:
+ - '*.exe'
+ - '*.dll'
+ - '*.ocx'
+ - '*.com'
+ - '*.ps1'
+ - '*.vbs'
+ - '*.sys'
+ - '*.bat'
+ - '*.scr'
+ - '*.proj'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+level: high
+logsource:
+ category: file_event
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
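Review bot: SELECTION_2 uses `TargetFileName` (capital N), while Sysmon EventID 11 and the other file_event rules in this commit use `TargetFilename`; field names are case-sensitive in most Sigma backends, so this selection may silently never match. The rule also has no `EventID: 11` selection, unlike its siblings. Suggest `TargetFilename:` in place of `TargetFileName:` and adding an EventID selection to the condition.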
diff --git a/rules/sigma/windows/file_event/file_event_tool_psexec.yml b/rules/sigma/windows/file_event/file_event_tool_psexec.yml
new file mode 100644
index 00000000..004327bb
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_tool_psexec.yml
@@ -0,0 +1,40 @@
+
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\PSEXESVC.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
+level: low
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
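Review bot: The `fields` list (`ServiceName`, `ServiceFileName`, `CommandLine`, `ParentCommandLine`, `PipeName`) belongs to the service-installation, process-creation and pipe events, not to the Sysmon EventID 11 file-create event this rule matches, so only `EventID` and `TargetFilename` will be populated. Suggest trimming `fields` to `- Image` and `- TargetFilename` for this file_event derivation. The description "service installation and execution events (service and Sysmon)" likewise describes the parent rule rather than this one.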
diff --git a/rules/sigma/windows/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/windows/file_event/file_event_uac_bypass_winsat.yml
new file mode 100644
index 00000000..0866da20
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_uac_bypass_winsat.yml
@@ -0,0 +1,30 @@
+
+title: UAC Bypass Abusing Winsat Path Parsing - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
+ (UACMe 52)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename:
+ - '*\AppData\Local\Temp\system32\winsat.exe'
+ - '*\AppData\Local\Temp\system32\winmm.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/windows/file_event/file_event_uac_bypass_wmp.yml
new file mode 100644
index 00000000..cdbae4e8
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_uac_bypass_wmp.yml
@@ -0,0 +1,32 @@
+
+title: UAC Bypass Using Windows Media Player - File
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
+ (UACMe 32)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
+ SELECTION_4:
+ Image: C:\Windows\system32\DllHost.exe
+ SELECTION_5:
+ TargetFilename: C:\Program Files\Windows Media Player\osk.exe
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Unknown
+id: 68578b43-65df-4f81-9a9b-92f32711a951
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/windows/file_event/file_event_winrm_awl_bypass.yml
new file mode 100644
index 00000000..6add2daf
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_winrm_awl_bypass.yml
@@ -0,0 +1,35 @@
+
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
+ winrm.vbs and copied cscript.exe (can be renamed)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*WsmPty.xsl'
+ - '*WsmTxt.xsl'
+ SELECTION_3:
+ TargetFilename:
+ - C:\Windows\System32\\*
+ - C:\Windows\SysWOW64\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unlikely
+id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+related:
+- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
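Review bot: The `related` id `074e0ded-6ced-4ebd-8b4d-53f55908119` is not a valid UUID — its last group has 11 hex digits instead of 12 — so tooling that resolves related rules by id will fail to link it. The value should be copied verbatim from the referenced rule's `id:`. The detection logic itself reads correctly: creation of the two XSL files anywhere outside System32/SysWOW64.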
diff --git a/rules/sigma/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..30783eb6
--- /dev/null
+++ b/rules/sigma/windows/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,30 @@
+
+title: Wmiprvse Wbemcomn DLL Hijack
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: System
+ SELECTION_3:
+ TargetFilename: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/file_event/sysmon_creation_system_file.yml b/rules/sigma/windows/file_event/sysmon_creation_system_file.yml
new file mode 100644
index 00000000..6ce627cf
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_creation_system_file.yml
@@ -0,0 +1,63 @@
+
+title: File Created with System Process Name
+author: Sander Wiebing
+date: 2020/05/26
+description: Detects the creation of a executable with a system process name in a
+ suspicious folder
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\services.exe'
+ - '*\powershell.exe'
+ - '*\regsvr32.exe'
+ - '*\spoolsv.exe'
+ - '*\lsass.exe'
+ - '*\smss.exe'
+ - '*\csrss.exe'
+ - '*\conhost.exe'
+ - '*\wininit.exe'
+ - '*\lsm.exe'
+ - '*\winlogon.exe'
+ - '*\explorer.exe'
+ - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\runtimebroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
+ SELECTION_3:
+ TargetFilename:
+ - C:\Windows\System32\\*
+ - C:\Windows\system32\\*
+ - C:\Windows\SysWow64\\*
+ - C:\Windows\SysWOW64\\*
+ - C:\Windows\winsxs\\*
+ - C:\Windows\WinSxS\\*
+ - \SystemRoot\System32\\*
+ SELECTION_4:
+ Image:
+ - '*\Windows\System32\dism.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 and SELECTION_4))
+falsepositives:
+- System processes copied outside the default folder
+fields:
+- Image
+id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/05/16
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
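Review bot: The filter `not (SELECTION_3 and SELECTION_4)` only suppresses creations in the system directories when the writing image is dism.exe, so routine servicing that writes these binaries into `C:\Windows\System32` or `WinSxS` (Windows Update, TrustedInstaller) will still fire, which `falsepositives` does not mention. If the intent was to exempt the system paths and dism.exe independently, the condition would be `condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 or SELECTION_4))` — worth confirming against the parent rule before changing. Separately, the case-variant duplicates (`Taskmgr.exe`/`taskmgr.exe`, `RuntimeBroker.exe`/`runtimebroker.exe`, `System32`/`system32`, `SysWow64`/`SysWOW64`, `winsxs`/`WinSxS`) are redundant, since Sigma string matching is case-insensitive by default.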
diff --git a/rules/sigma/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
new file mode 100644
index 00000000..189b3f81
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -0,0 +1,57 @@
+
+title: Cred Dump Tools Dropped Files
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Files with well-known filenames (parts of credential dump software or
+ files produced by them) creation
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\pwdump*'
+ - '*\kirbi*'
+ - '*\pwhashes*'
+ - '*\wce_ccache*'
+ - '*\wce_krbtkts*'
+ - '*\fgdump-log*'
+ SELECTION_3:
+ TargetFilename:
+ - '*\test.pwd'
+ - '*\lsremora64.dll'
+ - '*\lsremora.dll'
+ - '*\fgexec.exe'
+ - '*\wceaux.dll'
+ - '*\SAM.out'
+ - '*\SECURITY.out'
+ - '*\SYSTEM.out'
+ - '*\NTDS.out'
+ - '*\DumpExt.dll'
+ - '*\DumpSvc.exe'
+ - '*\cachedump64.exe'
+ - '*\cachedump.exe'
+ - '*\pstgdump.exe'
+ - '*\servpw.exe'
+ - '*\servpw64.exe'
+ - '*\pwdump.exe'
+ - '*\procdump64.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.003
+- attack.t1003.004
+- attack.t1003.005
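Review bot: The condition ANDs SELECTION_2 and SELECTION_3, so one TargetFilename must both contain a `*\pwdump*`-style fragment and end with one of the exact names in SELECTION_3; apart from `pwdump.exe` no entry can satisfy both, which leaves almost the whole list dead. These read as two alternative indicator sets (substring fragments versus full filenames), so the condition should be `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))`. Once the rule can actually match, expect `*\procdump64.exe` to fire on every legitimate Sysinternals deployment — it is the dumper binary itself rather than a dropped artefact, so consider listing that in `falsepositives`.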
diff --git a/rules/sigma/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
new file mode 100644
index 00000000..d67642c3
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -0,0 +1,39 @@
+
+title: CVE-2021-26858 Exchange Exploitation
+author: Bhabesh Raj
+date: 2021/03/03
+description: Detects possible successful exploitation for vulnerability described
+ in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange
+ Server’s Unified Messaging service | which could indicate dropping web shells or
+ other malicious content
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*UMWorkerProcess.exe'
+ SELECTION_3:
+ TargetFilename:
+ - '*CacheCleanup.bin'
+ - '*.txt'
+ - '*.LOG'
+ - '*.cfg'
+ - '*cleanup.bin'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+- https://nvd.nist.gov/vuln/detail/cve-2021-26858
+status: experimental
+tags:
+- attack.t1203
+- attack.execution
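Review bot: The exclusion set in SELECTION_3 is extension-only (`*.txt`, `*.LOG`, `*.cfg`), so anything UMWorkerProcess.exe writes with one of those suffixes is never alerted on regardless of where it lands, and `*CacheCleanup.bin` is already covered by `*cleanup.bin`. Scoping the exclusions to the Unified Messaging log/cache directories rather than to suffixes would keep the critical level honest, and adding `Image` to `fields` gives the triager the writing process without a second query. If the backend matches case-sensitively, `*.LOG` will also fail to suppress lowercase `.log` files.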
diff --git a/rules/sigma/windows/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
new file mode 100644
index 00000000..1a080745
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -0,0 +1,32 @@
+
+title: Powerup Write Hijack DLL
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/21
+description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege
+ escalation. In it's default mode, it builds a self deleting .bat file which executes
+ malicious command. The detection rule relies on creation of the malicious bat file
+ (debug.bat by default).
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ TargetFilename: '*.bat'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Pentest
+- Any powershell script that creates bat files
+id: 602a1f13-c640-4d73-b053-be9a2fa58b96
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1574.001
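Review bot: SELECTION_3 matches every `*.bat` written by powershell.exe, so at level high this fires on any build or deployment script that emits a batch file — which the `falsepositives` entry already concedes. The description names the tool's default `debug.bat`; pin it, `TargetFilename: '*\debug.bat'`, and keep the wide pattern as a separate low-level hunting rule, or correlate with the hijack DLL that Write-HijackDll writes alongside the batch file (see the referenced documentation). A renamed batch file evades the narrow form, but the wide form is not usable as an alert either.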
diff --git a/rules/sigma/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/windows/file_event/sysmon_ghostpack_safetykatz.yml
new file mode 100644
index 00000000..4829dfc3
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_ghostpack_safetykatz.yml
@@ -0,0 +1,26 @@
+
+title: Detection of SafetyKatz
+author: Markus Neis
+date: 2018/07/24
+description: Detects possible SafetyKatz Behaviour
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Temp\debug.bin'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: e074832a-eada-4fd7-94a1-10642b130e16
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://github.com/GhostPack/SafetyKatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
new file mode 100644
index 00000000..ff534e89
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -0,0 +1,34 @@
+
+title: LSASS Memory Dump File Creation
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: LSASS memory dump creation using operating systems utilities. Procdump
+ will use process name in output file if no name is specified
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*lsass*'
+ SELECTION_3:
+ TargetFilename: '*dmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Dumping lsass memory for forensic investigation purposes by legitimate incident
+ responder or forensic invetigator
+- Dumps of another process that contains lsass in its process name (substring)
+fields:
+- ComputerName
+- TargetFilename
+id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/16
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/sigma/windows/file_event/sysmon_non_priv_program_files_move.yml
new file mode 100644
index 00000000..3faf9d2a
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -0,0 +1,37 @@
+
+title: Files Dropped to Program Files by Non-Priviledged Process
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/17
+description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged
+ processes
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ IntegrityLevel: Medium
+ SELECTION_3:
+ TargetFilename:
+ - '*\Program Files\\*'
+ - '*\Program Files (x86)\\*'
+ SELECTION_4:
+ TargetFilename: \Windows\\*
+ SELECTION_5:
+ TargetFilename: '*temp*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or (SELECTION_4 and not
+ (SELECTION_5))))
+falsepositives:
+- Unknown
+id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/14
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1574
+- attack.t1574.010
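Review bot: `SELECTION_4: TargetFilename: \Windows\\*` has no leading wildcard, so it only matches paths that literally begin with `\Windows\`; Sysmon records absolute paths (`C:\Windows\...`), so the Windows-folder branch of the condition is dead and should read `TargetFilename: '*\Windows\\*'`. More fundamentally, as far as I know Sysmon's FileCreate event (ID 11) carries no `IntegrityLevel` field — that is a Process Create (ID 1) field — so SELECTION_2 can only match if the pipeline enriches file events from the parent process record. The rule should state that prerequisite in the description or be reworked to join on ProcessGuid.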
diff --git a/rules/sigma/windows/file_event/sysmon_office_persistence.yml b/rules/sigma/windows/file_event/sysmon_office_persistence.yml
new file mode 100644
index 00000000..09b9e6de
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_office_persistence.yml
@@ -0,0 +1,40 @@
+
+title: Microsoft Office Add-In Loading
+author: NVISO
+date: 2020/05/11
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll
+ are simply .dll fit for Word or Excel).
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Microsoft\Word\Startup\\*'
+ SELECTION_3:
+ TargetFilename: '*.wll'
+ SELECTION_4:
+ TargetFilename: '*\Microsoft\Excel\Startup\\*'
+ SELECTION_5:
+ TargetFilename: '*.xll'
+ SELECTION_6:
+ TargetFilename: '*\Microsoft\Addins\\*'
+ SELECTION_7:
+ TargetFilename:
+ - '*.xlam'
+ - '*.xla'
+ condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5)) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate add-ins
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- Internal Research
+status: experimental
+tags:
+- attack.persistence
+- attack.t1137
+- attack.t1137.006
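Review bot: The Excel branch (SELECTION_4) looks for `*\Microsoft\Excel\Startup\\*`, but unless I am mistaken Excel's per-user startup folder is `%APPDATA%\Microsoft\Excel\XLSTART\` (the `Word\Startup` path in SELECTION_2 is the correct Word equivalent), so `.xll` drops into the real startup location would be missed. Change it to `TargetFilename: '*\Microsoft\Excel\XLSTART\\*'` or add that pattern alongside the existing one. The machine-wide `\XLSTART\` under the Office install directory is worth covering too, since it is a classic spot for persistence by an admin-level implant.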
diff --git a/rules/sigma/windows/file_event/sysmon_outlook_newform.yml b/rules/sigma/windows/file_event/sysmon_outlook_newform.yml
new file mode 100644
index 00000000..bed12314
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_outlook_newform.yml
@@ -0,0 +1,29 @@
+
+title: Outlook Form Installation
+author: Tobias Michalski
+date: 2021/06/10
+description: Detects the creation of new Outlook form which can contain malicious
+ code
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: \outlook.exe
+ SELECTION_3:
+ TargetFilename: '*\appdata\local\microsoft\FORMS\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1137.003
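Review bot: `SELECTION_2: Image: \outlook.exe` has no leading wildcard, so it only matches an Image that is literally `\outlook.exe`; Sysmon logs the full path (`C:\Program Files\...\OUTLOOK.EXE`), so this rule can never fire as written. It needs the same suffix form the neighbouring rules use, `Image: '*\outlook.exe'`. This is the same class of slip as the plain `\Windows\\*` value in the Program Files rule in this batch, so a pass over the converted set for field values lacking a leading `*` would be worthwhile.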
diff --git a/rules/sigma/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/windows/file_event/sysmon_pcre_net_temp_file.yml
new file mode 100644
index 00000000..a700c4bc
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_pcre_net_temp_file.yml
@@ -0,0 +1,26 @@
+
+title: PCRE.NET Package Temp Files
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+description: Detects processes creating temp files related to PCRE.NET package
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/14
+references:
+- https://twitter.com/rbmaslen/status/1321859647091970051
+- https://twitter.com/tifkin_/status/1321916444557365248
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/windows/file_event/sysmon_powershell_exploit_scripts.yml
new file mode 100644
index 00000000..4d8625cd
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -0,0 +1,120 @@
+
+title: Malicious PowerShell Commandlet Names
+author: Markus Neis
+date: 2018/04/07
+description: Detects the creation of known powershell scripts for exploitation
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-WmiCommand.ps1'
+ - '*\Get-GPPPassword.ps1'
+ - '*\Get-Keystrokes.ps1'
+ - '*\Get-VaultCredential.ps1'
+ - '*\Invoke-CredentialInjection.ps1'
+ - '*\Invoke-Mimikatz.ps1'
+ - '*\Invoke-NinjaCopy.ps1'
+ - '*\Invoke-TokenManipulation.ps1'
+ - '*\Out-Minidump.ps1'
+ - '*\VolumeShadowCopyTools.ps1'
+ - '*\Invoke-ReflectivePEInjection.ps1'
+ - '*\Get-TimedScreenshot.ps1'
+ - '*\Invoke-UserHunter.ps1'
+ - '*\Find-GPOLocation.ps1'
+ - '*\Invoke-ACLScanner.ps1'
+ - '*\Invoke-DowngradeAccount.ps1'
+ - '*\Get-ServiceUnquoted.ps1'
+ - '*\Get-ServiceFilePermission.ps1'
+ - '*\Get-ServicePermission.ps1'
+ - '*\Invoke-ServiceAbuse.ps1'
+ - '*\Install-ServiceBinary.ps1'
+ - '*\Get-RegAutoLogon.ps1'
+ - '*\Get-VulnAutoRun.ps1'
+ - '*\Get-VulnSchTask.ps1'
+ - '*\Get-UnattendedInstallFile.ps1'
+ - '*\Get-WebConfig.ps1'
+ - '*\Get-ApplicationHost.ps1'
+ - '*\Get-RegAlwaysInstallElevated.ps1'
+ - '*\Get-Unconstrained.ps1'
+ - '*\Add-RegBackdoor.ps1'
+ - '*\Add-ScrnSaveBackdoor.ps1'
+ - '*\Gupt-Backdoor.ps1'
+ - '*\Invoke-ADSBackdoor.ps1'
+ - '*\Enabled-DuplicateToken.ps1'
+ - '*\Invoke-PsUaCme.ps1'
+ - '*\Remove-Update.ps1'
+ - '*\Check-VM.ps1'
+ - '*\Get-LSASecret.ps1'
+ - '*\Get-PassHashes.ps1'
+ - '*\Show-TargetScreen.ps1'
+ - '*\Port-Scan.ps1'
+ - '*\Invoke-PoshRatHttp.ps1'
+ - '*\Invoke-PowerShellTCP.ps1'
+ - '*\Invoke-PowerShellWMI.ps1'
+ - '*\Add-Exfiltration.ps1'
+ - '*\Add-Persistence.ps1'
+ - '*\Do-Exfiltration.ps1'
+ - '*\Start-CaptureServer.ps1'
+ - '*\Invoke-ShellCode.ps1'
+ - '*\Get-ChromeDump.ps1'
+ - '*\Get-ClipboardContents.ps1'
+ - '*\Get-FoxDump.ps1'
+ - '*\Get-IndexedItem.ps1'
+ - '*\Get-Screenshot.ps1'
+ - '*\Invoke-Inveigh.ps1'
+ - '*\Invoke-NetRipper.ps1'
+ - '*\Invoke-EgressCheck.ps1'
+ - '*\Invoke-PostExfil.ps1'
+ - '*\Invoke-PSInject.ps1'
+ - '*\Invoke-RunAs.ps1'
+ - '*\MailRaider.ps1'
+ - '*\New-HoneyHash.ps1'
+ - '*\Set-MacAttribute.ps1'
+ - '*\Invoke-DCSync.ps1'
+ - '*\Invoke-PowerDump.ps1'
+ - '*\Exploit-Jboss.ps1'
+ - '*\Invoke-ThunderStruck.ps1'
+ - '*\Invoke-VoiceTroll.ps1'
+ - '*\Set-Wallpaper.ps1'
+ - '*\Invoke-InveighRelay.ps1'
+ - '*\Invoke-PsExec.ps1'
+ - '*\Invoke-SSHCommand.ps1'
+ - '*\Get-SecurityPackages.ps1'
+ - '*\Install-SSP.ps1'
+ - '*\Invoke-BackdoorLNK.ps1'
+ - '*\PowerBreach.ps1'
+ - '*\Get-SiteListPassword.ps1'
+ - '*\Get-System.ps1'
+ - '*\Invoke-BypassUAC.ps1'
+ - '*\Invoke-Tater.ps1'
+ - '*\Invoke-WScriptBypassUAC.ps1'
+ - '*\PowerUp.ps1'
+ - '*\PowerView.ps1'
+ - '*\Get-RickAstley.ps1'
+ - '*\Find-Fruit.ps1'
+ - '*\HTTP-Login.ps1'
+ - '*\Find-TrustedDocuments.ps1'
+ - '*\Invoke-Paranoia.ps1'
+ - '*\Invoke-WinEnum.ps1'
+ - '*\Invoke-ARPScan.ps1'
+ - '*\Invoke-PortScan.ps1'
+ - '*\Invoke-ReverseDNSLookup.ps1'
+ - '*\Invoke-SMBScanner.ps1'
+ - '*\Invoke-Mimikittenz.ps1'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration Tests
+id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
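Review bot: `*\Enabled-DuplicateToken.ps1` appears to be a typo for Nishang's `Enable-DuplicateToken.ps1`, so that entry never matches; please verify against the upstream script name and correct it to `'*\Enable-DuplicateToken.ps1'`. The title says "Commandlet Names" but the rule keys on the file names of known scripts, which a renamed copy evades entirely — the description should say so, e.g. `description: Detects creation of PowerShell script files whose names match well-known offensive tooling; trivially evaded by renaming`. `attack.t1086` is the retired technique ID already superseded by the `attack.t1059.001` tag on the next line.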
diff --git a/rules/sigma/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/windows/file_event/sysmon_quarkspw_filedump.yml
new file mode 100644
index 00000000..59631cad
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -0,0 +1,28 @@
+
+title: QuarksPwDump Dump File
+author: Florian Roth
+date: 2018/02/10
+description: Detects a dump file written by QuarksPwDump password dumper
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\SAM-*'
+ SELECTION_3:
+ TargetFilename: '*.dmp*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 847def9e-924d-4e90-b7c4-5f581395a2b4
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.002
diff --git a/rules/sigma/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
new file mode 100644
index 00000000..90b2f289
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -0,0 +1,26 @@
+
+title: RedMimicry Winnti Playbook Dropped File
+author: Alexander Rausch
+date: 2020/06/24
+description: Detects actions caused by the RedMimicry Winnti playbook
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*gthread-3.6.dll*'
+ - '*sigcmm-2.4.dll*'
+ - '*\Windows\Temp\tmp.bat*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://redmimicry.com
+tags:
+- attack.defense_evasion
+- attack.t1027
diff --git a/rules/sigma/windows/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/windows/file_event/sysmon_startup_folder_file_write.yml
new file mode 100644
index 00000000..c95ceaf6
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_startup_folder_file_write.yml
@@ -0,0 +1,26 @@
+
+title: Startup Folder File Write
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for files being created in the Windows startup directory.
+ This could be an indicator of persistence.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+level: low
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/12
+- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+status: experimental
+tags:
+- attack.persistence
+- attack.t1547.001
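Review bot: SELECTION_2 only covers the all-users startup folder under `ProgramData`, yet the per-user `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` is the location an unprivileged attacker can always write to, and it is exactly what the RDP rule later in this batch matches with `'*\Microsoft\Windows\Start Menu\Programs\Startup\\*'`. Use that suffix form here so both startup folders are covered: `TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\StartUp\\*'`. The missing trailing backslash in the current pattern also lets `...\StartUpSomething` match, harmless but sloppy.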
diff --git a/rules/sigma/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/windows/file_event/sysmon_susp_adsi_cache_usage.yml
new file mode 100644
index 00000000..2192a92f
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -0,0 +1,39 @@
+
+title: Suspicious ADSI-Cache Usage By Unknown Tool
+author: xknow @xknow_infosec
+date: 2019/03/24
+description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect
+ tools like LDAPFragger.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*'
+ SELECTION_3:
+ TargetFilename: '*.sch'
+ SELECTION_4:
+ Image:
+ - C:\windows\system32\svchost.exe
+ - C:\windows\system32\dllhost.exe
+ - C:\windows\system32\mmc.exe
+ - C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
+ - C:\Windows\CCM\CcmExec.exe
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity
+ by MMC, Powershell, Windows etc.
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+- https://github.com/fox-it/LDAPFragger
+status: experimental
+tags:
+- attack.t1071
+- attack.t1001.003
+- attack.command_and_control
diff --git a/rules/sigma/windows/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/windows/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 00000000..eeb2cba7
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,33 @@
+
+title: Suspcious CLR Logs Creation
+author: omkar72, oscd.community
+date: 2020/10/12
+description: Detects suspicious .NET assembly executions
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Microsoft\CLR*'
+ SELECTION_3:
+ TargetFilename: '*\UsageLogs\\*'
+ SELECTION_4:
+ TargetFilename:
+ - '*mshta*'
+ - '*cscript*'
+ - '*wscript*'
+ - '*regsvr32*'
+ - '*wmic*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/windows/file_event/sysmon_susp_desktop_ini.yml
new file mode 100644
index 00000000..1aa2c2c3
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -0,0 +1,33 @@
+
+title: Suspicious desktop.ini Action
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/19
+description: Detects unusual processes accessing desktop.ini, which can be leveraged
+ to alter how Explorer displays a folder's content (i.e. renaming files) without
+ changing them on disk.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\desktop.ini'
+ SELECTION_3:
+ Image:
+ - C:\Windows\explorer.exe
+ - C:\Windows\System32\msiexec.exe
+ - C:\Windows\System32\mmc.exe
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Operations performed through Windows SCCM or equivalent
+id: 81315b50-6b60-4d8f-9928-3466e1022515
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1023
+- attack.t1547.009
diff --git a/rules/sigma/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/windows/file_event/sysmon_susp_pfx_file_creation.yml
new file mode 100644
index 00000000..69228b11
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_susp_pfx_file_creation.yml
@@ -0,0 +1,26 @@
+
+title: Suspicious PFX File Creation
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A general detection for processes creating PFX files. This could be an
+ indicator of an adversary exporting a local certificate to a PFX file.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*.pfx'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- System administrators managing certififcates.
+id: dca1b3e8-e043-4ec8-85d7-867f334b5724
+level: medium
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/14
+- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.004
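Review bot: `*.pfx` alone misses the equally common `.p12` extension for the same PKCS#12 container, and an adversary exporting with certutil or `Export-PfxCertificate` picks the output name freely; add `- '*.p12'` to SELECTION_2. Since the rule is deliberately broad, surfacing `Image` in a `fields` list would let analysts triage on the writing process rather than re-querying. The medium level is appropriate given the admin false positive already noted.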
diff --git a/rules/sigma/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
new file mode 100644
index 00000000..efb44c6c
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -0,0 +1,38 @@
+
+title: Suspicious PROCEXP152.sys File Created In TMP
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
+date: 2019/04/08
+description: Detects the creation of the PROCEXP152.sys file in the application-data
+ local temporary folder. This driver is used by Sysinternals Process Explorer but
+ also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
+ which uses KDU.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_3:
+ TargetFilename: '*PROCEXP152.sys'
+ SELECTION_4:
+ Image:
+ - '*\procexp64.exe*'
+ - '*\procexp.exe*'
+ - '*\procmon64.exe*'
+ - '*\procmon.exe*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other legimate tools using this driver and filename (like Sysinternals). Note -
+ Clever attackers may easily bypass this detection by just renaming the driver filename.
+ Therefore just Medium-level and don't rely on it.
+id: 3da70954-0f2c-4103-adff-b7440368f50e
+level: medium
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+status: experimental
+tags:
+- attack.t1089
+- attack.t1562.001
+- attack.defense_evasion
diff --git a/rules/sigma/windows/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/windows/file_event/sysmon_suspicious_powershell_profile_create.yml
new file mode 100644
index 00000000..08781f7b
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_suspicious_powershell_profile_create.yml
@@ -0,0 +1,30 @@
+
+title: Powershell Profile.ps1 Modification
+author: HieuTT35
+date: 2019/10/24
+description: Detects a change in profile.ps1 of the Powershell profile
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\profile.ps1*'
+ SELECTION_3:
+ TargetFilename: '*\My Documents\PowerShell\\*'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- System administrator create Powershell profile manually
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/24
+references:
+- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1546.013
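Review bot: SELECTION_3 `*\My Documents\PowerShell\\*` is unlikely to match on any supported Windows: Sysmon logs the resolved path, which is `C:\Users\<user>\Documents\WindowsPowerShell\` for Windows PowerShell (and `Documents\PowerShell\` for pwsh), `My Documents` being only a legacy junction. Replace it with `'*\Documents\WindowsPowerShell\\*'` and `'*\Documents\PowerShell\\*'`. Separately, SELECTION_2's `*\profile.ps1*` requires a backslash immediately before `profile.ps1`, so the host-specific `Microsoft.PowerShell_profile.ps1` — the profile most users actually have — is not covered; `'*profile.ps1'` would catch both.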
diff --git a/rules/sigma/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/windows/file_event/sysmon_tsclient_filewrite_startup.yml
new file mode 100644
index 00000000..2dc971d9
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -0,0 +1,25 @@
+
+title: Hijack Legit RDP Session to Move Laterally
+author: Samir Bousseaden
+date: 2019/02/21
+description: Detects the usage of tsclient share to place a backdoor on the RDP source
+ machine's startup folder
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\mstsc.exe'
+ SELECTION_3:
+ TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 52753ea4-b3a0-4365-910d-36cff487b789
+level: high
+logsource:
+ category: file_event
+ product: windows
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1219
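Review bot: The ATT&CK tagging does not match what the rule detects: writing through the tsclient share into the RDP source's Startup folder is lateral movement over RDP plus startup-folder persistence, not "Remote Access Software" (T1219). Suggest `attack.lateral_movement`, `attack.t1021.001`, `attack.persistence`, `attack.t1547.001`. Because the `Image` match is `*\mstsc.exe`, the event is generated on the machine running the RDP client, so the description should spell out that Sysmon must be deployed on workstations for this to fire. A `references` entry would also help, since the rule currently has none.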
diff --git a/rules/sigma/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
new file mode 100644
index 00000000..6fff1ce4
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
@@ -0,0 +1,28 @@
+
+title: UAC Bypass Using Consent and Comctl32 - File
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
+ (UACMe 22)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\System32\consent.exe.@*
+ SELECTION_3:
+ TargetFilename: '*\comctl32.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
new file mode 100644
index 00000000..9bae5cc2
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@@ -0,0 +1,28 @@
+
+title: UAC Bypass Using .NET Code Profiler on MMC
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
+ DLL hijacking (UACMe 39)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\pe386.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 93a19907-d4f9-4deb-9f91-aac4692776a6
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/windows/file_event/sysmon_uac_bypass_ieinstal.yml
new file mode 100644
index 00000000..04172c32
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_uac_bypass_ieinstal.yml
@@ -0,0 +1,31 @@
+
+title: UAC Bypass Using IEInstal - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: C:\Program Files\Internet Explorer\IEInstal.exe
+ SELECTION_3:
+ TargetFilename: C:\Users\\*
+ SELECTION_4:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_5:
+ TargetFilename: '*consent.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
new file mode 100644
index 00000000..9d470fc6
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
@@ -0,0 +1,27 @@
+
+title: UAC Bypass Using MSConfig Token Modification - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 41bb431f-56d8-4691-bb56-ed34e390906f
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
new file mode 100644
index 00000000..db909df0
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
@@ -0,0 +1,28 @@
+
+title: UAC Bypass Using NTFS Reparse Point - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
+ DLL hijacking (UACMe 36)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/windows/file_event/sysmon_webshell_creation_detect.yml
new file mode 100644
index 00000000..ce9784b2
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -0,0 +1,59 @@
+
+title: Windows Webshell Creation
+author: Beyu Denis, oscd.community
+date: 2019/10/22
+description: Possible webshell file creation on a static web site
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*.pl*'
+ SELECTION_11:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_2:
+ TargetFilename: '*\inetpub\wwwroot\\*'
+ SELECTION_3:
+ TargetFilename:
+ - '*.asp*'
+ - '*.ashx*'
+ - '*.ph*'
+ SELECTION_4:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_5:
+ TargetFilename:
+ - '*\www\\*'
+ - '*\htdocs\\*'
+ - '*\html\\*'
+ SELECTION_6:
+ TargetFilename: '*.ph*'
+ SELECTION_7:
+ TargetFilename:
+ - '*\AppData\Local\Temp\\*'
+ - '*\Windows\Temp\\*'
+ SELECTION_8:
+ TargetFilename: '*.jsp'
+ SELECTION_9:
+ TargetFilename: '*\cgi-bin\\*'
+ condition: (SELECTION_1 and ((((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))) or ((SELECTION_8 or
+ (SELECTION_9 and SELECTION_10)) and not (SELECTION_11))))
+falsepositives:
+- Legitimate administrator or developer creating legitimate executable files in a
+ web application folder
+id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- PT ESC rule and personal experience
+status: experimental
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003
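Review bot: SELECTION_8 (`TargetFilename: '*.jsp'`) carries no directory constraint, so the `(SELECTION_8 or …) and not (SELECTION_11)` branch raises a critical alert for any `.jsp` written anywhere outside the two Temp folders, developer workspaces included; constraining it to the web-root selectors (SELECTION_2/SELECTION_5) or recording the choice under `falsepositives` would make the level defensible. The tag `attack.t1100` is a retired ATT&CK ID whose successor `attack.t1505.003` is already listed; the same retired/successor pairs appear in the scrcons file-write rule (`t1084`/`t1546.003`), the Azure Browser SSO, Fax service and process-hollowing rules (`t1073`/`t1574.002`, `t1038`/`t1574.001`) and the two PowerShell image-load rules (`t1086`/`t1059.001`), so the retired IDs can be dropped throughout.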
diff --git a/rules/sigma/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
new file mode 100644
index 00000000..bb1d6f8c
--- /dev/null
+++ b/rules/sigma/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -0,0 +1,26 @@
+
+title: WMI Persistence - Script Event Consumer File Write
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects file writes of WMI script event consumer
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: C:\WINDOWS\system32\wbem\scrcons.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: experimental
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
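Review bot: `Image: C:\WINDOWS\system32\wbem\scrcons.exe` at SELECTION_2 is an exact match on a fixed drive and path, whereas the WMI Script Host image-load rule in this commit matches `'*\scrcons.exe'`; `Image: '*\wbem\scrcons.exe'` would keep the two consistent and robust to a non-default system drive. The single `falsepositives` entry names a specific Dell binary, but the detection has no matching exclusion, so a documented benign case still fires at `level: high`.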
diff --git a/rules/sigma/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/windows/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 00000000..82dcd034
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,34 @@
+
+title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+author: Florian Roth
+date: 2021/06/29
+description: Detects the default filename used in PoC code against print spooler vulnerability
+ CVE-2021-1675
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
+ - '*C:\Windows\System32\spool\drivers\x64\3\New\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/07/01
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/afwu/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
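Review bot: the second pattern `'*C:\Windows\System32\spool\drivers\x64\3\New\\*'` matches every file written under the spooler's `New` staging directory rather than a PoC-specific filename as the `description` claims; if legitimate driver installation stages files there, the rule fires at `level: critical` with `falsepositives: Unknown`. Either narrow the pattern to the PoC filenames or record the expected benign writes in `falsepositives`. The leading `*` before `C:` is redundant if the field is always an absolute path, and `tags` lists tactics only while sibling rules also carry a technique ID.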
diff --git a/rules/sigma/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/windows/file_event/win_file_winword_cve_2021_40444.yml
new file mode 100644
index 00000000..bf7b4a3d
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_file_winword_cve_2021_40444.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Word Cab File Write CVE-2021-40444
+author: Florian Roth, Sittikorn S
+date: 2021/09/10
+description: Detects file creation patterns noticeable during the exploitation of
+ CVE-2021-40444
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: \winword.exe
+ SELECTION_3:
+ TargetFilename: '*.cab'
+ SELECTION_4:
+ TargetFilename: '*\Windows\INetCache*'
+ SELECTION_5:
+ TargetFilename: '*\AppData\Local\Temp\\*'
+ SELECTION_6:
+ TargetFilename: '*.inf*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/13
+references:
+- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
+- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
+status: experimental
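Review bot: `Image: \winword.exe` at SELECTION_2 has no leading wildcard, so as an exact match it can never equal a full process path and the rule cannot fire; every other image selector in this commit uses the `'*\name.exe'` form, so this should read `Image: '*\winword.exe'`. The file also has no `tags:` block, unlike the neighbouring rules, leaving its ATT&CK mapping undocumented.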
diff --git a/rules/sigma/windows/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/windows/file_event/win_hivenightmare_file_exports.yml
new file mode 100644
index 00000000..c95b9e4f
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_hivenightmare_file_exports.yml
@@ -0,0 +1,39 @@
+
+title: Typical HiveNightmare SAM File Export
+author: Florian Roth
+date: 2021/07/23
+description: Detects files written by the different tools that exploit HiveNightmare
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\hive_sam_*'
+ - '*\SAM-2021-*'
+ - '*\SAM-2022-*'
+ - '*\SAM-haxx*'
+ - '*\Sam.save*'
+ SELECTION_3:
+ TargetFilename:
+ - C:\windows\temp\sam
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Files that accidentally contain these strings
+fields:
+- CommandLine
+- ParentCommandLine
+id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/GossiTheDog/HiveNightmare
+- https://github.com/FireFart/hivenightmare/
+- https://github.com/WiredPulse/Invoke-HiveNightmare
+- https://twitter.com/cube0x0/status/1418920190759378944
+- https://nvd.nist.gov/vuln/detail/cve-2021-36934
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.001
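Review bot: `fields` lists `CommandLine` and `ParentCommandLine`, which are process-creation attributes; a `file_event` (Sysmon EventID 11) record carries `Image` and `TargetFilename`, so analysts pivoting on the suggested fields will find them empty. The same `fields` block appears in the Desktopimgdownldr rule. Suggested replacement: `fields:` `- Image` `- TargetFilename`. SELECTION_3 (`C:\windows\temp\sam`) is also an exact, drive-pinned match where the other entries use wildcards.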
diff --git a/rules/sigma/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/windows/file_event/win_outlook_c2_macro_creation.yml
new file mode 100644
index 00000000..dec1443e
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_outlook_c2_macro_creation.yml
@@ -0,0 +1,29 @@
+
+title: Outlook C2 Macro Creation
+author: '@ScoubiMtl'
+date: 2021/04/05
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key.
+ VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both
+ events Registry & File Creation happens at the same time.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Microsoft\Outlook\VbaProject.OTM'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- User genuinly creates a VB Macro for their email
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+level: medium
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+status: experimental
+tags:
+- attack.persistence
+- attack.command_and_control
+- attack.t1137
+- attack.t1008
+- attack.t1546
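Review bot: the `description` says the rule "Goes with win_outlook_c2_registry_key", but the link exists only as prose; the `related` key used by other rules in this commit would make it machine-readable, e.g. `related:` `- id: <registry-rule id>` `type: similar`. The `falsepositives` entry misspells "genuinely" as `genuinly`.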
diff --git a/rules/sigma/windows/file_event/win_rclone_exec_file.yml b/rules/sigma/windows/file_event/win_rclone_exec_file.yml
new file mode 100644
index 00000000..2213fef9
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_rclone_exec_file.yml
@@ -0,0 +1,27 @@
+
+title: Rclone Config File Creation
+author: Aaron Greetham (@beardofbinary) - NCC Group
+date: 2021/05/26
+description: Detects Rclone config file being created
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*:\Users\\*'
+ SELECTION_3:
+ TargetFilename: '*\.config\rclone\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate Rclone usage (rare)
+id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/10/04
+references:
+- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/windows/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/windows/file_event/win_susp_desktopimgdownldr_file.yml
new file mode 100644
index 00000000..12ada67a
--- /dev/null
+++ b/rules/sigma/windows/file_event/win_susp_desktopimgdownldr_file.yml
@@ -0,0 +1,40 @@
+
+title: Suspicious Desktopimgdownldr Target File
+author: Florian Roth
+date: 2020/07/03
+description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores
+ a file to a suspicious location or contains a file with a suspicious extension
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*svchost.exe'
+ SELECTION_3:
+ TargetFilename: '*\Personalization\LockScreenImage\\*'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\\*'
+ SELECTION_5:
+ TargetFilename:
+ - '*.jpg*'
+ - '*.jpeg*'
+ - '*.png*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ and not (SELECTION_5))
+falsepositives:
+- False positives depend on scripts and administrative tools used in the monitored
+ environment
+fields:
+- CommandLine
+- ParentCommandLine
+id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+- https://twitter.com/SBousseaden/status/1278977301745741825
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1105
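Review bot: `Image: '*svchost.exe'` at SELECTION_2 omits the path separator, so any image whose name merely ends in `svchost.exe` satisfies the selector; `'*\svchost.exe'` is the form used for most image selectors in this commit and is the precise one. The same pattern occurs in the Pingback (`'*msdtc.exe'`), Azure Browser SSO (`'*MicrosoftAccountTokenProvider.dll'`), Spooler (`'*spoolsv.exe'`) and Fax service (`'*fxssvc.exe'`, `'*ualapi.dll'`) rules.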
diff --git a/rules/sigma/windows/image_load/image_load_pingback_backdoor.yml b/rules/sigma/windows/image_load/image_load_pingback_backdoor.yml
new file mode 100644
index 00000000..df069556
--- /dev/null
+++ b/rules/sigma/windows/image_load/image_load_pingback_backdoor.yml
@@ -0,0 +1,29 @@
+
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*msdtc.exe'
+ SELECTION_3:
+ ImageLoaded: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
diff --git a/rules/sigma/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/windows/image_load/image_load_silenttrinity_stage_use.yml
new file mode 100644
index 00000000..bff19ea7
--- /dev/null
+++ b/rules/sigma/windows/image_load/image_load_silenttrinity_stage_use.yml
@@ -0,0 +1,27 @@
+
+title: SILENTTRINITY Stager Execution
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+description: Detects SILENTTRINITY stager use
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: '*st2stager*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/10/04
+references:
+- https://github.com/byt3bl33d3r/SILENTTRINITY
+related:
+- id: 03552375-cc2c-4883-bbe4-7958d5a980be
+ type: derived
+status: experimental
+tags:
+- attack.command_and_control
diff --git a/rules/sigma/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..9f934c89
--- /dev/null
+++ b/rules/sigma/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,30 @@
+
+title: Wmiprvse Wbemcomn DLL Hijack
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\wmiprvse.exe'
+ SELECTION_3:
+ ImageLoaded: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7707a579-e0d8-4886-a853-ce47e4575aaa
+level: critical
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
diff --git a/rules/sigma/windows/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/windows/image_load/process_creation_tttracer_mod_load.yml
new file mode 100644
index 00000000..434af1a5
--- /dev/null
+++ b/rules/sigma/windows/image_load/process_creation_tttracer_mod_load.yml
@@ -0,0 +1,33 @@
+
+title: Time Travel Debugging Utility Usage
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+ malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\tttracer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+related:
+- id: e76c8240-d68f-4773-8880-5c6f63595aaf
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
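Review bot: this file lives under `rules/sigma/windows/image_load/`, but its `logsource` is `category: process_creation` with `EventID: 1` and it matches on `ParentImage`; the `process_creation_` filename prefix suggests it belongs in the `process_creation` directory. Tooling that loads or maps rules by directory may otherwise apply image-load field mappings to it.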
diff --git a/rules/sigma/windows/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/windows/image_load/sysmon_abusing_azure_browser_sso.yml
new file mode 100644
index 00000000..7873f0f6
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -0,0 +1,37 @@
+
+title: Abusing Azure Browser SSO
+author: Den Iuzvyk
+date: 2020/07/15
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
+ for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
+ AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
+ in the browser. An attacker can use this to authenticate to Azure AD in a browser
+ as that user.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
+ SELECTION_3:
+ Image:
+ - '*BackgroundTaskHost.exe'
+ - '*devenv.exe'
+ - '*iexplore.exe'
+ - '*MicrosoftEdge.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/12/23
+references:
+- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1073
+- attack.t1574.002
diff --git a/rules/sigma/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
new file mode 100644
index 00000000..73c7ca5e
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -0,0 +1,30 @@
+
+title: Alternate PowerShell Hosts
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: System.Management.Automation
+ SELECTION_3:
+ ImageLoaded: '*System.Management.Automation*'
+ SELECTION_4:
+ Image: '*\powershell.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: fe6e002f-f244-4278-9263-20e4b593827f
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/05/12
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
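Review bot: the exclusion at SELECTION_4 names only `'*\powershell.exe'`, while the In-memory PowerShell rule in this commit excludes `powershell_ise.exe`, `sqlps.exe`, `wsmprovhost.exe` and other legitimate hosts of the same DLL; with the narrower list this `level: medium` rule will flag those hosts routinely. Consider aligning the exclusion list with the sibling rule, or documenting the expected hosts under `falsepositives`.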
diff --git a/rules/sigma/windows/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/windows/image_load/sysmon_foggyweb_nobelium.yml
new file mode 100644
index 00000000..19a55463
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_foggyweb_nobelium.yml
@@ -0,0 +1,21 @@
+
+title: FoggyWeb Backdoor DLL Loading
+author: Florian Roth
+date: 2021/09/27
+description: Detects DLL image load activity as used by FoggyWeb backdoor loader
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: C:\Windows\ADFS\version.dll
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
+level: critical
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
+status: experimental
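Review bot: `Image: C:\Windows\ADFS\version.dll` at SELECTION_2 places a DLL path in `Image`, which in a Sysmon EventID 7 record is the loading process; the loaded module is reported in `ImageLoaded`, the field every other `image_load` rule in this commit uses. As written the selector is unlikely ever to match, and the intended line is probably `ImageLoaded: '*\ADFS\version.dll'`. The file also has no `tags:` block.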
diff --git a/rules/sigma/windows/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/windows/image_load/sysmon_in_memory_powershell.yml
new file mode 100644
index 00000000..d8f9da33
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_in_memory_powershell.yml
@@ -0,0 +1,46 @@
+
+title: In-memory PowerShell
+author: Tom Kern, oscd.community, Natalia Shornikova
+date: 2019/11/14
+description: Detects loading of essential DLL used by PowerShell, but not by the process
+ powershell.exe. Detects meterpreter's "load powershell" extension.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\System.Management.Automation.Dll'
+ - '*\System.Management.Automation.ni.Dll'
+ SELECTION_3:
+ Image:
+ - '*\powershell.exe'
+ - '*\powershell_ise.exe'
+ - '*\WINDOWS\System32\sdiagnhost.exe'
+ - '*\mscorsvw.exe'
+ - '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
+ - '*\sqlps.exe'
+ - '*\wsmprovhost.exe'
+ - '*\winrshost.exe'
+ - '*\syncappvpublishingserver.exe'
+ - '*\runscripthelper.exe'
+ - '*\ServerManager.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+enrichment:
+- EN_0001_cache_sysmon_event_id_1_info
+- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
+falsepositives:
+- Used by some .NET binaries, minimal on user workstation.
+id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/10/12
+references:
+- https://adsecurity.org/?p=2921
+- https://github.com/p3nt4/PowerShdll
+status: experimental
+tags:
+- attack.t1086
+- attack.t1059.001
+- attack.execution
diff --git a/rules/sigma/windows/image_load/sysmon_pcre_net_load.yml b/rules/sigma/windows/image_load/sysmon_pcre_net_load.yml
new file mode 100644
index 00000000..ce90f8b3
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_pcre_net_load.yml
@@ -0,0 +1,26 @@
+
+title: PCRE.NET Package Image Load
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/29
+description: Detects processes loading modules related to PCRE.NET package
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/14
+references:
+- https://twitter.com/rbmaslen/status/1321859647091970051
+- https://twitter.com/tifkin_/status/1321916444557365248
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/sigma/windows/image_load/sysmon_powershell_execution_moduleload.yml
new file mode 100644
index 00000000..da9cbad9
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -0,0 +1,33 @@
+
+title: PowerShell Execution
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects execution of PowerShell
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: System.Management.Automation
+ SELECTION_3:
+ ImageLoaded: '*System.Management.Automation*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- Image
+- ProcessID
+- ImageLoaded
+id: 867613fb-fa60-4497-a017-a82df74a172c
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2019/11/10
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
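Review bot: SELECTION_1–3 are identical to the Alternate PowerShell Hosts rule minus its `not (SELECTION_4)` exclusion, so this rule fires at `level: medium` on every PowerShell start, including the hosts the sibling rule deliberately treats as benign. If it is meant as baseline visibility, `level: informational` and a `falsepositives` entry saying so would set expectations; otherwise the two should be linked via `related` and the overlap resolved.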
diff --git a/rules/sigma/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000..25be1a44
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -0,0 +1,35 @@
+
+title: WMI Script Host Process Image Loaded
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
+ functionality being used via images being loaded by a process.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\scrcons.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\vbscript.dll'
+ - '*\wbemdisp.dll'
+ - '*\wshom.ocx'
+ - '*\scrrun.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://twitter.com/HunterPlaybook/status/1301207718355759107
+- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
diff --git a/rules/sigma/windows/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/windows/image_load/sysmon_spoolsv_dll_load.yml
new file mode 100644
index 00000000..e006ed0b
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_spoolsv_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: Windows Spooler Service Suspicious Binary Load
+author: FPT.EagleEye, Thomas Patzke (improvements)
+date: 2021/06/29
+description: Detect DLL Load from Spooler Service backup folder
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*spoolsv.exe'
+ SELECTION_3:
+ ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
+ SELECTION_4:
+ ImageLoaded: '*.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Loading of legitimate driver
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+level: informational
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://nvd.nist.gov/vuln/detail/cve-2021-1675
+- https://nvd.nist.gov/vuln/detail/cve-2021-34527
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
diff --git a/rules/sigma/windows/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/windows/image_load/sysmon_susp_fax_dll.yml
new file mode 100644
index 00000000..27671f58
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_fax_dll.yml
@@ -0,0 +1,37 @@
+
+title: Fax Service DLL Search Order Hijack
+author: NVISO
+date: 2020/05/04
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An
+ attacker can then (side)load their own malicious DLL using this service.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*fxssvc.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*ualapi.dll'
+ SELECTION_4:
+ ImageLoaded:
+ - C:\Windows\WinSxS\\*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unlikely
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://windows-internals.com/faxing-your-way-to-system/
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1038
+- attack.t1574.001
+- attack.t1574.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_image_load.yml b/rules/sigma/windows/image_load/sysmon_susp_image_load.yml
new file mode 100644
index 00000000..64630bd8
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_image_load.yml
@@ -0,0 +1,32 @@
+
+title: Possible Process Hollowing Image Loading
+author: Markus Neis
+date: 2018/01/07
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.
+ through process hollowing by Mimikatz
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\notepad.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\samlib.dll'
+ - '*\WinSCard.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very likely, needs more tuning
+id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
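Review bot: `falsepositives` states "Very likely, needs more tuning" yet `level: high` is retained, and SELECTION_2 narrows the "untypical process" of the title to `notepad.exe` alone; the level and description should agree with the stated false-positive expectation, or the rule should be tuned before it ships. A short `falsepositives` sentence naming the observed benign loaders would also help operators triage it.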
diff --git a/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
new file mode 100644
index 00000000..017745c3
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: dotNET DLL Loaded Via Office Applications
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any assembly DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - C:\Windows\assembly\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
new file mode 100644
index 00000000..5179191a
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: CLR DLL Loaded Via Office Applications
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects CLR DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\clr.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
new file mode 100644
index 00000000..a58112dc
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: GAC DLL Loaded Via Office Applications
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects any GAC DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - C:\Windows\Microsoft.NET\assembly\GAC_MSIL*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
new file mode 100644
index 00000000..b21e9441
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: Active Directory Parsing DLL Loaded Via Office Applications
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DSParse DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\dsparse.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
new file mode 100644
index 00000000..6d0ffd63
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -0,0 +1,33 @@
+
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects Kerberos DLL being loaded by an Office Product
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\kerberos.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/windows/image_load/sysmon_susp_python_image_load.yml
new file mode 100644
index 00000000..f92ee9e2
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_python_image_load.yml
@@ -0,0 +1,29 @@
+
+title: Python Py2Exe Image Load
+author: Patrick St. John, OTR (Open Threat Research)
+date: 2020/05/03
+description: Detects the image load of Python Core indicative of a Python script bundled
+ with Py2Exe.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: Python Core
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legit Py2Exe Binaries
+fields:
+- Description
+id: cbb56d62-4060-40f7-9466-d8aaf3123f83
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/05/12
+references:
+- https://www.py2exe.org/
+- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027.002
diff --git a/rules/sigma/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
new file mode 100644
index 00000000..faff2405
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -0,0 +1,35 @@
+
+title: CLR DLL Loaded Via Scripting Applications
+author: omkar72, oscd.community
+date: 2020/10/14
+description: Detects CLR DLL being loaded by an scripting applications
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\mshta.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\clr.dll'
+ - '*\mscoree.dll'
+ - '*\mscorlib.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://github.com/tyranid/DotNetToJScript
+- https://thewover.github.io/Introducing-Donut/
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.t1055
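Review bot: The description reads "by an scripting applications"; `description: Detects the CLR DLLs being loaded by scripting applications (wscript, cscript, mshta)` states the same thing grammatically and names what SELECTION_2 actually covers. The `attack.privilege_escalation` / `attack.t1055` tags look doubtful for this pattern: the referenced tooling (DotNetToJScript, Donut) runs .NET code inside the script host itself rather than injecting into another process, so a scripting-interpreter mapping such as `attack.t1059.005` / `attack.t1059.007` may fit better — worth confirming before the rule leaves experimental status.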
diff --git a/rules/sigma/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/windows/image_load/sysmon_susp_system_drawing_load.yml
new file mode 100644
index 00000000..0dbc9ee1
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -0,0 +1,28 @@
+
+title: Suspicious System.Drawing Load
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for processes loading System.Drawing.ni.dll. This
+ could be an indicator of potential Screen Capture.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*\System.Drawing.ni.dll'
+ SELECTION_3:
+ Image: '*\WmiPrvSE.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+level: medium
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/16
+- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+status: experimental
+tags:
+- attack.collection
+- attack.t1113
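Review bot: The single `unknown` entry under `falsepositives` undersells the noise this selection produces: System.Drawing.ni.dll is the native image of the managed GDI+ wrapper and is loaded by any .NET application that uses WinForms or System.Drawing, so excluding only WmiPrvSE.exe in SELECTION_3 leaves a broad set of benign matches at level medium. Documenting that explicitly, e.g. `- Any .NET application using WinForms or System.Drawing; baseline per environment`, tells the analyst why tuning is required, and the description's "General detection" wording already implies it.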
diff --git a/rules/sigma/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_winword_vbadll_load.yml
new file mode 100644
index 00000000..945e6be0
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -0,0 +1,35 @@
+
+title: VBA DLL Loaded Via Microsoft Word
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\VBE7.DLL'
+ - '*\VBEUI.DLL'
+ - '*\VBE7INTL.DLL'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
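Review bot: The title "VBA DLL Loaded Via Microsoft Word" and the description no longer match SELECTION_2, whose Image list also covers powerpnt.exe, excel.exe and outlook.exe; `title: VBA DLL Loaded Via Office Applications` and `description: Detects VBA runtime DLLs being loaded by Office applications, as seen with macro execution` would describe the rule as written and align it with the dsparse/kerberos siblings above. The same title/scope mismatch applies to the WMI rule in the hunk ending at line 11624 ("Loaded Via Microsoft Word" over the same four-process list).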
diff --git a/rules/sigma/windows/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/windows/image_load/sysmon_susp_winword_wmidll_load.yml
new file mode 100644
index 00000000..f74c63d2
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -0,0 +1,37 @@
+
+title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
+author: Michael R. (@nahamike01)
+date: 2019/12/26
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\wmiutils.dll'
+ - '*\wbemcomn.dll'
+ - '*\wbemprox.dll'
+ - '*\wbemdisp.dll'
+ - '*\wbemsvc.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Possible. Requires further testing.
+id: a457f232-7df9-491d-898f-b5aabd2cbe2f
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
diff --git a/rules/sigma/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
new file mode 100644
index 00000000..78fe68a3
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -0,0 +1,73 @@
+
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+author: Perez Diego (@darkquassar), oscd.community, Ecco
+date: 2019/10/27
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
+ suspicious processes. Tools like ProcessHacker and some attacker tradecract use
+ MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
+ C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
+ and transfer it over the network back to the attacker's machine.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\dbghelp.dll'
+ - '*\dbgcore.dll'
+ SELECTION_3:
+ Image:
+ - '*\msbuild.exe'
+ - '*\cmd.exe'
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\powershell.exe'
+ - '*\word.exe'
+ - '*\excel.exe'
+ - '*\powerpnt.exe'
+ - '*\outlook.exe'
+ - '*\monitoringhost.exe'
+ - '*\wmic.exe'
+ - '*\bash.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\mshta.exe'
+ - '*\regsvr32.exe'
+ - '*\schtasks.exe'
+ - '*\dnx.exe'
+ - '*\regsvcs.exe'
+ - '*\sc.exe'
+ - '*\scriptrunner.exe'
+ SELECTION_4:
+ Image: '*Visual Studio*'
+ SELECTION_5:
+ ImageLoaded:
+ - '*\dbghelp.dll'
+ - '*\dbgcore.dll'
+ SELECTION_6:
+ Signed: 'FALSE'
+ SELECTION_7:
+ Image: '*Visual Studio*'
+ condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+ or ((SELECTION_5 and SELECTION_6) and not (SELECTION_7))))
+falsepositives:
+- Penetration tests
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
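Review bot: The SELECTION_3 entry `'*\word.exe'` never matches, because the Word binary is winword.exe (the Office rules in this same diff use `'*\winword.exe'` at lines 11557 and 11598); change it to `- '*\winword.exe'`. SELECTION_5 and SELECTION_7 repeat SELECTION_2 and SELECTION_4 verbatim, so the condition can drop them without changing semantics: `condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_4) and (SELECTION_3 or SELECTION_6))`. `Signed: 'FALSE'` here and `Signed: 'false'` at line 11886 are matched case-insensitively by Sigma but read as two conventions; pick one across the image_load rules. The description also misspells "tradecraft" as "tradecract".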
diff --git a/rules/sigma/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
new file mode 100644
index 00000000..c21bce53
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -0,0 +1,42 @@
+
+title: Svchost DLL Search Order Hijack
+author: SBousseaden
+date: 2019/10/28
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
+ do not exist within C:\Windows\System32\ by default. An attacker can place their
+ malicious logic within the PROCESS_ATTACH block of their library and restart the
+ aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
+ machine.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\svchost.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\tsmsisrv.dll'
+ - '*\tsvipsrv.dll'
+ - '*\wlbsctrl.dll'
+ SELECTION_4:
+ ImageLoaded:
+ - C:\Windows\WinSxS\\*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Pentest
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1038
+- attack.t1574.001
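Review bot: The description starts mid-sentence ("IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist ..."), so a reader does not learn what the rule detects before the rationale begins; a lead such as `Detects svchost.exe loading DLLs that the IKEEXT and SessionEnv services look up but that do not exist in C:\Windows\System32 by default, a DLL search order hijacking opportunity.` followed by the existing text would fix that. The tags carry both the retired IDs (`attack.t1073`, `attack.t1038`) and their current replacements (`attack.t1574.002`, `attack.t1574.001`); if the retired ones are kept deliberately for older ATT&CK consumers, a short comment saying so would stop the next editor from pruning them.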
diff --git a/rules/sigma/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 00000000..0c26cf85
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,33 @@
+
+title: Time Travel Debugging Utility Usage
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+ malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\ttdrecord.dll'
+ - '*\ttdwriter.dll'
+ - '*\ttdloader.dll'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
diff --git a/rules/sigma/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/windows/image_load/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 00000000..086be58e
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_uac_bypass_via_dism.yml
@@ -0,0 +1,32 @@
+
+title: UAC Bypass With Fake DLL
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+description: Attempts to load dismcore.dll after dropping it
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image:
+ - '*\dism.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\dismcore.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Pentests
+- Actions of a legitimate telnet client
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+- attack.t1574.002
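Review bot: SELECTION_2/SELECTION_3 match every dism.exe run that loads its own dismcore.dll, yet the description says the rule targets a copy loaded "after dropping it"; without a path filter the legitimate load from the Windows DISM directory fires at level high on routine servicing. Adding a filter for the legitimate location, e.g. `SELECTION_4:` / `ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'` and `condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and not (SELECTION_4))`, narrows it to loads from elsewhere (verify the exact path against a clean build before relying on it). The `falsepositives` entry "Actions of a legitimate telnet client" appears copied from another rule — nothing here involves telnet — and should be removed or replaced with "Legitimate servicing tools that stage dismcore.dll".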
diff --git a/rules/sigma/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/windows/image_load/sysmon_uipromptforcreds_dlls.yml
new file mode 100644
index 00000000..36cb7da3
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_uipromptforcreds_dlls.yml
@@ -0,0 +1,34 @@
+
+title: UIPromptForCredentials DLLs
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects potential use of UIPromptForCredentials functions by looking
+ for some of the DLLs needed for it.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\credui.dll'
+ - '*\wincredui.dll'
+ SELECTION_3:
+ OriginalFileName:
+ - credui.dll
+ - wincredui.dll
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- other legitimate processes loading those DLLs in your environment.
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+level: medium
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+status: experimental
+tags:
+- attack.credential_access
+- attack.collection
+- attack.t1056.002
diff --git a/rules/sigma/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
new file mode 100644
index 00000000..c4bc888e
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml
@@ -0,0 +1,28 @@
+
+title: Unsigned Image Loaded Into LSASS Process
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Loading unsigned image (DLL, EXE) into LSASS process
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\lsass.exe'
+ SELECTION_3:
+ Signed: 'false'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Valid user connecting using RDP
+id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
diff --git a/rules/sigma/windows/image_load/sysmon_wmi_module_load.yml b/rules/sigma/windows/image_load/sysmon_wmi_module_load.yml
new file mode 100644
index 00000000..e2e25a11
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_wmi_module_load.yml
@@ -0,0 +1,52 @@
+
+title: WMI Modules Loaded
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects non wmiprvse loading WMI modules
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\wmiclnt.dll'
+ - '*\WmiApRpl.dll'
+ - '*\wmiprov.dll'
+ - '*\wmiutils.dll'
+ - '*\wbemcomn.dll'
+ - '*\wbemprox.dll'
+ - '*\WMINet_Utils.dll'
+ - '*\wbemsvc.dll'
+ - '*\fastprox.dll'
+ SELECTION_3:
+ Image:
+ - '*\WmiPrvSE.exe'
+ - '*\WmiApSrv.exe'
+ - '*\svchost.exe'
+ - '*\DeviceCensus.exe'
+ - '*\CompatTelRunner.exe'
+ - '*\sdiagnhost.exe'
+ - '*\SIHClient.exe'
+ - '*\ngentask.exe'
+ - '*\windows\system32\taskhostw.exe'
+ - '*\windows\system32\MoUsoCoreWorker.exe'
+ - '*\windows\system32\wbem\WMIADAP.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/18
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
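Review bot: The SELECTION_3 exclusion list mixes name-only entries such as `'*\svchost.exe'` and `'*\WmiPrvSE.exe'` with fully path-anchored ones (`'*\windows\system32\taskhostw.exe'`), so a process of the same name started from a user-writable directory is excluded by the former but not by the latter. Anchoring the remaining well-known system binaries the same way, e.g. `- '*\windows\system32\svchost.exe'` and `- '*\windows\system32\wbem\WmiPrvSE.exe'`, makes the filter consistent and keeps the exclusion from being satisfied by a look-alike image name; the 32-bit `SysWOW64` locations would need their own entries if they occur in your telemetry.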
diff --git a/rules/sigma/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
new file mode 100644
index 00000000..eaa26ec9
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -0,0 +1,28 @@
+
+title: WMI Persistence - Command Line Event Consumer
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects WMI command line event consumers
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: C:\Windows\System32\wbem\WmiPrvSE.exe
+ SELECTION_3:
+ ImageLoaded: '*\wbemcons.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: experimental
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
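Review bot: SELECTION_2 pins `Image` to the absolute path `C:\Windows\System32\wbem\WmiPrvSE.exe`, while the sibling WMI rule at line 11930 matches the same host with `'*\WmiPrvSE.exe'`; a system drive other than C: or a 32-bit host under SysWOW64 would silently miss here even though wbemcons.dll is loaded. `Image: '*\wbem\WmiPrvSE.exe'` keeps the provider-host constraint and removes the drive and architecture dependency. The falsepositives entry already flags the small data set, so the level of `high` might deserve the same caveat in the description.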
diff --git a/rules/sigma/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
new file mode 100644
index 00000000..1c04b346
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
@@ -0,0 +1,32 @@
+
+title: WMIC Loading Scripting Libraries
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/17
+description: Detects threat actors proxy executing code and bypassing application
+ controls by leveraging wmic and the `/FORMAT` argument switch to download and execute
+ an XSL file (i.e js, vbs, etc).
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\wmic.exe'
+ SELECTION_3:
+ ImageLoaded:
+ - '*\jscript.dll'
+ - '*\vbscript.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Apparently, wmic os get lastboottuptime loads vbscript.dll
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+- https://twitter.com/dez_/status/986614411711442944
+- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1220
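Review bot: The falsepositives entry misspells the WMI property as "lastboottuptime"; since analysts will search their logs for the quoted command, `- wmic os get lastbootuptime loads vbscript.dll` avoids a misleading lookup. The description's "(i.e js, vbs, etc)" should read "(e.g. js, vbs)" — the list is an example, not a definition.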
diff --git a/rules/sigma/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/sigma/windows/image_load/sysmon_wsman_provider_image_load.yml
new file mode 100644
index 00000000..439e60f7
--- /dev/null
+++ b/rules/sigma/windows/image_load/sysmon_wsman_provider_image_load.yml
@@ -0,0 +1,47 @@
+
+title: Suspicious WSMAN Provider Image Loads
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects signs of potential use of the WSMAN provider from uncommon processes
+ locally and remote execution.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ EventID: 7
+ SELECTION_3:
+ ImageLoaded:
+ - '*\WsmSvc.dll'
+ - '*\WsmAuto.dll'
+ - '*\Microsoft.WSMan.Management.ni.dll'
+ SELECTION_4:
+ OriginalFileName:
+ - WsmSvc.dll
+ - WSMANAUTOMATION.DLL
+ - Microsoft.WSMan.Management.dll
+ SELECTION_5:
+ Image: '*\powershell.exe'
+ SELECTION_6:
+ Image: '*\svchost.exe'
+ SELECTION_7:
+ OriginalFileName: WsmWmiPl.dll
+ condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4) and not
+ (SELECTION_5)) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Unknown
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+level: medium
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003
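Review bot: SELECTION_2 is a verbatim duplicate of SELECTION_1 (`EventID: 7`), so the inner `SELECTION_2 and` term adds nothing and only makes the condition harder to read. Dropping SELECTION_2 and writing `condition: (SELECTION_1 and (((SELECTION_3 or SELECTION_4) and not (SELECTION_5)) or (SELECTION_6 and SELECTION_7)))` is logically identical. It would also help to say in the description that the second branch (svchost.exe loading WsmWmiPl.dll) is the remote-execution side, since the first sentence only mentions "uncommon processes locally".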
diff --git a/rules/sigma/windows/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/windows/image_load/win_susp_svchost_clfsw32.yml
new file mode 100644
index 00000000..227d4579
--- /dev/null
+++ b/rules/sigma/windows/image_load/win_susp_svchost_clfsw32.yml
@@ -0,0 +1,24 @@
+
+title: APT PRIVATELOG Image Load Pattern
+author: Florian Roth
+date: 2021/09/07
+description: Detects an image load pattern as seen when a tool named PRIVATELOG is
+ used and rarely observed under legitimate circumstances
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\svchost.exe'
+ SELECTION_3:
+ ImageLoaded: '*\clfsw32.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Rarely observed
+id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
+status: experimental
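Review bot: This is the only rule in the batch without a `tags:` section, so it will not surface in ATT&CK-based navigator views or coverage reports alongside its siblings. The FireEye reference describes CLFS log files used to stage a payload stealthily, which points to a defense-evasion mapping such as `tags:` / `- attack.defense_evasion`, with the specific technique to be confirmed against the report before it is added.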
diff --git a/rules/sigma/windows/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/windows/image_load/win_suspicious_vss_ps_load.yml
new file mode 100644
index 00000000..2d98af3f
--- /dev/null
+++ b/rules/sigma/windows/image_load/win_suspicious_vss_ps_load.yml
@@ -0,0 +1,42 @@
+
+title: Image Load of VSS_PS.dll by Uncommon Executable
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName
+ datapoint
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded:
+ - '*\vss_ps.dll'
+ SELECTION_3:
+ Image:
+ - '*\svchost.exe'
+ - '*\msiexec.exe'
+ - '*\vssvc.exe'
+ - '*\srtasks.exe'
+ - '*\tiworker.exe'
+ - '*\dllhost.exe'
+ - '*\searchindexer.exe'
+ - '*dismhost.exe'
+ - '*taskhostw.exe'
+ - '*\clussvc.exe'
+ SELECTION_4:
+ Image: '*c:\windows\\*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3 and SELECTION_4))
+falsepositives:
+- unknown
+id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- 1bd85e1caa1415ebdc8852c91e37bbb7
+- https://twitter.com/am0nsec/status/1412232114980982787
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.impact
+- attack.t1490
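Review bot: Two SELECTION_3 exclusion entries, `'*dismhost.exe'` and `'*taskhostw.exe'`, lack the `\` path separator that the other eight have, so any image name that merely ends in those strings satisfies the exclusion; `- '*\dismhost.exe'` and `- '*\taskhostw.exe'` close that gap without changing intended behaviour. The first `references` entry, `1bd85e1caa1415ebdc8852c91e37bbb7`, is a bare hash rather than a link — state what it is (e.g. the sample's MD5 and where it is documented) or replace it with a URL so the reference is usable.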
diff --git a/rules/sigma/windows/malware/av_exploiting.yml b/rules/sigma/windows/malware/av_exploiting.yml
new file mode 100644
index 00000000..5a9cd9ba
--- /dev/null
+++ b/rules/sigma/windows/malware/av_exploiting.yml
@@ -0,0 +1,40 @@
+
+title: Antivirus Exploitation Framework Detection
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports an exploitation
+ framework
+detection:
+ SELECTION_1:
+ Signature:
+ - '*MeteTool*'
+ - '*MPreter*'
+ - '*Meterpreter*'
+ - '*Metasploit*'
+ - '*PowerSploit*'
+ - '*CobaltSrike*'
+ - '*Swrort*'
+ - '*Rozena*'
+ - '*Backdoor.Cobalt*'
+ - '*CobaltStr*'
+ - '*COBEACON*'
+ - '*Cometer*'
+ - '*Razy*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
+level: critical
+logsource:
+ product: antivirus
+modified: 2019/01/16
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+tags:
+- attack.execution
+- attack.t1203
+- attack.command_and_control
+- attack.t1219
diff --git a/rules/sigma/windows/malware/av_hacktool.yml b/rules/sigma/windows/malware/av_hacktool.yml
new file mode 100644
index 00000000..c86cbf79
--- /dev/null
+++ b/rules/sigma/windows/malware/av_hacktool.yml
@@ -0,0 +1,30 @@
+
+title: Antivirus Hacktool Detection
+author: Florian Roth
+date: 2021/08/16
+description: Detects a highly relevant Antivirus alert that reports a hack tool or
+ other attack tool
+detection:
+ SELECTION_1:
+ Signature:
+ - HTOOL*
+ - HKTL*
+ - SecurityTool*
+ - ATK/*
+ SELECTION_2:
+ Signature:
+ - '*Hacktool*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+level: high
+logsource:
+ product: antivirus
+references:
+- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+tags:
+- attack.execution
diff --git a/rules/sigma/windows/malware/av_password_dumper.yml b/rules/sigma/windows/malware/av_password_dumper.yml
new file mode 100644
index 00000000..df07970c
--- /dev/null
+++ b/rules/sigma/windows/malware/av_password_dumper.yml
@@ -0,0 +1,40 @@
+
+title: Antivirus Password Dumper Detection
+author: Florian Roth
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a password dumper
+detection:
+ SELECTION_1:
+ Signature:
+ - '*DumpCreds*'
+ - '*Mimikatz*'
+ - '*PWCrack*'
+ - '*HTool/WCE*'
+ - '*PSWtool*'
+ - '*PWDump*'
+ - '*SecurityTool*'
+ - '*PShlSpy*'
+ - '*Rubeus*'
+ - '*Kekeo*'
+ - '*LsassDump*'
+ - '*Outflank*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
+level: critical
+logsource:
+ product: antivirus
+modified: 2019/10/04
+references:
+- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1558
+- attack.t1003.001
+- attack.t1003.002
diff --git a/rules/sigma/windows/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/windows/malware/av_printernightmare_cve_2021_34527.yml
new file mode 100644
index 00000000..676fcd5e
--- /dev/null
+++ b/rules/sigma/windows/malware/av_printernightmare_cve_2021_34527.yml
@@ -0,0 +1,29 @@
+
+title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
+author: Sittikorn S, Nuttakorn T
+date: 2021/07/01
+description: Detects the suspicious file that is created from PoC code against Windows
+ Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
+ CVE-2021-1675 .
+detection:
+ SELECTION_1:
+ FileName: '*C:\Windows\System32\spool\drivers\x64\\*'
+ condition: SELECTION_1
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- FileName
+- ComputerName
+id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
+level: critical
+logsource:
+ product: antivirus
+references:
+- https://twitter.com/mvelazco/status/1410291741241102338
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
+- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+status: stable
+tags:
+- attack.privilege_escalation
+- attack.t1055
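Review bot: The tag `attack.t1055` (process injection) does not describe exploitation of the Print Spooler; the privilege-escalation tactic already listed maps to `attack.t1068` (Exploitation for Privilege Escalation), which is the technique the references describe. The SELECTION_1 pattern `'*C:\Windows\System32\spool\drivers\x64\\*'` covers only the x64 driver store, so a driver dropped under the 32-bit driver directory would not match — if that is deliberate, say so in the description, otherwise add the corresponding entry. The description's "CVE-2021-1675 ." has a stray space before the period.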
diff --git a/rules/sigma/windows/malware/av_relevant_files.yml b/rules/sigma/windows/malware/av_relevant_files.yml
new file mode 100644
index 00000000..21f2cee7
--- /dev/null
+++ b/rules/sigma/windows/malware/av_relevant_files.yml
@@ -0,0 +1,80 @@
+
+title: Antivirus Relevant File Paths Alerts
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects an Antivirus alert in a highly relevant file path or with a relevant
+ file name
+detection:
+ SELECTION_1:
+ FileName:
+ - C:\Windows\\*
+ - C:\Temp\\*
+ - C:\PerfLogs\\*
+ - C:\Users\Public\\*
+ - C:\Users\Default\\*
+ SELECTION_2:
+ FileName:
+ - '*\Client\\*'
+ - '*\tsclient\\*'
+ - '*\inetpub\\*'
+ - '*/www/*'
+ - '*apache*'
+ - '*tomcat*'
+ - '*nginx*'
+ - '*weblogic*'
+ SELECTION_3:
+ Filename:
+ - '*.ps1'
+ - '*.psm1'
+ - '*.vbs'
+ - '*.bat'
+ - '*.cmd'
+ - '*.sh'
+ - '*.chm'
+ - '*.xml'
+ - '*.txt'
+ - '*.jsp'
+ - '*.jspx'
+ - '*.asp'
+ - '*.aspx'
+ - '*.ashx'
+ - '*.asax'
+ - '*.asmx'
+ - '*.php'
+ - '*.cfm'
+ - '*.py'
+ - '*.pyc'
+ - '*.pl'
+ - '*.rb'
+ - '*.cgi'
+ - '*.war'
+ - '*.ear'
+ - '*.hta'
+ - '*.lnk'
+ - '*.scf'
+ - '*.sct'
+ - '*.vbe'
+ - '*.wsf'
+ - '*.wsh'
+ - '*.gif'
+ - '*.png'
+ - '*.jpg'
+ - '*.jpeg'
+ - '*.svg'
+ - '*.dat'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- Unlikely
+fields:
+- Signature
+- User
+id: c9a88268-0047-4824-ba6e-4d81ce0b907c
+level: high
+logsource:
+ product: antivirus
+modified: 2021/05/09
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+tags:
+- attack.resource_development
+- attack.t1588
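Review bot: SELECTION_3 uses the field name `Filename:` while SELECTION_1 and SELECTION_2 use `FileName:`; if the backend's field mapping is keyed on the exact spelling, the whole extension list at lines 12358–12396 maps to an unknown field and never matches, silently dropping the third branch of the `or` condition. Change it to `FileName:` to match the other two selections and the `fields:` block. The same field spelling is used consistently in the other antivirus rules in this batch, so this is the only outlier.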
diff --git a/rules/sigma/windows/malware/av_webshell.yml b/rules/sigma/windows/malware/av_webshell.yml
new file mode 100644
index 00000000..87f22a1c
--- /dev/null
+++ b/rules/sigma/windows/malware/av_webshell.yml
@@ -0,0 +1,78 @@
+
+title: Antivirus Web Shell Detection
+author: Florian Roth, Arnim Rupp
+date: 2018/09/09
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's
+ highly recommended to tune this rule to the specific strings used by your anti virus
+ solution by downloading a big webshell repo from e.g. github and checking the matches.
+detection:
+ SELECTION_1:
+ Signature:
+ - PHP/*
+ - JSP/*
+ - ASP/*
+ - Perl/*
+ - PHP.*
+ - JSP.*
+ - ASP.*
+ - Perl.*
+ - VBS/Uxor*
+ - IIS/BackDoor*
+ - JAVA/Backdoor*
+ - Troj/ASP*
+ - Troj/PHP*
+ - Troj/JSP*
+ SELECTION_2:
+ Signature:
+ - '*Webshell*'
+ - '*Chopper*'
+ - '*SinoChoper*'
+ - '*ASPXSpy*'
+ - '*Aspdoor*'
+ - '*filebrowser*'
+ - '*PHP_*'
+ - '*JSP_*'
+ - '*ASP_*'
+ - '*PHP:*'
+ - '*JSP:*'
+ - '*ASP:*'
+ - '*Perl:*'
+ - '*PHPShell*'
+ - '*Trojan.PHP*'
+ - '*Trojan.ASP*'
+ - '*Trojan.JSP*'
+ - '*Trojan.VBS*'
+ - '*PHP?Agent*'
+ - '*ASP?Agent*'
+ - '*JSP?Agent*'
+ - '*VBS?Agent*'
+ - '*Backdoor?PHP*'
+ - '*Backdoor?JSP*'
+ - '*Backdoor?ASP*'
+ - '*Backdoor?VBS*'
+ - '*Backdoor?Java*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Unlikely
+fields:
+- FileName
+- User
+id: fdf135a2-9241-4f96-a114-bb404948f736
+level: critical
+logsource:
+ product: antivirus
+modified: 2021/05/08
+references:
+- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
+- https://github.com/tennc/webshell
+- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
+- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
+- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
+- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
+- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003
diff --git a/rules/sigma/windows/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/windows/malware/file_event_mal_octopus_scanner.yml
new file mode 100644
index 00000000..9e9d151f
--- /dev/null
+++ b/rules/sigma/windows/malware/file_event_mal_octopus_scanner.yml
@@ -0,0 +1,26 @@
+
+title: Octopus Scanner Malware
+author: NVISO
+date: 2020/06/09
+description: Detects Octopus Scanner Malware.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename:
+ - '*\AppData\Local\Microsoft\Cache134.dat'
+ - '*\AppData\Local\Microsoft\ExplorerSync.db'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+status: experimental
+tags:
+- attack.t1195
+- attack.t1195.001
diff --git a/rules/sigma/windows/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/windows/malware/process_creation_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..c193a043
--- /dev/null
+++ b/rules/sigma/windows/malware/process_creation_mal_blue_mockingbird.yml
@@ -0,0 +1,38 @@
+
+title: Blue Mockingbird
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cmd.exe'
+ SELECTION_3:
+ CommandLine: '*sc config*'
+ SELECTION_4:
+ CommandLine: '*wercplsupporte.dll*'
+ SELECTION_5:
+ Image: '*\wmic.exe'
+ SELECTION_6:
+ CommandLine: '*COR_PROFILER'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- unknown
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: ce239692-aa94-41b3-b32f-9cab259c96ea
+ type: merged
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
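Review bot: SELECTION_6's `CommandLine: '*COR_PROFILER'` only matches when COR_PROFILER is the final token of the command line, so a wmic invocation that carries anything after the variable name is missed by the `SELECTION_5 and SELECTION_6` branch. If "contains" is the intent, the line should read `CommandLine: '*COR_PROFILER*'`, consistent with SELECTION_3 and SELECTION_4 in the same rule. The tag attack.t1112 (Modify Registry) on a process_creation rule also looks borrowed from the registry_event sibling listed under `related`; either justify it in the description or leave it to that rule.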
diff --git a/rules/sigma/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/windows/malware/process_creation_mal_darkside_ransomware.yml
new file mode 100644
index 00000000..972dd8c1
--- /dev/null
+++ b/rules/sigma/windows/malware/process_creation_mal_darkside_ransomware.yml
@@ -0,0 +1,35 @@
+
+title: DarkSide Ransomware Pattern
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - "*=[char][byte]('0x'+*"
+ - '* -work worker0 -path *'
+ SELECTION_3:
+ ParentCommandLine:
+ - '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
+ SELECTION_4:
+ Image:
+ - '*\AppData\Local\Temp\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Unknown
+- UAC bypass method used by other malware
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
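Review bot: The `SELECTION_3 and SELECTION_4` branch keys on a DllHost.exe `/Processid:{…}` parent spawning an image under `\AppData\Local\Temp\`, which the falsepositives entry itself calls a UAC bypass method shared with other malware, yet the tags list only attack.execution and attack.t1204. Adding `- attack.privilege_escalation` and `- attack.t1548.002` would let hits from that branch be triaged under the technique it actually observes. SELECTION_2's first pattern is the only double-quoted scalar in the file; writing it as `- '*=[char][byte](''0x''+*'` keeps every pattern in the same quoting style and avoids escape processing if a backslash is ever added.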
diff --git a/rules/sigma/windows/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/windows/malware/process_creation_mal_lockergoga_ransomware.yml
new file mode 100644
index 00000000..efe7aeb7
--- /dev/null
+++ b/rules/sigma/windows/malware/process_creation_mal_lockergoga_ransomware.yml
@@ -0,0 +1,26 @@
+
+title: LockerGoga Ransomware
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-i SM-tgytutrc -s*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 74db3488-fd28-480a-95aa-b7af626de068
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+status: experimental
+tags:
+- attack.impact
+- attack.t1486
diff --git a/rules/sigma/windows/malware/process_creation_mal_ryuk.yml b/rules/sigma/windows/malware/process_creation_mal_ryuk.yml
new file mode 100644
index 00000000..0a388e82
--- /dev/null
+++ b/rules/sigma/windows/malware/process_creation_mal_ryuk.yml
@@ -0,0 +1,33 @@
+
+title: Ryuk Ransomware
+author: Vasiliy Burov
+date: 2019/08/06
+description: Detects Ryuk Ransomware command lines
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ SELECTION_3:
+ CommandLine: '*stop*'
+ SELECTION_4:
+ CommandLine:
+ - '*samss*'
+ - '*audioendpointbuilder*'
+ - '*unistoresvc_?????*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: 0acaad27-9f02-4136-a243-c357202edd74
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
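Review bot: What SELECTION_2–SELECTION_4 observe is `net stop` against the samss/audioendpointbuilder/unistoresvc services, i.e. Service Stop, but the tags carry only attack.execution and attack.t1204. Tagging `- attack.impact` and `- attack.t1489` matches the behaviour and groups this rule with the other ransomware pre-encryption rules in the set. SELECTION_3's `CommandLine: '*stop*'` is a bare substring match that stays precise only because SELECTION_4 pins the service names; that dependency is worth one sentence in the description so the two selections are not later loosened independently.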
diff --git a/rules/sigma/windows/malware/registry_event_mal_azorult.yml b/rules/sigma/windows/malware/registry_event_mal_azorult.yml
new file mode 100644
index 00000000..ad726d65
--- /dev/null
+++ b/rules/sigma/windows/malware/registry_event_mal_azorult.yml
@@ -0,0 +1,39 @@
+
+title: Registry Entries For Azorult Malware
+author: Trent Liffick
+date: 2020/05/08
+description: Detects the presence of a registry key created during Azorult execution
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventID: 12
+ SELECTION_5:
+ EventID: 13
+ SELECTION_6:
+ TargetObject: '*SYSTEM\\*'
+ SELECTION_7:
+ TargetObject: '*\services\localNETService'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- unknown
+fields:
+- Image
+- TargetObject
+- TargetDetails
+id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
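Review bot: SELECTION_4 and SELECTION_5 repeat EventID 12 and 13, so the condition `(SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)` reduces to EventID 12 or 13 and SELECTION_3 (EventID 14, key/value rename) is dead. If renames are meant to be covered, drop the second group: `condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_6 and SELECTION_7)`; if they are not, remove SELECTION_3 together with the redundant SELECTION_4/SELECTION_5 so the rule states its intent once. The description says "registry key created", which matches only EventID 12, so the text and the event list should be reconciled as well.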
diff --git a/rules/sigma/windows/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/windows/malware/registry_event_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..0c355ce1
--- /dev/null
+++ b/rules/sigma/windows/malware/registry_event_mal_blue_mockingbird.yml
@@ -0,0 +1,33 @@
+
+title: Blue Mockingbird
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+id: 92b0b372-a939-44ed-a11b-5136cf680e27
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: c3198a27-23a0-4c2c-af19-e5328d49680e
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
diff --git a/rules/sigma/windows/malware/registry_event_mal_flowcloud.yml b/rules/sigma/windows/malware/registry_event_mal_flowcloud.yml
new file mode 100644
index 00000000..db1beb5e
--- /dev/null
+++ b/rules/sigma/windows/malware/registry_event_mal_flowcloud.yml
@@ -0,0 +1,35 @@
+
+title: FlowCloud Malware
+author: NVISO
+date: 2020/06/09
+description: Detects FlowCloud malware from threat group TA410.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject:
+ - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+ - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+ - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+ SELECTION_5:
+ TargetObject:
+ - HKLM\SYSTEM\Setup\PrintResponsor\\*
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/07/22
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+status: experimental
+tags:
+- attack.persistence
+- attack.t1112
diff --git a/rules/sigma/windows/malware/registry_event_mal_ursnif.yml b/rules/sigma/windows/malware/registry_event_mal_ursnif.yml
new file mode 100644
index 00000000..7d6ef855
--- /dev/null
+++ b/rules/sigma/windows/malware/registry_event_mal_ursnif.yml
@@ -0,0 +1,29 @@
+
+title: Ursnif
+author: megan201296
+date: 2019/02/13
+description: Detects new registry key created by Ursnif malware.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 21f17060-b282-4249-ade0-589ea3591558
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
diff --git a/rules/sigma/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
new file mode 100644
index 00000000..fc2be913
--- /dev/null
+++ b/rules/sigma/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,30 @@
+
+title: Silenttrinity Stager Msbuild Activity
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+description: Detects a possible remote connections to Silenttrinity c2
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ ParentImage: '*\msbuild.exe'
+ SELECTION_3:
+ DestinationPort:
+ - '80'
+ - '443'
+ SELECTION_4:
+ Initiated: 'true'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+status: experimental
+tags:
+- attack.execution
+- attack.t1127.001
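Review bot: SELECTION_2 filters on `ParentImage`, but Sysmon network connection events (EventID 3, required by SELECTION_1 in the same conjunction) carry `Image` and no parent-process field, so this rule cannot match as written. The field should be `Image: '*\msbuild.exe'`. DestinationPort is also given as the strings `'80'`/`'443'` here while other rules in this change use bare integers (for example `DestinationPort: 3389`); backends that type the field treat the two forms differently, so one convention should be chosen for the whole rule set.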
diff --git a/rules/sigma/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/windows/network_connection/sysmon_dllhost_net_connections.yml
new file mode 100644
index 00000000..d8311bee
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -0,0 +1,52 @@
+
+title: Dllhost Internet Connection
+author: bartblaze
+date: 2020/07/13
+description: Detects Dllhost that communicates with public IP addresses
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\dllhost.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces
+id: cfed2f44-16df-4bf3-833a-79405198b277
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.execution
+- attack.t1559.001
+- attack.t1175
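Review bot: The `not (SELECTION_4)` exclusion lists only IPv4 private and loopback prefixes, so every IPv6 destination — link-local fe80::, ULA fc00::/7, ::1 — counts as "public" and raises a medium alert; the PowerShell Network Connections rule in this same change avoids that by adding `DestinationIsIpv6: 'false'` to its selection. Adding `SELECTION_5:` with `DestinationIsIpv6: 'false'` to the `and` group, or adding the IPv6 local prefixes to the exclusion, removes that class of false positives. The Rundll32 Internet Connection rule later in this diff has the identical exclusion list and the same gap.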
diff --git a/rules/sigma/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/windows/network_connection/sysmon_malware_backconnect_ports.yml
new file mode 100644
index 00000000..88f7e2a4
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_malware_backconnect_ports.yml
@@ -0,0 +1,110 @@
+
+title: Suspicious Typical Malware Back Connect Ports
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs that connect to typical malware back connect ports based
+ on statistical analysis from two different sandbox system databases
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationPort:
+ - '4443'
+ - '2448'
+ - '8143'
+ - '1777'
+ - '1443'
+ - '243'
+ - '65535'
+ - '13506'
+ - '3360'
+ - '200'
+ - '198'
+ - '49180'
+ - '13507'
+ - '6625'
+ - '4444'
+ - '4438'
+ - '1904'
+ - '13505'
+ - '13504'
+ - '12102'
+ - '9631'
+ - '5445'
+ - '2443'
+ - '777'
+ - '13394'
+ - '13145'
+ - '12103'
+ - '5552'
+ - '3939'
+ - '3675'
+ - '666'
+ - '473'
+ - '5649'
+ - '4455'
+ - '4433'
+ - '1817'
+ - '100'
+ - '65520'
+ - '1960'
+ - '1515'
+ - '743'
+ - '700'
+ - '14154'
+ - '14103'
+ - '14102'
+ - '12322'
+ - '10101'
+ - '7210'
+ - '4040'
+ - '9943'
+ SELECTION_4:
+ EventID: 3
+ SELECTION_5:
+ Image: '*\Program Files*'
+ SELECTION_6:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ SELECTION_7:
+ DestinationIsIpv6: 'false'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+ and (SELECTION_5 or (SELECTION_6 and SELECTION_7)))))
+falsepositives:
+- unknown
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+level: medium
+logsource:
+ category: network_connection
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+modified: 2020/08/24
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1571
+- attack.t1043
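Review bot: The `logsource.definition` text ("Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN") does not belong to this rule — the detection is EventID 3 network connections, and the string reads like a fragment pasted from another rule's filter. Either replace it with a definition that describes the Sysmon network-connection logging this rule needs, or drop the key. The description should also say that the port list is a frozen snapshot from the referenced spreadsheet, since some listed ports (4443, 1443, 4040) are used by legitimate services and the `level: medium` only makes sense with that caveat.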
diff --git a/rules/sigma/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/windows/network_connection/sysmon_notepad_network_connection.yml
new file mode 100644
index 00000000..a3b04bc1
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_notepad_network_connection.yml
@@ -0,0 +1,30 @@
+
+title: Notepad Making Network Connection
+author: EagleEye Team
+date: 2020/05/14
+description: Detects suspicious network connection by Notepad
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\notepad.exe'
+ SELECTION_3:
+ DestinationPort: '9100'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- None observed so far
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.execution
+- attack.defense_evasion
+- attack.t1055
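Review bot: Unlike the other network_connection rules in this change, the selection has no `Initiated: 'true'` clause, so inbound connections to a notepad.exe process (EventID 3 with Initiated false) fire as well; if only outbound activity is meant, add `SELECTION_4:` with `Initiated: 'true'` and include it in the condition. The `not (SELECTION_3)` exclusion of port 9100 is presumably the raw-printing port; saying so in the description saves the next reader a lookup.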
diff --git a/rules/sigma/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/windows/network_connection/sysmon_powershell_network_connection.yml
new file mode 100644
index 00000000..58f7e71b
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -0,0 +1,62 @@
+
+title: PowerShell Network Connections
+author: Florian Roth
+date: 2017/03/13
+description: Detects a Powershell process that opens network connections - check for
+ suspicious target ports and target systems - adjust to your environment (e.g. extend
+ filters with company's ip range')
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIsIpv6: 'false'
+ SELECTION_5:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.0.0.1*
+ SELECTION_6:
+ DestinationIsIpv6: 'false'
+ SELECTION_7:
+ User: NT AUTHORITY\SYSTEM
+ SELECTION_8:
+ User: '*AUT*'
+ SELECTION_9:
+ User: '* NT*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9))
+falsepositives:
+- Administrative scripts
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
+level: low
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/06/14
+references:
+- https://www.youtube.com/watch?v=DLtJTxMWZ2o
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
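Review bot: The filter `not (SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)` ANDs three User patterns that were almost certainly alternatives: SELECTION_7 requires the exact value `NT AUTHORITY\SYSTEM` while SELECTION_9 requires a space before `NT`, which that value does not contain, so the conjunction is unsatisfiable, the filter never applies, and the rule alerts on every outbound IPv4 PowerShell connection including internal ones. The three user patterns belong in one OR'd list under a single selection, with the condition reduced to `not (SELECTION_5 and SELECTION_6 and <that selection>)`. SELECTION_6 also duplicates SELECTION_4 and can go, and the description has a stray `'` after "ip range".
```yaml
# … unchanged: SELECTION_1 … SELECTION_5 …
SELECTION_6:
  User:
    - NT AUTHORITY\SYSTEM
    - '*AUT*'
    - '* NT*'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not (SELECTION_5 and SELECTION_6))
```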
diff --git a/rules/sigma/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
new file mode 100644
index 00000000..e72a8a6f
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_rdp_reverse_tunnel.yml
@@ -0,0 +1,41 @@
+
+title: RDP Over Reverse SSH Tunnel
+author: Samir Bousseaden
+date: 2019/02/16
+description: Detects svchost hosting RDP termsvcs communicating with the loopback
+ address and on TCP port 3389
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\svchost.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ SourcePort: 3389
+ SELECTION_5:
+ DestinationIp:
+ - 127.*
+ SELECTION_6:
+ DestinationIp:
+ - ::1
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- unknown
+id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/05/11
+references:
+- https://twitter.com/SBousseaden/status/1096148422984384514
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1572
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
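Review bot: SELECTION_6's `::1` is an unquoted plain scalar starting with `:`; YAML 1.2 parsers and PyYAML accept it in block context, but a value beginning with an indicator character is exactly the case to quote, and stricter tooling rejects it. Write `- '::1'` (and `- '127.*'` for symmetry with SELECTION_5). SELECTION_4 uses a bare integer `SourcePort: 3389` while several sibling rules in this change quote ports as strings; the rule set should settle on one typing.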
diff --git a/rules/sigma/windows/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/windows/network_connection/sysmon_regsvr32_network_activity.yml
new file mode 100644
index 00000000..8bba95c9
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_regsvr32_network_activity.yml
@@ -0,0 +1,37 @@
+
+title: Regsvr32 Network Activity
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\regsvr32.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: c7e91a02-d771-4a6d-a700-42587e0b1095
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
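Review bot: The description promises "network connections and DNS queries initiated by Regsvr32.exe", but the detection is only `EventID: 3`; DNS queries are Sysmon EventID 22 and would need a dns_query counterpart. Either trim the text to `description: Detects network connections initiated by Regsvr32.exe` or add that second rule. The rule also lacks the `Initiated: 'true'` clause that the comparable rundll32 and dllhost rules in this change apply, so inbound connections to a regsvr32 process will alert too.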
diff --git a/rules/sigma/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/windows/network_connection/sysmon_remote_powershell_session_network.yml
new file mode 100644
index 00000000..52bcf32d
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_remote_powershell_session_network.yml
@@ -0,0 +1,34 @@
+
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell connections by monitoring network outbound
+ connections to ports 5985 or 5986 from a non-network service account.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 5985
+ SELECTION_3:
+ DestinationPort: 5986
+ SELECTION_4:
+ User: NT AUTHORITY\NETWORK SERVICE
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
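Review bot: The description says the rule watches "network outbound connections to ports 5985 or 5986", but the selection has no `Initiated: 'true'` clause, so on a WinRM listener every inbound session (EventID 3 with Initiated false and DestinationPort 5985/5986) matches as well. Add `SELECTION_5:` with `Initiated: 'true'` to the conjunction, or reword the description to say both directions are covered. The single exclusion `User: NT AUTHORITY\NETWORK SERVICE` is the English-locale principal name only; the PowerShell Network Connections rule in this change appears to handle localized names with wildcard User patterns, and the same consideration applies here.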
diff --git a/rules/sigma/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/windows/network_connection/sysmon_rundll32_net_connections.yml
new file mode 100644
index 00000000..9f88bd02
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -0,0 +1,51 @@
+
+title: Rundll32 Internet Connection
+author: Florian Roth
+date: 2017/11/04
+description: Detects a rundll32 that communicates with public IP addresses
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIp:
+ - 10.*
+ - 192.168.*
+ - 172.16.*
+ - 172.17.*
+ - 172.18.*
+ - 172.19.*
+ - 172.20.*
+ - 172.21.*
+ - 172.22.*
+ - 172.23.*
+ - 172.24.*
+ - 172.25.*
+ - 172.26.*
+ - 172.27.*
+ - 172.28.*
+ - 172.29.*
+ - 172.30.*
+ - 172.31.*
+ - 127.*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+- attack.execution
diff --git a/rules/sigma/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
new file mode 100644
index 00000000..fe34a3c4
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@@ -0,0 +1,42 @@
+
+title: Suspicious Program Location with Network Connections
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs with network connections running in suspicious files
+ system locations
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image:
+ - '*\Users\All Users\\*'
+ - '*\Users\Default\\*'
+ - '*\Users\Public\\*'
+ - '*\Users\Contacts\\*'
+ - '*\Users\Searches\\*'
+ - '*\config\systemprofile\\*'
+ - '*\Windows\Fonts\\*'
+ - '*\Windows\IME\\*'
+ - '*\Windows\addins\\*'
+ SELECTION_3:
+ Image:
+ - '*\$Recycle.bin'
+ SELECTION_4:
+ Image:
+ - C:\Perflogs\\*
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
+level: high
+logsource:
+ category: network_connection
+ definition: Use the following config to generate the necessary Event ID 3 Network
+ Connection events
+ product: windows
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1105
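Review bot: SELECTION_3's `'*\$Recycle.bin'` has no trailing wildcard, unlike every entry in SELECTION_2 and SELECTION_4, so it matches only an Image whose full path ends in `\$Recycle.bin` — never an executable inside that folder — and the `SELECTION_3` branch is effectively dead. It should read `- '*\$Recycle.bin\\*'`. The `logsource.definition` text ("Use the following config to generate the necessary Event ID 3 Network Connection events") announces a config that is not present; either include the reference it points at or remove the key.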
diff --git a/rules/sigma/windows/network_connection/sysmon_susp_rdp.yml b/rules/sigma/windows/network_connection/sysmon_susp_rdp.yml
new file mode 100644
index 00000000..52d85c23
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_susp_rdp.yml
@@ -0,0 +1,51 @@
+
+title: Suspicious Outbound RDP Connections
+author: Markus Neis - Swisscom
+date: 2019/05/15
+description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
+ lateral movement
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 3389
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ Image:
+ - '*\mstsc.exe'
+ - '*\RTSApp.exe'
+ - '*\RTS2App.exe'
+ - '*\RDCMan.exe'
+ - '*\ws_TunnelService.exe'
+ - '*\RSSensor.exe'
+ - '*\RemoteDesktopManagerFree.exe'
+ - '*\RemoteDesktopManager.exe'
+ - '*\RemoteDesktopManager64.exe'
+ - '*\mRemoteNG.exe'
+ - '*\mRemote.exe'
+ - '*\Terminals.exe'
+ - '*\spiceworks-finder.exe'
+ - '*\FSDiscovery.exe'
+ - '*\FSAssessment.exe'
+ - '*\MobaRTE.exe'
+ - '*\chrome.exe'
+ - '*\thor.exe'
+ - '*\thor64.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other Remote Desktop RDP tools
+id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.001
+- attack.t1076
+- car.2013-07-002
diff --git a/rules/sigma/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 00000000..8d9c613b
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,38 @@
+
+title: Suspicious Outbound Kerberos Connection
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+ indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 88
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ Image:
+ - '*\lsass.exe'
+ - '*\opera.exe'
+ - '*\chrome.exe'
+ - '*\firefox.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Other browsers
+id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://github.com/GhostPack/Rubeus
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1558
+- attack.t1208
+- attack.lateral_movement
+- attack.t1550.003
+- attack.t1097
diff --git a/rules/sigma/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/windows/network_connection/sysmon_win_binary_github_com.yml
new file mode 100644
index 00000000..80024fbc
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_win_binary_github_com.yml
@@ -0,0 +1,37 @@
+
+title: Microsoft Binary Github Communication
+author: Michael Haag (idea), Florian Roth (rule)
+date: 2017/08/24
+description: Detects an executable in the Windows folder accessing github.com
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationHostname:
+ - '*.github.com'
+ - '*.githubusercontent.com'
+ SELECTION_4:
+ Image: C:\Windows\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+- '@subTee in your network'
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+- attack.exfiltration
+- attack.t1567.001
+- attack.t1048
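Review bot: The DestinationHostname patterns `'*.github.com'` and `'*.githubusercontent.com'` require a subdomain before the dot, so a resolved hostname of exactly `github.com` does not match; dropping the dot (`- '*github.com'`) — as the Microsoft Binary Suspicious Communication Endpoint rule in this change already does for `'*dl.dropboxusercontent.com'` — covers both the apex domain and subdomains. That sibling rule has the same gap for `'*.pastebin.com'` and `'*.githubusercontent.com'`. Since Sysmon's DestinationHostname comes from reverse resolution, the description should also note that CDN-fronted hosts may not resolve to these names at all.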
diff --git a/rules/sigma/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/windows/network_connection/sysmon_win_binary_susp_com.yml
new file mode 100644
index 00000000..2ba79e73
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_win_binary_susp_com.yml
@@ -0,0 +1,32 @@
+
+title: Microsoft Binary Suspicious Communication Endpoint
+author: Florian Roth
+date: 2018/08/30
+description: Detects an executable in the Windows folder accessing suspicious domains
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_3:
+ DestinationHostname:
+ - '*dl.dropboxusercontent.com'
+ - '*.pastebin.com'
+ - '*.githubusercontent.com'
+ SELECTION_4:
+ Image: C:\Windows\\*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+level: high
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
diff --git a/rules/sigma/windows/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/windows/network_connection/sysmon_wuauclt_network_connection.yml
new file mode 100644
index 00000000..78ff9b9b
--- /dev/null
+++ b/rules/sigma/windows/network_connection/sysmon_wuauclt_network_connection.yml
@@ -0,0 +1,27 @@
+
+title: Wuauclt Network Connection
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
+ proxy execute code and making a network connections. One could easily make the DLL
+ spawn a new process and inject to it to proxy the network connection and bypass
+ this rule.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*wuauclt*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of wuauclt.exe over the network.
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://dtm.uk/wuauclt/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
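Review bot: `Image: '*wuauclt*'` matches any path containing the substring, including unrelated binaries or directories that happen to be named after it, whereas the other rules in this change anchor on the file name. Narrowing it to `Image: '*\wuauclt.exe'` would cut false positives without losing the proxy-execution case the description targets; if a renamed copy is meant to be covered too, the description should say so explicitly. The bypass sentence in the description reads as a limitation rather than detection logic and fits better under falsepositives or a dedicated note.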
diff --git a/rules/sigma/windows/other/win_defender_amsi_trigger.yml b/rules/sigma/windows/other/win_defender_amsi_trigger.yml
new file mode 100644
index 00000000..c195f99c
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_amsi_trigger.yml
@@ -0,0 +1,25 @@
+
+title: Windows Defender AMSI Trigger Detected
+author: Bhabesh Raj
+date: 2020/09/14
+description: Detects triggering of AMSI by Windows Defender.
+detection:
+ SELECTION_1:
+ EventID: 1116
+ SELECTION_2:
+ Source Name: AMSI
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unlikely
+id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/08/06
+references:
+- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+status: stable
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/windows/other/win_defender_bypass.yml b/rules/sigma/windows/other/win_defender_bypass.yml
new file mode 100644
index 00000000..7d087d3d
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_bypass.yml
@@ -0,0 +1,33 @@
+
+title: Windows Defender Exclusion Set
+author: '@BarryShooshooga'
+date: 2019/10/26
+description: Detects scenarios where an windows defender exclusion was added in registry
+ where an entity would want to bypass antivirus scanning from windows defender
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ EventID: 4660
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Intended inclusions by administrator
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
+ Policy, Registry System Access Control (SACL): Auditing/User'
+ product: windows
+ service: security
+references:
+- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
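Review bot: This rule has no `status` key, while every other rule in this batch carries one (compare `status: experimental` on the rule above); downstream tooling that filters on status will silently drop it. The event set is also wider than the title and description claim: 4656 (handle requested), 4663 (object accessed) and 4660 (object deleted) fire on reads and deletions of the Exclusions key, not only on an exclusion being set, so either the description should say the key was "accessed, modified or deleted" or the selection should be narrowed to 4657 (value modified) if "exclusion added" is the intent. Suggest adding `status: experimental` and rewording the description accordingly.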
diff --git a/rules/sigma/windows/other/win_defender_disabled.yml b/rules/sigma/windows/other/win_defender_disabled.yml
new file mode 100644
index 00000000..27c285ee
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_disabled.yml
@@ -0,0 +1,31 @@
+
+title: Windows Defender Threat Detection Disabled
+author: Ján Trenčanský, frack113
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+ SELECTION_1:
+ EventID: 5001
+ SELECTION_2:
+ EventID: 5010
+ SELECTION_3:
+ EventID: 5012
+ SELECTION_4:
+ EventID: 5101
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Administrator actions
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/09/21
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/windows/other/win_defender_exclusions.yml b/rules/sigma/windows/other/win_defender_exclusions.yml
new file mode 100644
index 00000000..568a4d98
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_exclusions.yml
@@ -0,0 +1,26 @@
+
+title: Windows Defender Exclusions Added
+author: Christian Burkard
+date: 2021/07/06
+description: Detects the Setting of Windows Defender Exclusions
+detection:
+ SELECTION_1:
+ EventID: 5007
+ SELECTION_2:
+ New Value: '*\Microsoft\Windows Defender\Exclusions*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrator actions
+id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+level: medium
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/09/21
+references:
+- https://twitter.com/_nullbind/status/1204923340810543109
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/windows/other/win_defender_history_delete.yml b/rules/sigma/windows/other/win_defender_history_delete.yml
new file mode 100644
index 00000000..0328eb8f
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_history_delete.yml
@@ -0,0 +1,30 @@
+
+title: Windows Defender Malware Detection History Deletion
+author: Cian Heasley
+date: 2020/08/13
+description: Windows Defender logs when the history of detected infections is deleted.
+ Log file will contain the message "Windows Defender Antivirus has removed history
+ of malware and other potentially unwanted software".
+detection:
+ SELECTION_1:
+ EventID: 1013
+ SELECTION_2:
+ EventType: 4
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Deletion of Defender malware detections history for legitimate reasons
+fields:
+- EventID
+- EventType
+id: 2afe6582-e149-11ea-87d0-0242ac130003
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/05/30
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.001
diff --git a/rules/sigma/windows/other/win_defender_psexec_wmi_asr.yml b/rules/sigma/windows/other/win_defender_psexec_wmi_asr.yml
new file mode 100644
index 00000000..13818d8f
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_psexec_wmi_asr.yml
@@ -0,0 +1,32 @@
+
+title: PSExec and WMI Process Creations Block
+author: Bhabesh Raj
+date: 2020/07/14
+description: Detects blocking of process creations originating from PSExec and WMI
+ commands
+detection:
+ SELECTION_1:
+ EventID: 1121
+ SELECTION_2:
+ ProcessName:
+ - '*\wmiprvse.exe'
+ - '*\psexesvc.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
+level: high
+logsource:
+ definition: 'Requirements:Enabled Block process creations originating from PSExec
+ and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
+ product: windows_defender
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
+- https://twitter.com/duff22b/status/1280166329660497920
+status: experimental
+tags:
+- attack.execution
+- attack.lateral_movement
+- attack.t1047
+- attack.t1035
+- attack.t1569.002
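Review bot: The `logsource` block uses `product: windows_defender` with no `service` or `category`, whereas every other Defender rule in this batch uses `product: windows` plus `service: windefend` (see L13630–L13631). Backend logsource mappings keyed on windows/windefend will not apply to this rule, so it may be emitted without the channel or index filter the others get. Suggest `product: windows` and `service: windefend`, keeping the ASR-rule GUID note in `definition`.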
diff --git a/rules/sigma/windows/other/win_defender_tamper_protection_trigger.yml b/rules/sigma/windows/other/win_defender_tamper_protection_trigger.yml
new file mode 100644
index 00000000..5798cdf7
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_tamper_protection_trigger.yml
@@ -0,0 +1,28 @@
+
+title: Microsoft Defender Tamper Protection Trigger
+author: Bhabesh Raj
+date: 2021/07/05
+description: Detects block of attempt to disable real time protection of Microsoft
+ Defender by tamper protection
+detection:
+ SELECTION_1:
+ EventID: 5013
+ SELECTION_2:
+ Value:
+ - '*\Windows Defender\DisableAntiSpyware = 0x1()'
+ - '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+ condition: ((SELECTION_1) and SELECTION_2)
+falsepositives:
+- Administrator actions
+id: 49e5bc24-8b86-49f1-b743-535f332c2856
+level: critical
+logsource:
+ product: windows
+ service: windefend
+references:
+- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
diff --git a/rules/sigma/windows/other/win_defender_threat.yml b/rules/sigma/windows/other/win_defender_threat.yml
new file mode 100644
index 00000000..bd01bd2d
--- /dev/null
+++ b/rules/sigma/windows/other/win_defender_threat.yml
@@ -0,0 +1,28 @@
+
+title: Windows Defender Threat Detected
+author: Ján Trenčanský
+date: 2020/07/28
+description: Detects all actions taken by Windows Defender malware detection engines
+detection:
+ SELECTION_1:
+ EventID: 1006
+ SELECTION_2:
+ EventID: 1116
+ SELECTION_3:
+ EventID: 1015
+ SELECTION_4:
+ EventID: 1117
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- unlikely
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+level: high
+logsource:
+ product: windows
+ service: windefend
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+- attack.execution
+- attack.t1059
diff --git a/rules/sigma/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/sigma/windows/other/win_exchange_proxyshell_certificate_generation.yml
new file mode 100644
index 00000000..6e81d25a
--- /dev/null
+++ b/rules/sigma/windows/other/win_exchange_proxyshell_certificate_generation.yml
@@ -0,0 +1,34 @@
+
+title: Certificate Request Export to Exchange Webserver
+author: Max Altgelt
+date: 2021/08/23
+description: Detects a write of an Exchange CSR to an untypical directory or with
+ aspx name suffix which can be used to place a webshell
+detection:
+ SELECTION_1:
+ - New-ExchangeCertificate
+ SELECTION_2:
+ - ' -GenerateRequest'
+ SELECTION_3:
+ - ' -BinaryEncoded'
+ SELECTION_4:
+ - ' -RequestFile'
+ SELECTION_5:
+ - \\\\localhost\\C$
+ - \\\\127.0.0.1\\C$
+ - C:\\inetpub
+ - .aspx
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5))
+falsepositives:
+- unlikely
+id: b7bc7038-638b-4ffd-880c-292c692209ef
+level: critical
+logsource:
+ product: windows
+ service: msexchange-management
+references:
+- https://twitter.com/GossiTheDog/status/1429175908905127938
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.003
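Review bot: SELECTION_5 encodes the UNC path with doubled escaping (`\\\\localhost\\C$`, `\\\\127.0.0.1\\C$`), while the mailbox-export rule in the next hunk encodes the same path single-escaped (`-FilePath "\\localhost\C$`, L13948–L13949). Under Sigma's escaping rule, where `\\` expresses one literal backslash, these two spellings produce different match strings, and at most one of them can match the `\\localhost\C$` that appears in the MSExchange Management log. Pick one encoding for both rules and confirm it against the converter that produced this batch; the escaping of `C:\\inetpub` on L13913 should follow the same decision.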
diff --git a/rules/sigma/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/sigma/windows/other/win_exchange_proxyshell_mailbox_export.yml
new file mode 100644
index 00000000..ff00aace
--- /dev/null
+++ b/rules/sigma/windows/other/win_exchange_proxyshell_mailbox_export.yml
@@ -0,0 +1,38 @@
+
+title: Mailbox Export to Exchange Webserver
+author: Florian Roth, Rich Warren, Christian Burkard
+date: 2021/08/09
+description: Detects a successful export of an Exchange mailbox to untypical directory
+ or with aspx name suffix which can be used to place a webshell or the needed role
+ assignment for it
+detection:
+ SELECTION_1:
+ - New-MailboxExportRequest
+ SELECTION_2:
+ - ' -Mailbox '
+ SELECTION_3:
+ - -FilePath "\\localhost\C$
+ - -FilePath "\\127.0.0.1\C$
+ - .aspx
+ SELECTION_4:
+ - New-ManagementRoleAssignment
+ SELECTION_5:
+ - ' -Role "Mailbox Import Export"'
+ SELECTION_6:
+ - ' -User '
+ condition: (((SELECTION_1 and SELECTION_2) and (SELECTION_3)) or (SELECTION_4 and
+ SELECTION_5 and SELECTION_6))
+falsepositives:
+- unlikely
+id: 516376b4-05cd-4122-bae0-ad7641c38d48
+level: critical
+logsource:
+ product: windows
+ service: msexchange-management
+modified: 2021/08/11
+references:
+- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.003
diff --git a/rules/sigma/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/sigma/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
new file mode 100644
index 00000000..c2261028
--- /dev/null
+++ b/rules/sigma/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -0,0 +1,27 @@
+
+title: Remove Exported Mailbox from Exchange Webserver
+author: Christian Burkard
+date: 2021/08/27
+description: Detects removal of an exported Exchange mailbox which could be to cover
+ tracks from ProxyShell exploit
+detection:
+ SELECTION_1:
+ - Remove-MailboxExportRequest
+ SELECTION_2:
+ - ' -Identity '
+ SELECTION_3:
+ - ' -Confirm "False"'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
+level: high
+logsource:
+ product: windows
+ service: msexchange-management
+references:
+- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
diff --git a/rules/sigma/windows/other/win_exchange_transportagent_failed.yml b/rules/sigma/windows/other/win_exchange_transportagent_failed.yml
new file mode 100644
index 00000000..61c5afe1
--- /dev/null
+++ b/rules/sigma/windows/other/win_exchange_transportagent_failed.yml
@@ -0,0 +1,27 @@
+
+title: Failed MSExchange Transport Agent Installation
+author: Tobias Michalski
+date: 2021/06/08
+description: Detects a failed installation of a Exchange Transport Agent
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ - Install-TransportAgent
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
+ for this.
+fields:
+- AssemblyPath
+id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
+level: high
+logsource:
+ product: windows
+ service: msexchange-management
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.002
diff --git a/rules/sigma/windows/other/win_lateral_movement_condrv.yml b/rules/sigma/windows/other/win_lateral_movement_condrv.yml
new file mode 100644
index 00000000..313514f4
--- /dev/null
+++ b/rules/sigma/windows/other/win_lateral_movement_condrv.yml
@@ -0,0 +1,35 @@
+
+title: Lateral Movement Indicator ConDrv
+author: Janantha Marasinghe
+date: 2021/04/27
+description: This event was observed on the target host during lateral movement. The
+ process name within the event contains the process spawned post compromise. Account
+ Name within the event contains the compromised user account name. This event should
+ to be correlated with 4624 and 4688 for further intrusion context.
+detection:
+ SELECTION_1:
+ EventID: 4674
+ SELECTION_2:
+ ObjectServer: Security
+ SELECTION_3:
+ ObjectType: File
+ SELECTION_4:
+ ObjectName: \Device\ConDrv
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Penetration tests where lateral movement has occurred. This event will be created
+ on the target host.
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+level: high
+logsource:
+ product: windows
+ service: security
+references:
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+- https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+status: stable
+tags:
+- attack.lateral_movement
+- attack.execution
+- attack.t1021
+- attack.t1059
diff --git a/rules/sigma/windows/other/win_ldap_recon.yml b/rules/sigma/windows/other/win_ldap_recon.yml
new file mode 100644
index 00000000..1b33d585
--- /dev/null
+++ b/rules/sigma/windows/other/win_ldap_recon.yml
@@ -0,0 +1,81 @@
+
+title: LDAP Reconnaissance / Active Directory Enumeration
+author: Adeem Mawani
+date: 2021/06/22
+description: Detects possible Active Directory enumeration via LDAP
+detection:
+ SELECTION_1:
+ EventID: 30
+ SELECTION_2:
+ SearchFilter:
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483648)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483656)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483652)*'
+ - '*(groupType:1.2.840.113556.1.4.803:=2147483650)*'
+ - '*(sAMAccountType=805306369)*'
+ - '*(sAMAccountType=805306368)*'
+ - '*(sAMAccountType=536870913)*'
+ - '*(sAMAccountType=536870912)*'
+ - '*(sAMAccountType=268435457)*'
+ - '*(sAMAccountType=268435456)*'
+ - '*(objectCategory=groupPolicyContainer)*'
+ - '*(objectCategory=organizationalUnit)*'
+ - '*(objectCategory=Computer)*'
+ - '*(objectCategory=nTDSDSA)*'
+ - '*(objectCategory=server)*'
+ - '*(objectCategory=domain)*'
+ - '*(objectCategory=person)*'
+ - '*(objectCategory=group)*'
+ - '*(objectCategory=user)*'
+ - '*(objectClass=trustedDomain)*'
+ - '*(objectClass=computer)*'
+ - '*(objectClass=server)*'
+ - '*(objectClass=group)*'
+ - '*(objectClass=user)*'
+ - '*(primaryGroupID=521)*'
+ - '*(primaryGroupID=516)*'
+ - '*(primaryGroupID=515)*'
+ - '*(primaryGroupID=512)*'
+ - '*Domain Admins*'
+ SELECTION_3:
+ EventID: 30
+ SELECTION_4:
+ SearchFilter:
+ - '*(domainSid=*)*'
+ - '*(objectSid=*)*'
+ SELECTION_5:
+ EventID: 30
+ SELECTION_6:
+ SearchFilter:
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=4194304)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=2097152)*'
+ - '*!(userAccountControl:1.2.840.113556.1.4.803:=1048574)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=524288)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=65536)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=8192)*'
+ - '*(userAccountControl:1.2.840.113556.1.4.803:=544)*'
+ - '*!(UserAccountControl:1.2.840.113556.1.4.803:=2)*'
+ - '*msDS-AllowedToActOnBehalfOfOtherIdentity*'
+ - '*msDS-AllowedToDelegateTo*'
+ - '*(accountExpires=9223372036854775807)*'
+ - '*(accountExpires=0)*'
+ - '*(adminCount=1)*'
+ - '*ms-MCS-AdmPwd*'
+ condition: (((SELECTION_1 and SELECTION_2) and not (SELECTION_3 and SELECTION_4))
+ or (SELECTION_5 and SELECTION_6))
+id: 31d68132-4038-47c7-8f8e-635a39a7c174
+level: medium
+logsource:
+ category: ldap_query
+ definition: Requires Microsoft-Windows-LDAP-Client/Debug ETW logging
+ product: windows
+references:
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
+- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+- https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
+status: experimental
+tags:
+- attack.discovery
+- attack.t1069.002
+- attack.t1087.002
+- attack.t1482
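Review bot: The rule has no `falsepositives` key, unlike the other rules in this batch (compare L13595–L13596), and this detection needs one more than most: AD-integrated administrative consoles, inventory and monitoring agents routinely issue exactly these `objectCategory`/`sAMAccountType` filters, so an analyst receiving a medium alert has no guidance on what benign activity looks like. Suggest `falsepositives:` followed by `- Legitimate administrative, inventory or monitoring tools querying Active Directory`. Separately, SELECTION_3 and SELECTION_5 repeat `EventID: 30` from SELECTION_1, so the `not (SELECTION_3 and SELECTION_4)` clause reduces to `not SELECTION_4`; presumably converter output, but worth simplifying if the file is hand-maintained.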
diff --git a/rules/sigma/windows/other/win_pcap_drivers.yml b/rules/sigma/windows/other/win_pcap_drivers.yml
new file mode 100644
index 00000000..41f30ba2
--- /dev/null
+++ b/rules/sigma/windows/other/win_pcap_drivers.yml
@@ -0,0 +1,42 @@
+
+title: Windows Pcap Drivers
+author: Cian Heasley
+date: 2020/06/10
+description: Detects Windows Pcap driver installation based on a list of associated
+ .sys files.
+detection:
+ SELECTION_1:
+ EventID: 4697
+ SELECTION_2:
+ ServiceFileName:
+ - '*pcap*'
+ - '*npcap*'
+ - '*npf*'
+ - '*nm3*'
+ - '*ndiscap*'
+ - '*nmnt*'
+ - '*windivert*'
+ - '*USBPcap*'
+ - '*pktmon*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- ServiceFileName
+- Account_Name
+- Computer_Name
+- Originating_Computer
+- ServiceName
+id: 7b687634-ab20-11ea-bb37-0242ac130002
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+status: experimental
+tags:
+- attack.discovery
+- attack.credential_access
+- attack.t1040
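Review bot: In SELECTION_2 the entries `'*npcap*'` and `'*USBPcap*'` are already covered by `'*pcap*'` (Sigma string matching is case-insensitive), so they are dead entries, while `'*npf*'`, `'*nm3*'` and `'*nmnt*'` are three-to-four character substrings that will also match unrelated service file paths. Anchoring each entry on the driver file name, e.g. `'*\npf.sys'` and `'*\nm3.sys'`, keeps the intent of the description ("a list of associated .sys files") and removes the substring noise; WinDivert ships under more than one file name, so that entry may legitimately need a wildcard before `.sys`.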
diff --git a/rules/sigma/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/sigma/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
new file mode 100644
index 00000000..a4a4b044
--- /dev/null
+++ b/rules/sigma/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -0,0 +1,29 @@
+
+title: Zerologon Exploitation Using Well-known Tools
+author: Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community
+date: 2020/10/13
+description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472)
+ vulnerability using mimikatz zerologon module or other exploits from machine with
+ "kali" hostname.
+detection:
+ SELECTION_1:
+ EventID:
+ - '5805'
+ - '5723'
+ SELECTION_2:
+ - kali
+ - mimikatz
+ condition: (SELECTION_1 and (SELECTION_2))
+id: 18f37338-b9bd-4117-a039-280c81f7a596
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/05/30
+references:
+- https://www.secura.com/blog/zero-logon
+- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
+status: stable
+tags:
+- attack.t1210
+- attack.lateral_movement
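Review bot: SELECTION_1 quotes the event IDs as strings (`'5805'`, `'5723'`) while every other rule in this batch uses integers (compare `EventID: 1116` at L13621); depending on the backend, a string comparison against a numeric field can silently never match, which for a critical-level rule is the worst failure mode. Suggest `EventID:` with `- 5805` and `- 5723`. The rule also lacks a `falsepositives` key, and the keyword `kali` is a bare substring over the whole message, so any hostname or path containing it will trigger; a note such as `- Hosts or paths whose name contains the substring "kali"` would help triage.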
diff --git a/rules/sigma/windows/other/win_rare_schtask_creation.yml b/rules/sigma/windows/other/win_rare_schtask_creation.yml
new file mode 100644
index 00000000..2c57427f
--- /dev/null
+++ b/rules/sigma/windows/other/win_rare_schtask_creation.yml
@@ -0,0 +1,24 @@
+
+title: Rare Scheduled Task Creations
+author: Florian Roth
+date: 2017/03/17
+description: This rule detects rare scheduled task creations. Typically software gets
+ installed on multiple systems and not only on a few. The aggregation and count function
+ selects tasks with rare names.
+detection:
+ SELECTION_1:
+ EventID: 106
+ condition: SELECTION_1 | count() by TaskName < 5
+falsepositives:
+- Software installation
+id: b20f6158-9438-41be-83da-a5a16ac90c2b
+level: low
+logsource:
+ product: windows
+ service: taskscheduler
+status: experimental
+tags:
+- attack.persistence
+- attack.t1053
+- attack.s0111
+- attack.t1053.005
diff --git a/rules/sigma/windows/other/win_security_wmi_persistence.yml b/rules/sigma/windows/other/win_security_wmi_persistence.yml
new file mode 100644
index 00000000..8d6da1ba
--- /dev/null
+++ b/rules/sigma/windows/other/win_security_wmi_persistence.yml
@@ -0,0 +1,34 @@
+
+title: WMI Persistence
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+description: Detects suspicious WMI event filter and command line event consumer based
+ on WMI and Security Logs.
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: WMI Namespace
+ SELECTION_3:
+ ObjectName: '*subscription*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: f033f3f3-fd24-4995-97d8-a3bb17550a88
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/21
+references:
+- https://twitter.com/mattifestation/status/899646620148539397
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+related:
+- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1084
+- attack.t1546.003
diff --git a/rules/sigma/windows/other/win_system_defender_disabled.yml b/rules/sigma/windows/other/win_system_defender_disabled.yml
new file mode 100644
index 00000000..95c99955
--- /dev/null
+++ b/rules/sigma/windows/other/win_system_defender_disabled.yml
@@ -0,0 +1,32 @@
+
+title: Windows Defender Threat Detection Disabled
+author: Ján Trenčanský, frack113
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+ SELECTION_1:
+ EventID: 7036
+ SELECTION_2:
+ - Windows Defender Antivirus Service
+ SELECTION_3:
+ - stopped
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrator actions
+id: 6c0a7755-6d31-44fa-80e1-133e57752680
+level: high
+logsource:
+ category: system
+ product: windows
+modified: 2021/09/21
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+related:
+- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
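Review bot: The `logsource` uses `category: system` (L14344), whereas the other System-event-log rules in this batch use `service: system` (L14241, L14394); `system` is not a standard Sigma category, so backend mappings for the Windows System channel will not resolve for this rule. Suggest `service: system`. The rule also reuses the title `Windows Defender Threat Detection Disabled` from the windefend rule it is marked as derived from (L13685); the `related` link is correct, but an identical title across two rules with different log sources complicates triage, so a title such as `Windows Defender Antivirus Service Stopped` would better describe what this one matches.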
diff --git a/rules/sigma/windows/other/win_tool_psexec.yml b/rules/sigma/windows/other/win_tool_psexec.yml
new file mode 100644
index 00000000..716d9d1c
--- /dev/null
+++ b/rules/sigma/windows/other/win_tool_psexec.yml
@@ -0,0 +1,41 @@
+
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ ServiceName: PSEXESVC
+ SELECTION_2:
+ EventID: 7045
+ SELECTION_3:
+ ServiceFileName: '*\PSEXESVC.exe'
+ SELECTION_4:
+ EventID: 7036
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+level: low
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
diff --git a/rules/sigma/windows/other/win_wmi_persistence.yml b/rules/sigma/windows/other/win_wmi_persistence.yml
new file mode 100644
index 00000000..12064004
--- /dev/null
+++ b/rules/sigma/windows/other/win_wmi_persistence.yml
@@ -0,0 +1,35 @@
+
+title: WMI Persistence
+author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+date: 2017/08/22
+description: Detects suspicious WMI event filter and command line event consumer based
+ on WMI and Security Logs.
+detection:
+ SELECTION_1:
+ EventID: 5861
+ SELECTION_2:
+ - ActiveScriptEventConsumer
+ - CommandLineEventConsumer
+ - CommandLineTemplate
+ SELECTION_3:
+ EventID: 5859
+ condition: ((SELECTION_1 and (SELECTION_2)) or SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
+level: medium
+logsource:
+ definition: WMI Namespaces Auditing and SACL should be configured, EventID 5861
+ and 5859 detection requires Windows 10, 2012 and higher
+ product: windows
+ service: wmi
+modified: 2021/09/21
+references:
+- https://twitter.com/mattifestation/status/899646620148539397
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1084
+- attack.t1546.003
diff --git a/rules/sigma/windows/pipe_created/pipe_created_tool_psexec.yml b/rules/sigma/windows/pipe_created/pipe_created_tool_psexec.yml
new file mode 100644
index 00000000..7d107cc6
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/pipe_created_tool_psexec.yml
@@ -0,0 +1,42 @@
+
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSEXESVC
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
+level: low
+logsource:
+ category: pipe_created
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
diff --git a/rules/sigma/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/sigma/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
new file mode 100644
index 00000000..9bef3ed3
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -0,0 +1,38 @@
+
+title: Alternate PowerShell Hosts Pipe
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSHost*
+ SELECTION_4:
+ Image:
+ - '*\powershell.exe'
+ - '*\powershell_ise.exe'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and not (SELECTION_4))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter.
+fields:
+- ComputerName
+- User
+- Image
+- PipeName
+id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
+level: medium
+logsource:
+ category: pipe_created
+ product: windows
+modified: 2019/11/10
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/windows/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/sigma/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
new file mode 100644
index 00000000..92b3e043
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_apt_turla_namedpipes.yml
@@ -0,0 +1,31 @@
+
+title: Turla Group Named Pipes
+author: Markus Neis
+date: 2017/11/06
+description: Detects a named pipe used by Turla group samples
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - \atctl
+ - \userpipe
+ - \iehelper
+ - \sdlrpc
+ - \comnap
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 739915e4-1e70-4778-8b8a-17db02f66db1
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for PipeEvents in Symson config
+ product: windows
+references:
+- Internal Research
+status: experimental
+tags:
+- attack.g0010
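Review bot: The `definition` on L14568 misspells the tool name (`Symson config`); the sibling rule at L14643 has the correct wording, so suggest `definition: Note that you have to configure logging for PipeEvents in Sysmon config`. The tag list carries only the group tag `attack.g0010` with no tactic or technique, so this rule will be missing from any technique-based coverage view; a tactic/technique pair consistent with the other pipe rules in this batch should be added once the author confirms the intended mapping.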
diff --git a/rules/sigma/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/sigma/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
new file mode 100644
index 00000000..964ae1f2
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml
@@ -0,0 +1,35 @@
+
+title: Cred Dump-Tools Named Pipes
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Detects well-known credential dumping tools execution via specific named
+ pipes
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - '*\lsadump*'
+ - '*\cachedump*'
+ - '*\wceservicepipe*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
+level: critical
+logsource:
+ category: pipe_created
+ product: windows
+modified: 2020/08/28
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
diff --git a/rules/sigma/windows/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/sigma/windows/pipe_created/sysmon_efspotato_namedpipe.yml
new file mode 100644
index 00000000..377d9980
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_efspotato_namedpipe.yml
@@ -0,0 +1,31 @@
+
+title: EfsPotato Named Pipe
+author: Florian Roth
+date: 2021/08/23
+description: Detects the pattern of a pipe name as used by the tool EfsPotato
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - '*\pipe\\*'
+ - '*\pipe\srvsvc*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for PipeEvents in Sysmon config
+ product: windows
+references:
+- https://twitter.com/SBousseaden/status/1429530155291193354?s=20
+- https://github.com/zcgonvh/EfsPotato
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike.yml
new file mode 100644
index 00000000..6da4dde1
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -0,0 +1,46 @@
+
+title: CobaltStrike Named Pipe
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/25
+description: Detects the creation of a named pipe as used by CobaltStrike
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: '*\MSSE-*'
+ SELECTION_4:
+ PipeName: '*-server*'
+ SELECTION_5:
+ PipeName: \postex_*
+ SELECTION_6:
+ PipeName: \postex_ssh_*
+ SELECTION_7:
+ PipeName: \status_*
+ SELECTION_8:
+ PipeName: \msagent_*
+ condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 and SELECTION_4) or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). In the current popular sysmon configuration
+ (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have
+ to add it yourself or use this extended version that logs the Named Pipes used
+ in this Sigma repo (https://github.com/Neo23x0/sysmon-config)
+ product: windows
+references:
+- https://twitter.com/d4rksystem/status/1357010969264873472
+- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+- https://github.com/Neo23x0/sigma/issues/253
+- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
new file mode 100644
index 00000000..85900e8e
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@@ -0,0 +1,75 @@
+
+title: CobaltStrike Named Pipe Pattern Regex
+author: Florian Roth
+date: 2021/07/30
+description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
+ Malleable C2 profiles
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_10:
+ PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
+ SELECTION_11:
+ PipeName|re: \\\\scerpc_?[0-9a-f]{2}
+ SELECTION_12:
+ PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
+ SELECTION_13:
+ PipeName|re: \\\\MsFteWds[0-9a-f]{2}
+ SELECTION_14:
+ PipeName|re: \\\\f4c3[0-9a-f]{2}
+ SELECTION_15:
+ PipeName|re: \\\\fullduplex_[0-9a-f]{2}
+ SELECTION_16:
+ PipeName|re: \\\\msrpc_[0-9a-f]{4}
+ SELECTION_17:
+ PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
+ SELECTION_18:
+ PipeName|re: \\\\f53f[0-9a-f]{2}
+ SELECTION_19:
+ PipeName|re: \\\\rpc_[0-9a-f]{2}
+ SELECTION_2:
+ EventID: 18
+ SELECTION_20:
+ PipeName|re: \\\\spoolss_[0-9a-f]{2}
+ SELECTION_21:
+ PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
+ SELECTION_3:
+ PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
+ SELECTION_4:
+ PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
+ SELECTION_5:
+ PipeName|re: \\\\ntsvcs[0-9a-f]{2}
+ SELECTION_6:
+ PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
+ SELECTION_7:
+ PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
+ SELECTION_8:
+ PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
+ SELECTION_9:
+ PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
+ SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
+ SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or
+ SELECTION_21))
+falsepositives:
+- Unknown
+id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). In the current popular sysmon configuration
+ (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have
+ to add it yourself or use this extended version that logs the Named Pipes used
+ in this Sigma repo (https://github.com/Neo23x0/sysmon-config)
+ product: windows
+modified: 2021/09/02
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
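Review bot: Each `PipeName|re` value is an unquoted plain scalar, so YAML hands the backend the four backslashes unchanged and the regex `\\\\` matches two literal backslash characters, while the plain-match siblings in this section (`\postex_*`, `\PSHost*`) show Sysmon's PipeName carrying a single leading backslash. Whether this is the intended encoding depends on how the target backend re-escapes regex values; it should be checked against a rendered query, and the choice documented once above `SELECTION_10` with a comment such as `# four backslashes: value is re-escaped by the backend, matches one literal backslash`. None of the patterns is anchored with `$`, so `[0-9a-f]{2}` also matches longer names, which is presumably intended but worth a comment as well.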
diff --git a/rules/sigma/windows/pipe_created/sysmon_mal_namedpipes.yml b/rules/sigma/windows/pipe_created/sysmon_mal_namedpipes.yml
new file mode 100644
index 00000000..ee7b2a27
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_mal_namedpipes.yml
@@ -0,0 +1,49 @@
+
+title: Malicious Named Pipe
+author: Florian Roth, blueteam0ps
+date: 2017/11/06
+description: Detects the creation of a named pipe used by known APT malware
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - \isapi_http
+ - \isapi_dg
+ - \isapi_dg2
+ - \sdlrpc
+ - \ahexec
+ - \winsession
+ - \lsassw
+ - \46a676ab7f179e511e30dd2dc41bd388
+ - \9f81f59bc58452127884ce513865ed20
+ - \e710f28d59aa529d6792ca6ff0ca1b34
+ - \rpchlp_3
+ - \NamePipe_MoreWindows
+ - \pcheap_reuse
+ - \gruntsvc
+ - \583da945-62af-10e8-4902-a8f205c72b2e
+ - \bizkaz
+ - \svcctl
+ - \Posh*
+ - \jaccdpqnvbrrxlaf
+ - \csexecsvc
+ - \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for PipeEvents in Sysmon config
+ product: windows
+references:
+- Various sources
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
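Review bot: `references: - Various sources` gives a responder nothing to go on for a `level: critical` rule whose indicators include opaque hash-like pipe names such as `\46a676ab7f179e511e30dd2dc41bd388` and `\583da945-62af-10e8-4902-a8f205c72b2e`. Each entry in `SELECTION_3` should be traceable to a report, either as a real URL in `references` or as an inline comment above the value naming the malware family it is attributed to. The `\Posh*` prefix wildcard is broader than the exact names around it and deserves its own `falsepositives` entry rather than the single `Unknown`.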
diff --git a/rules/sigma/windows/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/sigma/windows/pipe_created/sysmon_powershell_execution_pipe.yml
new file mode 100644
index 00000000..d0b1567f
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_powershell_execution_pipe.yml
@@ -0,0 +1,26 @@
+
+title: T1086 PowerShell Execution
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects execution of PowerShell
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSHost*
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
+level: informational
+logsource:
+ category: pipe_created
+ product: windows
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
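Review bot: The title carries the retired ATT&CK id T1086 while the tags correctly use `attack.t1059.001` (its replacement), so the title should drop the id, e.g. `title: PowerShell Host Named Pipe Creation`. The same retired id survives as an `attack.t1086` tag in several powershell_classic and powershell_module rules later in this section (alternate hosts, remote session, suspicious download, downgrade, version mismatch, renamed, XOR, bad opsec) and in `attack.t1028` in the remote-session rule; those tags are redundant next to the current ids. The description `Detects execution of PowerShell` also understates what is matched; `Detects creation of a PSHost* named pipe, which PowerShell hosts open on startup` reflects `SELECTION_3`.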
diff --git a/rules/sigma/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/sigma/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml
new file mode 100644
index 00000000..eb11448d
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml
@@ -0,0 +1,31 @@
+
+title: PsExec Pipes Artifacts
+author: Nikita Nazarov, oscd.community
+date: 2020/05/10
+description: Detecting use PsExec via Pipe Creation/Access to pipes
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - psexec*
+ - paexec*
+ - remcom*
+ - csexec*
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Legitimate Administrator activity
+id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+level: medium
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for PipeEvents in Symson config
+ product: windows
+references:
+- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
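Review bot: The `PipeName` values in `SELECTION_3` lack the leading backslash that every other pipe rule in this section uses (`\PSHost*`, `\isapi_http`), so with Sigma's anchored plain matching `psexec*` only matches a name that starts with `psexec`, which Sysmon's `\`-prefixed PipeName never does; in addition, PsExec's service pipe is named `PSEXESVC`, which `psexec*` would not match even without the prefix problem. Unless the backend is known to treat these as contains-matches, the values should be `\PSEXESVC*`, `\paexec*`, `\remcom*`, `\csexec*`. The `definition` line also misspells the tool as `Symson`; it should read `Note that you have to configure logging for PipeEvents in Sysmon config`.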
diff --git a/rules/sigma/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/sigma/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
new file mode 100644
index 00000000..7715b1ee
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
@@ -0,0 +1,37 @@
+
+title: ADFS Database Named Pipe Connection
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2021/10/08
+description: Detects suspicious local connections via a named pipe to the AD FS configuration
+ database (Windows Internal Database). Used to access information such as the AD
+ FS configuration settings which contains sensitive information used to sign SAML
+ tokens.
+detection:
+ SELECTION_1:
+ PipeName: \MICROSOFT##WID\tsql\query
+ SELECTION_2:
+ Image:
+ - '*Microsoft.IdentityServer.ServiceHost.exe'
+ - '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+ - '*AzureADConnect.exe'
+ - '*Microsoft.Tri.Sensor.exe'
+ - '*wsmprovhost.exe'
+ - '*mmc.exe'
+ - '*sqlservr.exe'
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- Processes in the filter condition
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+level: critical
+logsource:
+ product: windows
+ service: pipe_connected
+modified: 2021/10/08
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+- https://o365blog.com/post/adfs/
+- https://github.com/Azure/SimuLand
+status: experimental
+tags:
+- attack.collection
+- attack.t1005
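Review bot: The logsource is `service: pipe_connected` while the sibling rules in this directory use `category: pipe_created`, and unlike them this rule has no `EventID` selection, so a backend configuration with no mapping for that service name would render a query on `PipeName` alone across every Windows event. Aligning it with the siblings (`category: pipe_created`, or adding an `EventID: 18` selection if only PipeConnected is wanted) makes the scope explicit. The exclusion in `SELECTION_2` matches only on the trailing file name (`'*mmc.exe'`, `'*sqlservr.exe'`), so it is only as strong as the name; anchoring the entries on their expected install paths would tighten the filter.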
diff --git a/rules/sigma/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/sigma/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
new file mode 100644
index 00000000..9783bdd7
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -0,0 +1,73 @@
+
+title: CobaltStrike Named Pipe Patterns
+author: Florian Roth, Christian Burkard
+date: 2021/07/30
+description: Detects the creation of a named pipe with a pattern found in CobaltStrike
+ malleable C2 profiles
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName:
+ - \mojo.5688.8052.183894939787088877*
+ - \mojo.5688.8052.35780273329370473*
+ - \mypipe-f*
+ - \mypipe-h*
+ - \ntsvcs*
+ - \scerpc*
+ - \win_svc*
+ - \spoolss*
+ - \msrpc_*
+ - \win\msrpc_*
+ - \wkssvc*
+ - \f53f*
+ - \windows.update.manager*
+ - \SearchTextHarvester*
+ - \DserNamePipe*
+ - \PGMessagePipe*
+ - \MsFteWds*
+ - \f4c3*
+ - \fullduplex_*
+ - \rpc_*
+ SELECTION_4:
+ PipeName:
+ - \demoagent_11
+ - \demoagent_22
+ SELECTION_5:
+ PipeName: \Winsock2\CatalogChangeListener-*
+ SELECTION_6:
+ PipeName: '*-0,'
+ SELECTION_7:
+ PipeName:
+ - \wkssvc
+ - \spoolss
+ - \scerpc
+ - \ntsvcs
+ - \SearchTextHarvester
+ - \PGMessagePipe
+ - \MsFteWds
+ condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 or SELECTION_4) or (SELECTION_5
+ and SELECTION_6)) and not (SELECTION_7))
+falsepositives:
+- Chrome instances using the exactly same name pipe named mojo.something
+id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
+level: high
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). In the current popular sysmon configuration
+ (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have
+ to add it yourself or use this extended version that logs the Named Pipes used
+ in this Sigma repo (https://github.com/Neo23x0/sysmon-config)
+ product: windows
+modified: 2021/08/26
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
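Review bot: The two `\mojo.5688.8052.*` entries in `SELECTION_3` end in an unbounded wildcard, which is exactly why the `falsepositives` entry has to call out Chrome's mojo pipes; the companion regex rule in this section (`sysmon_mal_cobaltstrike_re.yml`) bounds the same prefix with `[0-9a-f]{2}`. Either drop these two entries here and rely on the regex rule, or note the overlap in a comment above them, e.g. `# unbounded on purpose; bounded variant in sysmon_mal_cobaltstrike_re.yml`. The `SELECTION_7` exclusion of bare `\ntsvcs`, `\wkssvc` etc. is a good guard and would benefit from a one-line comment saying these are the legitimate RPC endpoint names the wildcards would otherwise swallow.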
diff --git a/rules/sigma/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/sigma/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
new file mode 100644
index 00000000..25709e5f
--- /dev/null
+++ b/rules/sigma/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
@@ -0,0 +1,28 @@
+
+title: WMI Event Consumer Created Named Pipe
+author: Florian Roth
+date: 2021/09/01
+description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ Image: '*\scrcons.exe'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
+level: high
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). In the current popular sysmon configuration
+ (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have
+ to add it yourself or use this extended version that logs the Named Pipes used
+ in this Sigma repo (https://github.com/Neo23x0/sysmon-config)
+ product: windows
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
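Review bot: This rule is the only one in the section without a `tags` block, so it will not surface in ATT&CK-based coverage views; `attack.persistence` and `attack.t1546.003` (WMI event subscription) fit a detection keyed on `scrcons.exe`, the WMI script consumer host. A `level: high` rule with `falsepositives: Unknown` also deserves at least a sentence on what benign `scrcons.exe` pipe activity looks like in the author's environment, if any was observed.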
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
new file mode 100644
index 00000000..3cdd5505
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
@@ -0,0 +1,35 @@
+
+title: Alternate PowerShell Hosts
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostApplication: '*'
+ SELECTION_3:
+ HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter
+- MSP Detection Searcher
+- Citrix ConfigSync.ps1
+id: d7326048-328b-4d5e-98af-86e84b17c765
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+related:
+- id: 64e8e417-c19a-475a-8d19-98ea705394cc
+ type: derived
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
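Review bot: The `SELECTION_3` exclusion covers only the 64-bit host path, so the legitimate 32-bit host `C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` will fire this rule; add it as a second list value under `HostApplication:`. The same single-path exclusion appears in `powershell_renamed_powershell.yml` later in this section. The logsource `definition: fields have to be extract from event`, repeated across all powershell-classic rules here, should read `fields have to be extracted from the event message`.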
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_powercat.yml
new file mode 100644
index 00000000..3e90e6d1
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_powercat.yml
@@ -0,0 +1,34 @@
+
+title: Netcat The Powershell Version
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication
+ between host and C2 server or among infected hosts within a network
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostApplication:
+ - '*powercat *'
+ - '*powercat.ps1*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c5b20776-639a-49bf-94c7-84f912b91c15
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/07
+references:
+- https://nmap.org/ncat/
+- https://github.com/besimorhino/powercat
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+related:
+- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+ type: derived
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1095
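Review bot: The `description` is the ATT&CK T1095 technique text rather than a statement of what the rule matches, which is a `HostApplication` containing `powercat ` or `powercat.ps1`. Replace it with something like `Detects invocation of the powercat PowerShell netcat script via the PowerShell host application command line`, and keep the technique wording in `references`/`tags` where it already is.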
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
new file mode 100644
index 00000000..0efa8ae3
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
@@ -0,0 +1,35 @@
+
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects remote PowerShell sessions
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostName: ServerRemoteHost
+ SELECTION_3:
+ HostApplication: '*wsmprovhost.exe*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use remote PowerShell sessions
+id: 60167e5c-84b2-4c95-a7ac-86281f27c445
+level: high
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+related:
+- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
+ type: derived
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
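Review bot: The tags list both the current ids (`attack.t1059.001`, `attack.t1021.006`) and their retired predecessors (`attack.t1086`, `attack.t1028`); the retired pair is redundant and should be removed so downstream ATT&CK mappings do not double-count. The `falsepositives` entry reads `Legitimate use remote PowerShell sessions` and should be `Legitimate use of remote PowerShell sessions`.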
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..6cf210da
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
@@ -0,0 +1,40 @@
+
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+ that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+ SELECTION_1:
+ HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+ SELECTION_2:
+ HostApplication:
+ - '*-ModuleName *'
+ - '*-ModulePath *'
+ - '*-ScriptBlock *'
+ - '*-RemoteFXvGPUDisablementFilePath*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: f65e22f9-819e-4f96-9c7b-498364ae7a25
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+related:
+- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
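Review bot: The `fields` block lists `CommandLine` and `ParentCommandLine`, which are process-creation fields; the detection here matches on `HostApplication` from the powershell-classic event, and the sibling rule `powershell_delete_volume_shadow_copies.yml` in this section correctly lists `- HostApplication`. Replace the four entries with `- HostApplication` (plus `- ComputerName` if the backend exposes it for this log source) so the suggested display fields exist in the matched events.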
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
new file mode 100644
index 00000000..0effda91
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
@@ -0,0 +1,34 @@
+
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ HostApplication: '*Compress-Archive *'
+ SELECTION_2:
+ HostApplication: '* -Path *'
+ SELECTION_3:
+ HostApplication: '* -DestinationPath *'
+ SELECTION_4:
+ HostApplication: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 71ff406e-b633-4989-96ec-bc49d825a412
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
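Review bot: The `description` is an imperative sentence describing the staging action itself rather than what the rule detects; it should state the observable, e.g. `Detects Compress-Archive invocations whose -DestinationPath points into $env:TEMP, a staging pattern seen before exfiltration`. The `'* -Path *'` and `'* -DestinationPath *'` patterns rely on a leading space, so a short comment above `SELECTION_2` noting that the space is intentional (to avoid matching `-LiteralPath`-style prefixes) would save the next reader from "fixing" it.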
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml
new file mode 100644
index 00000000..86fec49a
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml
@@ -0,0 +1,32 @@
+
+title: Suspicious PowerShell Download
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostApplication: '*System.Net.WebClient*'
+ SELECTION_3:
+ HostApplication: '*.DownloadFile(*'
+ SELECTION_4:
+ HostApplication: '*.DownloadString(*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/09/21
+related:
+- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
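Review bot: This rule has no `references` block, unlike every other rule in this section; since it is marked `related` to `65531a81-a694-4e31-ae04-f8ba5bc33759` as `derived`, the parent's references should be carried over here. The `attack.t1086` tag is the retired predecessor of `attack.t1059.001`, which is already present, and can be dropped.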
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
new file mode 100644
index 00000000..bf046280
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
@@ -0,0 +1,37 @@
+
+title: Delete Volume Shadow Copies Via WMI With PowerShell
+author: frack113
+date: 2021/06/03
+description: Shadow Copies deletion using operating systems utilities via PowerShell
+detection:
+ SELECTION_1:
+ HostApplication: '*Get-WmiObject*'
+ SELECTION_2:
+ HostApplication: '* Win32_Shadowcopy*'
+ SELECTION_3:
+ HostApplication:
+ - '*Delete()*'
+ - '*Remove-WmiObject*'
+ SELECTION_4:
+ EventID: 400
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate Administrator deletes Shadow Copies using operating systems utilities
+ for legitimate reason
+fields:
+- HostApplication
+id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
+level: critical
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/28
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
+- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+status: experimental
+tags:
+- attack.impact
+- attack.t1490
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_downgrade_attack.yml
new file mode 100644
index 00000000..7abf18f6
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_downgrade_attack.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell Downgrade Attack
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+description: Detects PowerShell downgrade attack by comparing the host versions with
+ the actually used engine version 2.0
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ EngineVersion: 2.*
+ SELECTION_3:
+ HostVersion: 2.*
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Penetration Test
+- Unknown
+id: 6331d09b-4785-4c13-980f-f96661356249
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+references:
+- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml
new file mode 100644
index 00000000..1ca34713
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml
@@ -0,0 +1,34 @@
+
+title: PowerShell Called from an Executable Version Mismatch
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects PowerShell called from an executable by the version mismatch
+ method
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ EngineVersion:
+ - 2.*
+ - 4.*
+ - 5.*
+ SELECTION_3:
+ HostVersion: 3.*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Penetration Tests
+- Unknown
+id: c70e019b-1479-4b65-b0cc-cd0c6093a599
+level: high
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_renamed_powershell.yml
new file mode 100644
index 00000000..1dc14c8d
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_renamed_powershell.yml
@@ -0,0 +1,31 @@
+
+title: Renamed Powershell Under Powershell Channel
+author: Harish Segar, frack113
+date: 2020/06/29
+description: Detects renamed powershell
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostName: ConsoleHost
+ SELECTION_3:
+ HostApplication:
+ - powershell.exe*
+ - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
+level: low
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/18
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
new file mode 100644
index 00000000..8c790814
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
@@ -0,0 +1,33 @@
+
+title: Tamper Windows Defender
+author: frack113
+date: 2021/06/07
+description: Attempting to disable scheduled scanning and other parts of windows defender
+ atp.
+detection:
+ SELECTION_1:
+ EventID: 600
+ SELECTION_2:
+ HostApplication: '*Set-MpPreference*'
+ SELECTION_3:
+ HostApplication:
+ - '*-DisableRealtimeMonitoring 1*'
+ - '*-DisableBehaviorMonitoring 1*'
+ - '*-DisableScriptScanning 1*'
+ - '*-DisableBlockAtFirstSeen 1*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+level: high
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
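Review bot: The `description` says `windows defender atp`, but `Set-MpPreference` configures Microsoft Defender Antivirus, not Defender for Endpoint; `Attempts to disable real-time, behavior, script and block-at-first-seen protection in Microsoft Defender Antivirus via Set-MpPreference` matches what `SELECTION_3` checks. Each flag in `SELECTION_3` is matched only with a trailing literal ` 1`, while these parameters are booleans whose documented spelling is `$true`, so the list should carry both spellings for each flag or the rule will miss the canonical form.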
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
new file mode 100644
index 00000000..113645d7
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
@@ -0,0 +1,31 @@
+
+title: Suspicious Non PowerShell WSMAN COM Provider
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
+ the host application.
+detection:
+ SELECTION_1:
+ ProviderName: WSMan
+ SELECTION_2:
+ HostApplication: '*powershell*'
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- Unknown
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/30
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003
diff --git a/rules/sigma/windows/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/sigma/windows/powershell/powershell_classic/powershell_xor_commandline.yml
new file mode 100644
index 00000000..8cd5062f
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_classic/powershell_xor_commandline.yml
@@ -0,0 +1,31 @@
+
+title: Suspicious XOR Encoded PowerShell Command Line
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/06/29
+description: Detects suspicious powershell process which includes bxor command, alternative
+ obfuscation method to b64 encoded commands.
+detection:
+ SELECTION_1:
+ EventID: 400
+ SELECTION_2:
+ HostName: ConsoleHost
+ SELECTION_3:
+ HostApplication:
+ - '*bxor*'
+ - '*join*'
+ - '*char*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/28
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
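Review bot: `SELECTION_3` is a YAML list under a single field, which Sigma evaluates as OR, so any console command line containing `join` or `char` alone fires this rule, although the description says the rule is about the `bxor` obfuscation pattern that uses all three together. Change the key to `HostApplication|contains|all:` and list the three terms without wildcards (`- bxor`, `- join`, `- char`) so all must be present. The rule also has no `references` block, unlike its siblings in this section.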
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/sigma/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
new file mode 100644
index 00000000..6448f538
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -0,0 +1,32 @@
+
+title: Alternate PowerShell Hosts
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ ContextInfo: '*'
+ SELECTION_3:
+ ContextInfo: '*powershell.exe*'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter
+- MSP Detection Searcher
+- Citrix ConfigSync.ps1
+id: 64e8e417-c19a-475a-8d19-98ea705394cc
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/09/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/sigma/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
new file mode 100644
index 00000000..9099136d
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -0,0 +1,42 @@
+
+title: Bad Opsec Powershell Code Artifacts
+author: ok @securonix invrep_de, oscd.community
+date: 2020/10/09
+description: Focuses on trivial artifacts observed in variants of prevalent offensive
+ ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
+ Powersploit, and other attack payloads that often undergo minimal changes by attackers
+ due to bad opsec.
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload:
+ - '*$DoIt*'
+ - '*harmj0y*'
+ - '*mattifestation*'
+ - '*_RastaMouse*'
+ - '*tifkin_*'
+ - '*0xdeadbeef*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
+ of high specificity, fp appears to be fairly limited in many environments.
+id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
+level: critical
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
+- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
+- https://www.mdeditor.tw/pl/pgRt
+related:
+- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/sigma/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
new file mode 100644
index 00000000..80fb93d2
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -0,0 +1,42 @@
+
+title: Clear PowerShell History
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+description: Detects keywords that could indicate clearing PowerShell history
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload:
+ - '*del*'
+ - '*Remove-Item*'
+ - '*rm*'
+ SELECTION_3:
+ Payload: '*(Get-PSReadlineOption).HistorySavePath*'
+ SELECTION_4:
+ Payload: '*Set-PSReadlineOption*'
+ SELECTION_5:
+ Payload: '*–HistorySaveStyle*'
+ SELECTION_6:
+ Payload: '*SaveNothing*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- Legitimate PowerShell scripts
+id: f99276ad-d122-4989-a09a-d00904a5f9d2
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2020/11/28
+references:
+- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+related:
+- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.003
+- attack.t1146
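Review bot: `Payload: '*–HistorySaveStyle*'` in SELECTION_5 uses an en dash (U+2013) rather than the ASCII hyphen, so that branch only matches payloads typed with a typographic dash; since the parameter is normally written `-HistorySaveStyle`, the `Set-PSReadlineOption` half of the condition will miss ordinary invocations. Change it to `Payload: '*-HistorySaveStyle*'`. This looks like a paste from a rendered document, so the other converted rules may be worth grepping for non-ASCII dashes as well.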
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/sigma/windows/powershell/powershell_module/powershell_decompress_commands.yml
new file mode 100644
index 00000000..295c8f08
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell Decompress Commands
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for specific decompress commands in PowerShell logs.
+ This could be an adversary decompressing files.
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload: '*Expand-Archive*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
+level: informational
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/8
+- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+related:
+- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
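Review bot: `falsepositives: - unknown` undersells a cmdlet that is routinely run by administrators and deployment scripts; since the rule is already rated `informational`, naming the expected benign sources helps whoever tunes it, e.g. `- Legitimate archive extraction by administrators or deployment scripts`. The lowercase `unknown` here and in the Get-Clipboard and COMPRESS rules also differs from the capitalised `Unknown` used elsewhere in this batch.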
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/sigma/windows/powershell/powershell_module/powershell_get_clipboard.yml
new file mode 100644
index 00000000..85d9456a
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell Get Clipboard
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for the Get-Clipboard commands in PowerShell logs.
+ This could be an adversary capturing clipboard contents.
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload: '*Get-Clipboard*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/16
+- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+related:
+- id: 5486f63a-aa4c-488d-9a61-c9192853099f
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1115
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
new file mode 100644
index 00000000..6184e363
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 73e67340-0d25-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
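Review bot: The SELECTION_2 regex is case-sensitive (no `(?i)` flag), unlike the COMPRESS, RUNDLL and Via-Stdin rules in this batch that begin with `(?i)`, so a launcher logged as `CMD /C ... CLIP` or `Clip.exe` passes unmatched even though cmd and PowerShell resolve those names case-insensitively. Prefixing the pattern with `(?i)` aligns it with the siblings; the STDIN+ and VAR+ launcher rules that follow have the same omission. The run of `.+` segments between the literals also backtracks heavily on long script blocks, so where the backend permits, bounded gaps like the `cmd.{0,5}` already used would be cheaper to evaluate.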
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
new file mode 100644
index 00000000..976895c4
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -0,0 +1,44 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
+ SELECTION_7:
+ Payload|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ Payload|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 2f211361-7dce-442d-b78a-c04039677378
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+related:
+- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+- attack.t1086
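Review bot: In SELECTION_8 the pattern `\String\]\s*\$VerbosePreference` escapes the `S`, and in most regex engines `\S` is the non-whitespace class, so this reads as "any non-space character followed by `tring]`" rather than the literal `String]`; it still matches `[String]`, but only by accident and also matches unrelated text. `String\]\s*\$VerbosePreference` (or `\[String\]\s*\$VerbosePreference` if the opening bracket is intended) states the intent. This is also the only rule in the batch without a `references:` list even though the description embeds a URL; moving that link under `references:` keeps the metadata consistent.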
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
new file mode 100644
index 00000000..28b41cc7
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
new file mode 100644
index 00000000..369eac7f
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
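Review bot: `(?:\s|)` in the SELECTION_2 regex is an alternation with an empty branch standing in for `\s?`, and `(?:\{\d\}){1,}` and `(?:.*\)){1,}` spell `+` the long way; rewriting them as `\s?`, `(?:\{\d\})+` and `(?:.*\))+` reads more naturally without changing what matches. The case-sensitivity point raised on the CLIP+ launcher applies to this pattern as well.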
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
new file mode 100644
index 00000000..0bc19a74
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 00000000..a677e012
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: a23791fe-8846-485a-b16b-ca691e1b03d4
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
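Review bot: `(?:\s+)?` in the SELECTION_2 regex is just `\s*`; the shorter form is clearer. This pattern and the "Via Use Rundll32" rule later in the batch both key on `rundll32`, `shell32.dll` and `shellexec_rundll` in the same 4103 payload, so they appear to fire on the same events; if the distinction is intentional (the other rule additionally requires `&&` and one of `value|invoke|comspec|iex`), a sentence in each description saying which variant it targets would spare analysts a duplicate alert.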
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 00000000..da15627c
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
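Review bot: The capturing groups `(set)` and `(environment|invoke|\$\{?input)` in SELECTION_2 are never referenced, so `(?:...)` or no group at all is the clearer form; backends that materialise captures also do less work. This rule and the STDIN+ launcher rule earlier in the batch both target the stdin launcher from Invoke-Obfuscation on the same log source, so a note in the description on what this broader pattern adds would help when both alert on one event.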
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 00000000..e69a7375
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,30 @@
+
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 00000000..e3b53014
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: e55a5195-4724-480e-a77e-3ebe64bd3759
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
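Review bot: `definition: PowerShell Module Logging must be enabledd` has a doubled `d`; the same typo is in the VAR++ launcher, Invoke-ATHRemoteFXvGPUDisablementCommand and Zip-A-Folder rules later in this batch, so it was probably propagated from one template — `definition: PowerShell Module Logging must be enabled` in all four. The file name `powershell_invoke_obfuscation_via_use_mhsta.yml` also transposes the letters of MSHTA relative to the title; renaming it to `..._mshta.yml` before it gets referenced elsewhere is cheap now.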
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 00000000..80330a47
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
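Review bot: `date: 2019/10/08` stands out against the other oscd.community rules by the same author in this batch, which are all dated October 2020 (2020/10/08, 2020/10/09, 2020/10/12); this reads like a year slip and is worth confirming against the upstream rule before the metadata is relied on. The SELECTION_2 regex also ends in a literal `"` requirement, so a payload that omits the closing quote will not match; if that is intentional, a short note in the description would prevent someone "fixing" it later.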
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
new file mode 100644
index 00000000..f86e34c8
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -0,0 +1,31 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: e54f5149-6ba3-49cf-b153-070d24679126
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_powercat.yml b/rules/sigma/windows/powershell/powershell_module/powershell_powercat.yml
new file mode 100644
index 00000000..9e8ca4ea
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_powercat.yml
@@ -0,0 +1,31 @@
+
+title: Netcat The Powershell Version
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication
+ between host and C2 server or among infected hosts within a network
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ ContextInfo:
+ - '*powercat *'
+ - '*powercat.ps1*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/09/07
+references:
+- https://nmap.org/ncat/
+- https://github.com/besimorhino/powercat
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1095
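Review bot: The `description:` is the generic ATT&CK T1095 technique text and never says what the rule actually looks for, which is the `powercat` / `powercat.ps1` strings in 4103 ContextInfo; an analyst reading the alert cannot tell that from the metadata. Something like `description: Detects invocation of the powercat PowerShell netcat clone (powercat.ps1) in module logging, which adversaries use for C2 or relay over non-application-layer protocols` ties the text to the selection. The `falsepositives` entry could likewise name the expected source, e.g. authorised penetration tests.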
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/sigma/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
new file mode 100644
index 00000000..2c6ef1dd
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -0,0 +1,32 @@
+
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects remote PowerShell sessions
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ ContextInfo: '* = ServerRemoteHost *'
+ SELECTION_3:
+ ContextInfo: '*wsmprovhost.exe*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate use remote PowerShell sessions
+id: 96b9f619-aa91-478f-bacb-c3e50f8df575
+level: high
+logsource:
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/09/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
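Review bot: `level: high` combined with a falsepositives entry that admits legitimate use is going to page constantly in environments where WinRM-based administration is standard, since every remote session produces the `ServerRemoteHost` / `wsmprovhost.exe` ContextInfo this rule keys on; consider `level: medium` or a description sentence saying the rule is meant to be tuned by allow-listing management hosts. The falsepositives text also reads awkwardly: `- Legitimate use of remote PowerShell sessions`. `status: test` differs from the `experimental` used by every other rule in this batch; fine if intentional, but worth a glance.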
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..1d136398
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
@@ -0,0 +1,39 @@
+
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+ that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+ SELECTION_3:
+ ContextInfo:
+ - '*-ModuleName *'
+ - '*-ModulePath *'
+ - '*-ScriptBlock *'
+ - '*-RemoteFXvGPUDisablementFilePath*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+ service: powershell
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
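Review bot: The `fields:` list names `CommandLine` and `ParentCommandLine`, which are process-creation fields, while this rule matches on 4103 module-logging events whose relevant content is `ContextInfo` (and `Payload`); as written, the enrichment fields an analyst is pointed at will be empty on the matching events. Replace them with `- ContextInfo` and `- Payload`, keeping `ComputerName` and `User`. The `definition:` line also carries the `enabledd` typo noted on the MSHTA rule.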
diff --git a/rules/sigma/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/sigma/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
new file mode 100644
index 00000000..fe41efea
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -0,0 +1,36 @@
+
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ EventID: 4103
+ SELECTION_2:
+ ContextInfo: '*Compress-Archive *'
+ SELECTION_3:
+ ContextInfo: '* -Path *'
+ SELECTION_4:
+ ContextInfo: '* -DestinationPath *'
+ SELECTION_5:
+ ContextInfo: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+level: medium
+logsource:
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+ service: powershell
+modified: 2021/10/09
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/sigma/windows/powershell/powershell_script/powershell_accessing_win_api.yml
new file mode 100644
index 00000000..68cee9f1
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_accessing_win_api.yml
@@ -0,0 +1,74 @@
+
+title: Accessing WinAPI in PowerShell
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+description: Detecting use WinAPI Functions in PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*WaitForSingleObject*'
+ - '*QueueUserApc*'
+ - '*RtlCreateUserThread*'
+ - '*OpenProcess*'
+ - '*VirtualAlloc*'
+ - '*VirtualFree*'
+ - '*WriteProcessMemory*'
+ - '*CreateUserThread*'
+ - '*CloseHandle*'
+ - '*GetDelegateForFunctionPointer*'
+ - '*CreateThread*'
+ - '*memcpy*'
+ - '*LoadLibrary*'
+ - '*GetModuleHandle*'
+ - '*GetProcAddress*'
+ - '*VirtualProtect*'
+ - '*FreeLibrary*'
+ - '*ReadProcessMemory*'
+ - '*CreateRemoteThread*'
+ - '*AdjustTokenPrivileges*'
+ - '*WriteByte*'
+ - '*WriteInt32*'
+ - '*OpenThreadToken*'
+ - '*PtrToString*'
+ - '*FreeHGlobal*'
+ - '*ZeroFreeGlobalAllocUnicode*'
+ - '*OpenProcessToken*'
+ - '*GetTokenInformation*'
+ - '*SetThreadToken*'
+ - '*ImpersonateLoggedOnUser*'
+ - '*RevertToSelf*'
+ - '*GetLogonSessionData*'
+ - '*CreateProcessWithToken*'
+ - '*DuplicateTokenEx*'
+ - '*OpenWindowStation*'
+ - '*OpenDesktop*'
+ - '*MiniDumpWriteDump*'
+ - '*AddSecurityPackage*'
+ - '*EnumerateSecurityPackages*'
+ - '*GetProcessHandle*'
+ - '*DangerousGetHandle*'
+ - '*kernel32*'
+ - '*Advapi32*'
+ - '*msvcrt*'
+ - '*ntdll*'
+ - '*user32*'
+ - '*secur32*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
+id: 03d83090-8cba-44a0-b02f-0b756a050306
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/04
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1106
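Review bot: Several SELECTION_2 entries are substrings of other entries (`*OpenProcess*` already covers `*OpenProcessToken*`, `*VirtualAlloc*` and `*LoadLibrary*` cover their `Ex` variants), and tokens such as `*kernel32*`, `*msvcrt*`, `*memcpy*`, `*CloseHandle*` and `*user32*` occur in a great deal of legitimate `Add-Type` P/Invoke code, so `level: high` with only Carbon listed as a false positive is likely to need tuning on day one. Either trim the redundant entries and document the broad ones as expected noise in `falsepositives` (e.g. `- Scripts that declare P/Invoke signatures via Add-Type`), or lower the level and keep the list as a hunting query. The detection logic itself is sound for script-block logging.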
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/sigma/windows/powershell/powershell_script/powershell_adrecon_execution.yml
new file mode 100644
index 00000000..f9eed4aa
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_adrecon_execution.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell ADRecon Execution
+author: Bhabesh Raj
+date: 2021/07/16
+description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
+ reported to be actively used by FIN7
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Function Get-ADRExcelComOb*'
+ - '*ADRecon-Report.xlsx*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: bf72941a-cba0-41ea-b18c-9aca3925690d
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/sense-of-security/ADRecon
+- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
+status: experimental
+tags:
+- attack.discovery
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/sigma/windows/powershell/powershell_script/powershell_automated_collection.yml
new file mode 100644
index 00000000..46f12b02
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_automated_collection.yml
@@ -0,0 +1,41 @@
+
+title: Automated Collection Command PowerShell
+author: frack113
+date: 2021/07/28
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*.doc*'
+ - '*.docx*'
+ - '*.xls*'
+ - '*.xlsx*'
+ - '*.ppt*'
+ - '*.pptx*'
+ - '*.rtf*'
+ - '*.pdf*'
+ - '*.txt*'
+ SELECTION_3:
+ ScriptBlockText: '*Get-ChildItem*'
+ SELECTION_4:
+ ScriptBlockText: '* -Recurse *'
+ SELECTION_5:
+ ScriptBlockText: '* -Include *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: c1dda054-d638-4c16-afc8-53e007f3fbc5
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
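Review bot: In SELECTION_2 the wildcards `*.doc*`, `*.xls*` and `*.ppt*` already match `.docx`, `.xlsx` and `.pptx`, so the three `x` entries are dead and can be removed; conversely `*.doc*` also matches unrelated substrings such as `.docker` or `.documentation`, which is tolerable only because the condition requires `Get-ChildItem`, `-Recurse` and `-Include` alongside it. A one-line comment above the list noting that the extension wildcards are deliberately loose and rely on the other selections would stop the next maintainer from re-adding the `x` variants.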
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
new file mode 100644
index 00000000..eef3f81e
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
@@ -0,0 +1,29 @@
+
+title: Execution via CL_Invocation.ps1
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*CL_Invocation.ps1*'
+ SELECTION_3:
+ ScriptBlockText: '*SyncInvoke*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+- https://twitter.com/bohops/status/948061991012327424
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
new file mode 100644
index 00000000..d7fdeb8b
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
@@ -0,0 +1,30 @@
+
+title: Execution via CL_Invocation.ps1 (2 Lines)
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*CL_Invocation.ps1*'
+ - '*SyncInvoke*'
+ condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer >
+ 2
+falsepositives:
+- Unknown
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+- https://twitter.com/bohops/status/948061991012327424
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
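Review bot: The title says "(2 Lines)" but the aggregation `| count(ScriptBlockText) by Computer > 2` requires at least three matching events; if each of the two script lines is logged as its own 4104 event, a script containing exactly `CL_Invocation.ps1` and `SyncInvoke` would never fire, so `> 1` (or `>= 2`) appears to be the intended threshold — please confirm against the original rule. The same threshold appears in the CL_Mutexverifiers "(2 Lines)" rule below. The grouping field `Computer` also differs from the `ComputerName` used in the `fields:` list of another rule in this batch; whichever name the backend field mapping expects should be used consistently.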
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
new file mode 100644
index 00000000..d4c05a46
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
@@ -0,0 +1,30 @@
+
+title: Execution via CL_Mutexverifiers.ps1
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
+ module
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*CL_Mutexverifiers.ps1*'
+ SELECTION_3:
+ ScriptBlockText: '*runAfterCancelProcess*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+- https://twitter.com/pabraeken/status/995111125447577600
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
new file mode 100644
index 00000000..5d4f6921
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
@@ -0,0 +1,31 @@
+
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
+ module
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*CL_Mutexverifiers.ps1*'
+ - '*runAfterCancelProcess*'
+ condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer >
+ 2
+falsepositives:
+- Unknown
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+- https://twitter.com/pabraeken/status/995111125447577600
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
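Review bot: The aggregation threshold in the condition does not match the "(2 Lines)" title: under Sigma's `count(field)` semantics the rule fires only when more than two distinct ScriptBlockText values match per Computer, i.e. at least three events, and with no `timeframe` the count accumulates over the whole retention window rather than a session. If the intended trigger is the pair of events (the dot-source of CL_Mutexverifiers.ps1 and the runAfterCancelProcess call), `condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer > 1` plus `timeframe: 5m` under `detection` is closer to that intent. Whether the backend counts distinct values or raw events depends on the converter, so verify the threshold against the target SIEM before promoting this out of experimental.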
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_create_local_user.yml b/rules/sigma/windows/powershell/powershell_script/powershell_create_local_user.yml
new file mode 100644
index 00000000..79d58161
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_create_local_user.yml
@@ -0,0 +1,30 @@
+
+title: PowerShell Create Local User
+author: '@ROxPinTeddy'
+date: 2020/04/11
+description: Detects creation of a local user via PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*New-LocalUser*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate user creation
+id: 243de76f-4725-4f2e-8225-a8a69b15ad61
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/04
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.persistence
+- attack.t1136.001
+- attack.t1136
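Review bot: The tag list mixes the retired technique ID `attack.t1086` with its replacement `attack.t1059.001`, and lists the parent `attack.t1136` next to the sub-technique `attack.t1136.001`; the retired ID and the redundant parent add noise to ATT&CK navigator output and can be dropped. The match is also limited to the `New-LocalUser` cmdlet, so `net user /add` or `Add-LocalGroupMember` issued from the same script is not covered; stating that in the description avoids reading this rule as full T1136.001 coverage.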
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_data_compressed.yml b/rules/sigma/windows/powershell/powershell_script/powershell_data_compressed.yml
new file mode 100644
index 00000000..f929c7da
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_data_compressed.yml
@@ -0,0 +1,33 @@
+
+title: Data Compressed - PowerShell
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: An adversary may compress data (e.g., sensitive documents) that is collected
+ prior to exfiltration in order to make it portable and minimize the amount of data
+ sent over the network.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*-Recurse*'
+ SELECTION_3:
+ ScriptBlockText: '*|*'
+ SELECTION_4:
+ ScriptBlockText: '*Compress-Archive*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Highly likely if archive operations are done via PowerShell.
+id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
+level: low
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/07/06
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1560
+- attack.t1002
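Review bot: Requiring `-Recurse` in the script block misses the most direct form of the technique: `Compress-Archive -Path C:\docs -DestinationPath out.zip` archives a directory tree on its own (the cmdlet has no -Recurse parameter of its own), so only the `Get-ChildItem -Recurse | Compress-Archive` pipeline shape is caught. The `'*|*'` selector adds almost no discrimination either, since a pipe character appears in most non-trivial script blocks. Matching `Compress-Archive` together with `-DestinationPath`, keeping level low and the existing FP note, is a tighter and broader rule; `attack.t1002` is the retired ID for T1560 and can be dropped.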
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/sigma/windows/powershell/powershell_script/powershell_detect_vm_env.yml
new file mode 100644
index 00000000..391c8b81
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_detect_vm_env.yml
@@ -0,0 +1,33 @@
+
+title: Powershell Detect Virtualization Environment
+author: frack113
+date: 2021/08/03
+description: Adversaries may employ various system checks to detect and avoid virtualization
+ and analysis environments. This may include changing behaviors based on the results
+ of checks for the presence of artifacts indicative of a virtual machine environment
+ (VME) or sandbox
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Get-WmiObject*'
+ SELECTION_3:
+ ScriptBlockText:
+ - '*MSAcpi_ThermalZoneTemperature*'
+ - '*Win32_ComputerSystem*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: d93129cd-1ee0-479f-bc03-ca6f129882e3
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
+- https://techgenix.com/malicious-powershell-scripts-evade-detection/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1497.001
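Review bot: `*Get-WmiObject*` is the only enumeration cmdlet matched, so the modern equivalent `Get-CimInstance Win32_ComputerSystem` never triggers; add `- '*Get-CimInstance*'` to SELECTION_2 as a list alongside `Get-WmiObject`. `Win32_ComputerSystem` is also queried by routine inventory and logon scripts, so the `Unknown` false-positive entry understates the expected noise for a medium-level rule; `- Legitimate inventory or logon scripts querying Win32_ComputerSystem` is a more useful hint for tuning.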
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/sigma/windows/powershell/powershell_script/powershell_dnscat_execution.yml
new file mode 100644
index 00000000..ee63b69a
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_dnscat_execution.yml
@@ -0,0 +1,27 @@
+
+title: Dnscat Execution
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+description: Dnscat exfiltration tool execution
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Start-Dnscat2*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
+id: a6d67db4-6220-436d-8afc-f3842fe05d43
+level: critical
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2020/08/24
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
+- attack.execution
+- attack.t1059.001
+- attack.t1086
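Review bot: A critical-level rule should carry a `references` entry pointing at the tool it detects (the PowerShell dnscat2 client project), and this file has none; an analyst triaging a critical alert needs that context. The tag list also carries the retired ID `attack.t1086` next to its replacement `attack.t1059.001`. Matching only the default function name `Start-Dnscat2` is defeated by renaming the function, which the description could state so the level is read as "high confidence, low coverage".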
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/sigma/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
new file mode 100644
index 00000000..eb64e0fd
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
@@ -0,0 +1,31 @@
+
+title: PowerShell ICMP Exfiltration
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/10
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
+ steal data by exfiltrating it over an un-encrypted network protocol other than that
+ of the existing command and control channel.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*New-Object*'
+ SELECTION_3:
+ ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
+ SELECTION_4:
+ ScriptBlockText: '*.Send(*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate usage of System.Net.NetworkInformation.Ping class
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048.003
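Review bot: The `*New-Object*` requirement is bypassed by the constructor syntax available since PowerShell 5, `[System.Net.NetworkInformation.Ping]::new()`, which still produces the `.Send(` call the rule keys on; dropping SELECTION_2 from the condition, `condition: (SELECTION_1 and SELECTION_3 and SELECTION_4)`, closes that gap at the cost of the FP already listed. PowerShell also resolves the type without the `System.` prefix, so `[Net.NetworkInformation.Ping]` would not match SELECTION_3 as written; matching on `NetworkInformation.Ping` instead covers both spellings.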
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
new file mode 100644
index 00000000..d0a6ddee
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
@@ -0,0 +1,25 @@
+
+title: PrintNightmare Powershell Exploitation
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet name for PrintNightmare exploitation.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Invoke-Nightmare*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/31
+references:
+- https://github.com/calebstewart/CVE-2021-1675
+status: test
+tags:
+- attack.privilege_escalation
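Review bot: The tag list has a tactic but no technique; exploiting a local vulnerability to elevate maps to `attack.t1068`, which would let this rule be filtered alongside the other exploitation content. The `definition` string reads `Script Block Logging must be enable`, while the sibling rules use `Script block logging must be enabled`; matching it keeps the logsource definitions greppable. As with the other name-based rules, `Invoke-Nightmare` catches the public PoC only, not renamed copies, which is worth a sentence in the description.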
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..b7a9eba4
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
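Review bot: The regex carries no `(?i)` flag, unlike the COMPRESS and RUNDLL siblings in this series, so whether `CMD /C ... CLIP ... [Windows.Clipboard]` matches depends on the backend's default for `|re`; cmd.exe and PowerShell ignore case, so an obfuscator only has to change case to slip past a case-sensitive backend. Prefixing the pattern with `(?i)` makes the intent explicit regardless of converter.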
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
new file mode 100644
index 00000000..6457598d
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -0,0 +1,41 @@
+
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: Detects all variations of obfuscated powershell IEX invocation code generated
+ by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_3:
+ ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_4:
+ ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_5:
+ ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_6:
+ ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
+ SELECTION_7:
+ ScriptBlockText|re: \$VerbosePreference\.ToString\(
+ SELECTION_8:
+ ScriptBlockText|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+- attack.t1086
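Review bot: In SELECTION_8 the pattern `\String\]` is not a literal `String]`: `\S` is the non-whitespace character class, so it matches any non-space character followed by `tring]`, which still hits `[String]` but reads as an escaping mistake. If the `[String]$VerbosePreference` cast is the intended signal, write `\[String\]\s*\$VerbosePreference`. None of the seven regexes carries `(?i)` although `$PSHome`, `$ShellId` and `$env:ComSpec` are case-insensitive in PowerShell, so case handling depends on the backend's default; adding the flag removes that dependency.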
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..3ee4178a
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
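Review bot: The pattern is anchored on the literal `powershell`, so a launcher invoking `pwsh` (PowerShell 7) is never matched, and with no `(?i)` flag the `cmd`, `powershell` and `noexit` tokens are matched case-sensitively on backends that default that way although both shells ignore case. `(?i).*cmd.{0,5}(?:/c|/r).+(?:powershell|pwsh).+(?:\$\{?input\}?|noexit).+"` covers both.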
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..5b7fcf10
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
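Review bot: The same case-sensitivity concern as the other launcher rules applies here: without `(?i)` the tokens `cmd`, `set` and `-f` are matched case-sensitively on backends that default that way, and cmd.exe accepts `SET`/`CMD` freely, so prefix the expression with `(?i)`. The `[a-zA-Z]{3,6}` class is also narrower than what cmd accepts for a variable name (digits and underscores are valid), so a hand-edited `set a1b=` launcher would not match; `[a-zA-Z0-9_]{3,6}` is safer at no FP cost.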
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..1f60f702
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
new file mode 100644
index 00000000..9b29b8cd
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..871e6ce1
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..9b58ffb0
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
new file mode 100644
index 00000000..d00b373f
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
new file mode 100644
index 00000000..98a14913
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation Via Use Rundll32
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..dafe6471
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: e54f5149-6ba3-49cf-b153-070d24679126
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/10/07
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_keylogging.yml b/rules/sigma/windows/powershell/powershell_script/powershell_keylogging.yml
new file mode 100644
index 00000000..d9044899
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_keylogging.yml
@@ -0,0 +1,31 @@
+
+title: Powershell Keylogging
+author: frack113
+date: 2021/07/30
+description: Adversaries may log user keystrokes to intercept credentials as the user
+ types them.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Get-Keystrokes*'
+ SELECTION_3:
+ ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*'
+ SELECTION_4:
+ ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Unknown
+id: 34f90d3c-c297-49e9-b26d-911b05a4866c
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
+status: experimental
+tags:
+- attack.collection
+- attack.t1056.001
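Review bot: The first reference points at the T1218 (Signed Binary Proxy Execution) Atomic page, which is unrelated to keystroke capture; this rule maps to T1056.001, so it should read `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md`. SELECTION_3 and SELECTION_4 match one exact spacing of `Get-ProcAddress user32.dll GetAsyncKeyState`; the same call with named parameters or different whitespace, or a direct P/Invoke of GetAsyncKeyState, is not covered, which is worth stating in the description.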
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/sigma/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
new file mode 100644
index 00000000..793cecb4
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -0,0 +1,125 @@
+
+title: Malicious PowerShell Commandlets
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
+ oscd.community (update)
+date: 2017/03/05
+description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Invoke-DllInjection*'
+ - '*Invoke-Shellcode*'
+ - '*Invoke-WmiCommand*'
+ - '*Get-GPPPassword*'
+ - '*Get-Keystrokes*'
+ - '*Get-TimedScreenshot*'
+ - '*Get-VaultCredential*'
+ - '*Invoke-CredentialInjection*'
+ - '*Invoke-Mimikatz*'
+ - '*Invoke-NinjaCopy*'
+ - '*Invoke-TokenManipulation*'
+ - '*Out-Minidump*'
+ - '*VolumeShadowCopyTools*'
+ - '*Invoke-ReflectivePEInjection*'
+ - '*Invoke-UserHunter*'
+ - '*Find-GPOLocation*'
+ - '*Invoke-ACLScanner*'
+ - '*Invoke-DowngradeAccount*'
+ - '*Get-ServiceUnquoted*'
+ - '*Get-ServiceFilePermission*'
+ - '*Get-ServicePermission*'
+ - '*Invoke-ServiceAbuse*'
+ - '*Install-ServiceBinary*'
+ - '*Get-RegAutoLogon*'
+ - '*Get-VulnAutoRun*'
+ - '*Get-VulnSchTask*'
+ - '*Get-UnattendedInstallFile*'
+ - '*Get-ApplicationHost*'
+ - '*Get-RegAlwaysInstallElevated*'
+ - '*Get-Unconstrained*'
+ - '*Add-RegBackdoor*'
+ - '*Add-ScrnSaveBackdoor*'
+ - '*Gupt-Backdoor*'
+ - '*Invoke-ADSBackdoor*'
+ - '*Enabled-DuplicateToken*'
+ - '*Invoke-PsUaCme*'
+ - '*Remove-Update*'
+ - '*Check-VM*'
+ - '*Get-LSASecret*'
+ - '*Get-PassHashes*'
+ - '*Show-TargetScreen*'
+ - '*Port-Scan*'
+ - '*Invoke-PoshRatHttp*'
+ - '*Invoke-PowerShellTCP*'
+ - '*Invoke-PowerShellWMI*'
+ - '*Add-Exfiltration*'
+ - '*Add-Persistence*'
+ - '*Do-Exfiltration*'
+ - '*Start-CaptureServer*'
+ - '*Get-ChromeDump*'
+ - '*Get-ClipboardContents*'
+ - '*Get-FoxDump*'
+ - '*Get-IndexedItem*'
+ - '*Get-Screenshot*'
+ - '*Invoke-Inveigh*'
+ - '*Invoke-NetRipper*'
+ - '*Invoke-EgressCheck*'
+ - '*Invoke-PostExfil*'
+ - '*Invoke-PSInject*'
+ - '*Invoke-RunAs*'
+ - '*MailRaider*'
+ - '*New-HoneyHash*'
+ - '*Set-MacAttribute*'
+ - '*Invoke-DCSync*'
+ - '*Invoke-PowerDump*'
+ - '*Exploit-Jboss*'
+ - '*Invoke-ThunderStruck*'
+ - '*Invoke-VoiceTroll*'
+ - '*Set-Wallpaper*'
+ - '*Invoke-InveighRelay*'
+ - '*Invoke-PsExec*'
+ - '*Invoke-SSHCommand*'
+ - '*Get-SecurityPackages*'
+ - '*Install-SSP*'
+ - '*Invoke-BackdoorLNK*'
+ - '*PowerBreach*'
+ - '*Get-SiteListPassword*'
+ - '*Get-System*'
+ - '*Invoke-BypassUAC*'
+ - '*Invoke-Tater*'
+ - '*Invoke-WScriptBypassUAC*'
+ - '*PowerUp*'
+ - '*PowerView*'
+ - '*Get-RickAstley*'
+ - '*Find-Fruit*'
+ - '*HTTP-Login*'
+ - '*Find-TrustedDocuments*'
+ - '*Invoke-Paranoia*'
+ - '*Invoke-WinEnum*'
+ - '*Invoke-ARPScan*'
+ - '*Invoke-PortScan*'
+ - '*Invoke-ReverseDNSLookup*'
+ - '*Invoke-SMBScanner*'
+ - '*Invoke-Mimikittenz*'
+ - '*Invoke-AllChecks*'
+ SELECTION_3:
+ ScriptBlockText: '*Get-SystemDriveInfo*'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Penetration testing
+id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
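Review bot: The `not SELECTION_3` filter excludes any script block that contains `Get-SystemDriveInfo` anywhere, so a block that also runs `Invoke-Mimikatz` is suppressed as long as it mentions that cmdlet, even in a comment; a presence-based exclusion is a trivial bypass for a high-level rule. The filter only exists because `*Get-System*` is a substring match; replacing that entry with a separate `ScriptBlockText|re: '\bGet-System\b'` selection (which does not match Get-SystemDriveInfo, since no word boundary falls between `m` and `D`) and removing SELECTION_3 keeps the coverage without the bypass. Entries such as `*PowerUp*`, `*Set-Wallpaper*` and `*Remove-Update*` will also fire on unrelated scripts, which the single `Penetration testing` FP entry does not cover.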
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/sigma/windows/powershell/powershell_script/powershell_malicious_keywords.yml
new file mode 100644
index 00000000..fceca17e
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_malicious_keywords.yml
@@ -0,0 +1,48 @@
+
+title: Malicious PowerShell Keywords
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects keywords from well-known PowerShell exploitation frameworks
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*AdjustTokenPrivileges*'
+ - '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
+ - '*Microsoft.Win32.UnsafeNativeMethods*'
+ - '*ReadProcessMemory.Invoke*'
+ - '*SE_PRIVILEGE_ENABLED*'
+ - '*LSA_UNICODE_STRING*'
+ - '*MiniDumpWriteDump*'
+ - '*PAGE_EXECUTE_READ*'
+ - '*SECURITY_DELEGATION*'
+ - '*TOKEN_ADJUST_PRIVILEGES*'
+ - '*TOKEN_ALL_ACCESS*'
+ - '*TOKEN_ASSIGN_PRIMARY*'
+ - '*TOKEN_DUPLICATE*'
+ - '*TOKEN_ELEVATION*'
+ - '*TOKEN_IMPERSONATE*'
+ - '*TOKEN_INFORMATION_CLASS*'
+ - '*TOKEN_PRIVILEGES*'
+ - '*TOKEN_QUERY*'
+ - '*Metasploit*'
+ - '*Mimikatz*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration tests
+id: f62176f3-8128-4faa-bf6c-83261322e5eb
+level: high
+logsource:
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell
+ v5 https://adsecurity.org/?p=2277
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/sigma/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
new file mode 100644
index 00000000..6e893205
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
@@ -0,0 +1,27 @@
+
+title: Live Memory Dump Using Powershell
+author: Max Altgelt
+date: 2021/09/21
+description: Detects usage of a PowerShell command to dump the live memory of a Windows
+ machine
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Get-StorageDiagnosticInfo*'
+ SELECTION_3:
+ ScriptBlockText: '*-IncludeLiveDump*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Diagnostics
+id: cd185561-4760-45d6-a63e-a51325112cae
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
+status: experimental
+tags:
+- attack.t1003
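Review bot: The tag list has the technique `attack.t1003` but no tactic; every sibling rule pairs a tactic with its technique, and OS credential dumping sits under `attack.credential_access`, so add `- attack.credential_access`. The description says this dumps live memory of the host, so the `Diagnostics` FP entry should name who legitimately runs it (storage support cases) so that analysts can baseline those operators instead of suppressing the rule.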
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/sigma/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
new file mode 100644
index 00000000..99b051ff
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
@@ -0,0 +1,98 @@
+
+title: Malicious Nishang PowerShell Commandlets
+author: Alec Costello
+date: 2019/05/16
+description: Detects Commandlet names and arguments from the Nishang exploitation
+ framework
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Add-ConstrainedDelegationBackdoor*'
+ - '*Set-DCShadowPermissions*'
+ - '*DNS_TXT_Pwnage*'
+ - '*Execute-OnTime*'
+ - '*HTTP-Backdoor*'
+ - '*Set-RemotePSRemoting*'
+ - '*Set-RemoteWMI*'
+ - '*Invoke-AmsiBypass*'
+ - '*Out-CHM*'
+ - '*Out-HTA*'
+ - '*Out-SCF*'
+ - '*Out-SCT*'
+ - '*Out-Shortcut*'
+ - '*Out-WebQuery*'
+ - '*Out-Word*'
+ - '*Enable-Duplication*'
+ - '*Remove-Update*'
+ - '*Download-Execute-PS*'
+ - '*Download_Execute*'
+ - '*Execute-Command-MSSQL*'
+ - '*Execute-DNSTXT-Code*'
+ - '*Out-RundllCommand*'
+ - '*Copy-VSS*'
+ - '*FireBuster*'
+ - '*FireListener*'
+ - '*Get-Information*'
+ - '*Get-PassHints*'
+ - '*Get-WLAN-Keys*'
+ - '*Get-Web-Credentials*'
+ - '*Invoke-CredentialsPhish*'
+ - '*Invoke-MimikatzWDigestDowngrade*'
+ - '*Invoke-SSIDExfil*'
+ - '*Invoke-SessionGopher*'
+ - '*Keylogger*'
+ - '*Invoke-Interceptor*'
+ - '*Create-MultipleSessions*'
+ - '*Invoke-NetworkRelay*'
+ - '*Run-EXEonRemote*'
+ - '*Invoke-Prasadhak*'
+ - '*Invoke-BruteForce*'
+ - '*Password-List*'
+ - '*Invoke-JSRatRegsvr*'
+ - '*Invoke-JSRatRundll*'
+ - '*Invoke-PoshRatHttps*'
+ - '*Invoke-PowerShellIcmp*'
+ - '*Invoke-PowerShellUdp*'
+ - '*Invoke-PSGcat*'
+ - '*Invoke-PsGcatAgent*'
+ - '*Remove-PoshRat*'
+ - '*Add-Persistance*'
+ - '*ExetoText*'
+ - '*Invoke-Decode*'
+ - '*Invoke-Encode*'
+ - '*Parse_Keys*'
+ - '*Remove-Persistence*'
+ - '*StringtoBase64*'
+ - '*TexttoExe*'
+ - '*Powerpreter*'
+ - '*Nishang*'
+ - '*DataToEncode*'
+ - '*LoggedKeys*'
+ - '*OUT-DNSTXT*'
+ - '*ExfilOption*'
+ - '*DumpCerts*'
+ - '*DumpCreds*'
+ - '*Shellcode32*'
+ - '*Shellcode64*'
+ - '*NotAllNameSpaces*'
+ - '*exfill*'
+ - '*FakeDC*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration testing
+id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://github.com/samratashok/nishang
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
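Review bot: Several entries are generic words rather than Nishang identifiers — `*Keylogger*`, `*exfill*`, `*Password-List*`, `*Get-Information*`, `*DumpCerts*`, `*Shellcode32*`, `*Shellcode64*` — and at level high with only `Penetration testing` as the listed FP they will fire on defensive tooling, comments and documentation that merely mention those words. Either move the generic tokens to a lower-level companion rule or qualify them with the surrounding Nishang call syntax. `*Remove-Update*` also duplicates the entry in the Malicious PowerShell Commandlets rule added in this same commit, so both rules fire on the same event.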
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/sigma/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
new file mode 100644
index 00000000..61bcbd1f
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
@@ -0,0 +1,37 @@
+
+title: NTFS Alternate Data Stream
+author: Sami Ruohonen
+date: 2018/07/24
+description: Detects writing data into NTFS alternate data streams from powershell.
+ Needs Script Block Logging.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*set-content*'
+ - '*add-content*'
+ SELECTION_3:
+ ScriptBlockText:
+ - '*-stream*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 8c521530-5169-495d-a199-0a3a881ad24e
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- http://www.powertheshell.com/ntfsstreams/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
+- attack.t1096
+- attack.execution
+- attack.t1059.001
+- attack.t1086
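Review bot: The file starts with an empty line before `title:` and has no `---` document marker, which yamllint flags and which the sibling rules in this change repeat; every new rule file here (this one through the WMImplant rule) should drop the leading blank line and begin with `---`. The falsepositives entry `- unknown` and the description's `powershell` are also lower-case where every other rule in the set writes `- Unknown` and `PowerShell`; `falsepositives: - Unknown` and `description: Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging.` keep the set consistent.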
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/sigma/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
new file mode 100644
index 00000000..4738f736
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
@@ -0,0 +1,151 @@
+
+title: Malicious PowerView PowerShell Commandlets
+author: Bhabesh Raj
+date: 2021/05/18
+description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Export-PowerViewCSV*'
+ - '*Get-IPAddress*'
+ - '*Resolve-IPAddress*'
+ - '*Convert-NameToSid*'
+ - '*ConvertTo-SID*'
+ - '*Convert-ADName*'
+ - '*ConvertFrom-UACValue*'
+ - '*Add-RemoteConnection*'
+ - '*Remove-RemoteConnection*'
+ - '*Invoke-UserImpersonation*'
+ - '*Invoke-RevertToSelf*'
+ - '*Request-SPNTicket*'
+ - '*Get-DomainSPNTicket*'
+ - '*Invoke-Kerberoast*'
+ - '*Get-PathAcl*'
+ - '*Get-DNSZone*'
+ - '*Get-DomainDNSZone*'
+ - '*Get-DNSRecord*'
+ - '*Get-DomainDNSRecord*'
+ - '*Get-NetDomain*'
+ - '*Get-Domain*'
+ - '*Get-NetDomainController*'
+ - '*Get-DomainController*'
+ - '*Get-NetForest*'
+ - '*Get-Forest*'
+ - '*Get-NetForestDomain*'
+ - '*Get-ForestDomain*'
+ - '*Get-NetForestCatalog*'
+ - '*Get-ForestGlobalCatalog*'
+ - '*Find-DomainObjectPropertyOutlier*'
+ - '*Get-NetUser*'
+ - '*Get-DomainUser*'
+ - '*New-DomainUser*'
+ - '*Set-DomainUserPassword*'
+ - '*Get-UserEvent*'
+ - '*Get-DomainUserEvent*'
+ - '*Get-NetComputer*'
+ - '*Get-DomainComputer*'
+ - '*Get-ADObject*'
+ - '*Get-DomainObject*'
+ - '*Set-ADObject*'
+ - '*Set-DomainObject*'
+ - '*Get-ObjectAcl*'
+ - '*Get-DomainObjectAcl*'
+ - '*Add-ObjectAcl*'
+ - '*Add-DomainObjectAcl*'
+ - '*Invoke-ACLScanner*'
+ - '*Find-InterestingDomainAcl*'
+ - '*Get-NetOU*'
+ - '*Get-DomainOU*'
+ - '*Get-NetSite*'
+ - '*Get-DomainSite*'
+ - '*Get-NetSubnet*'
+ - '*Get-DomainSubnet*'
+ - '*Get-DomainSID*'
+ - '*Get-NetGroup*'
+ - '*Get-DomainGroup*'
+ - '*New-DomainGroup*'
+ - '*Find-ManagedSecurityGroups*'
+ - '*Get-DomainManagedSecurityGroup*'
+ - '*Get-NetGroupMember*'
+ - '*Get-DomainGroupMember*'
+ - '*Add-DomainGroupMember*'
+ - '*Get-NetFileServer*'
+ - '*Get-DomainFileServer*'
+ - '*Get-DFSshare*'
+ - '*Get-DomainDFSShare*'
+ - '*Get-NetGPO*'
+ - '*Get-DomainGPO*'
+ - '*Get-NetGPOGroup*'
+ - '*Get-DomainGPOLocalGroup*'
+ - '*Find-GPOLocation*'
+ - '*Get-DomainGPOUserLocalGroupMapping*'
+ - '*Find-GPOComputerAdmin*'
+ - '*Get-DomainGPOComputerLocalGroupMapping*'
+ - '*Get-DomainPolicy*'
+ - '*Get-NetLocalGroup*'
+ - '*Get-NetLocalGroupMember*'
+ - '*Get-NetShare*'
+ - '*Get-NetLoggedon*'
+ - '*Get-NetSession*'
+ - '*Get-LoggedOnLocal*'
+ - '*Get-RegLoggedOn*'
+ - '*Get-NetRDPSession*'
+ - '*Invoke-CheckLocalAdminAccess*'
+ - '*Test-AdminAccess*'
+ - '*Get-SiteName*'
+ - '*Get-NetComputerSiteName*'
+ - '*Get-Proxy*'
+ - '*Get-WMIRegProxy*'
+ - '*Get-LastLoggedOn*'
+ - '*Get-WMIRegLastLoggedOn*'
+ - '*Get-CachedRDPConnection*'
+ - '*Get-WMIRegCachedRDPConnection*'
+ - '*Get-RegistryMountedDrive*'
+ - '*Get-WMIRegMountedDrive*'
+ - '*Get-NetProcess*'
+ - '*Get-WMIProcess*'
+ - '*Find-InterestingFile*'
+ - '*Invoke-UserHunter*'
+ - '*Find-DomainUserLocation*'
+ - '*Invoke-ProcessHunter*'
+ - '*Find-DomainProcess*'
+ - '*Invoke-EventHunter*'
+ - '*Find-DomainUserEvent*'
+ - '*Invoke-ShareFinder*'
+ - '*Find-DomainShare*'
+ - '*Invoke-FileFinder*'
+ - '*Find-InterestingDomainShareFile*'
+ - '*Find-LocalAdminAccess*'
+ - '*Invoke-EnumerateLocalAdmin*'
+ - '*Find-DomainLocalGroupMember*'
+ - '*Get-NetDomainTrust*'
+ - '*Get-DomainTrust*'
+ - '*Get-NetForestTrust*'
+ - '*Get-ForestTrust*'
+ - '*Find-ForeignUser*'
+ - '*Get-DomainForeignUser*'
+ - '*Find-ForeignGroup*'
+ - '*Get-DomainForeignGroupMember*'
+ - '*Invoke-MapDomainTrust*'
+ - '*Get-DomainTrustMapping*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Should not be any as administrators do not use this tool
+id: dcd74b95-3f36-4ed9-9598-0490951643aa
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://powersploit.readthedocs.io/en/stable/Recon/README
+- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+- https://thedfirreport.com/2020/10/08/ryuks-return
+- https://adsecurity.org/?p=2277
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
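Review bot: `*Get-ADObject*` and `*Set-ADObject*` in SELECTION_2 are also the names of cmdlets shipped in Microsoft's ActiveDirectory PowerShell module, so the falsepositives entry `Should not be any as administrators do not use this tool` is not accurate for this pattern set. Either drop those two entries in favour of the PowerView-specific names already listed (`*Get-DomainObject*`, `*Set-DomainObject*`), or change the entry to `- Administrators using the ActiveDirectory module cmdlets Get-ADObject and Set-ADObject`. Separately, the logsource line `definition: Script Block Logging must be enable` is ungrammatical; the same wording appears in the ShellIntel, Zip A Folder, Export-PfxCertificate and Get-Process LSASS rules below and should read `definition: Script Block Logging must be enabled` in all five.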
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/sigma/windows/powershell/powershell_script/powershell_prompt_credentials.yml
new file mode 100644
index 00000000..9d38cd82
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_prompt_credentials.yml
@@ -0,0 +1,29 @@
+
+title: PowerShell Credential Prompt
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+description: Detects PowerShell calling a credential prompt
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*PromptForCredential*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ca8b77a9-d499-4095-b793-5d5f330d450e
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/04
+references:
+- https://twitter.com/JohnLaTwC/status/850381440629981184
+- https://t.co/ezOTGy1a1G
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1059.001
+- attack.t1086
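Review bot: The second reference, `https://t.co/ezOTGy1a1G`, is a URL-shortener link; it redirects and can expire, so a reader of the rule cannot tell what it points to or verify it later. Replace it with the resolved destination URL, or drop it if it only duplicates the tweet already cited in the first reference.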
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_psattack.yml b/rules/sigma/windows/powershell/powershell_script/powershell_psattack.yml
new file mode 100644
index 00000000..8306bd54
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_psattack.yml
@@ -0,0 +1,27 @@
+
+title: PowerShell PSAttack
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects the use of PSAttack PowerShell hack tool
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*PS ATTACK!!!*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Pentesters
+id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/sigma/windows/powershell/powershell_script/powershell_shellcode_b64.yml
new file mode 100644
index 00000000..0a19b285
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_shellcode_b64.yml
@@ -0,0 +1,34 @@
+
+title: PowerShell ShellCode
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+description: Detects Base64 encoded Shellcode
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*AAAAYInlM*'
+ SELECTION_3:
+ ScriptBlockText:
+ - '*OiCAAAAYInlM*'
+ - '*OiJAAAAYInlM*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
+level: critical
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2020/12/01
+references:
+- https://twitter.com/cyb3rops/status/1063072865992523776
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+- attack.execution
+- attack.t1059.001
+- attack.t1086
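Review bot: SELECTION_2 (`*AAAAYInlM*`) is redundant: both SELECTION_3 patterns, `*OiCAAAAYInlM*` and `*OiJAAAAYInlM*`, contain that substring, so any event matching SELECTION_3 already matches SELECTION_2 and the `and` contributes nothing. If the narrower match is intended, drop SELECTION_2 and use `condition: (SELECTION_1 and SELECTION_3)`; if the bare prefix was meant to match on its own, the condition should be `(SELECTION_1 and (SELECTION_2 or SELECTION_3))` instead. The current form silently keeps only the narrower alternative at `level: critical`, so the description should state which variant the rule actually covers.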
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/sigma/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
new file mode 100644
index 00000000..580ee0cb
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
@@ -0,0 +1,30 @@
+
+title: Malicious ShellIntel PowerShell Commandlets
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Invoke-SMBAutoBrute*'
+ - '*Invoke-GPOLinks*'
+ - '*Out-Minidump*'
+ - '*Invoke-Potato*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/21
+references:
+- https://github.com/Shellntel/scripts/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/sigma/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
new file mode 100644
index 00000000..c87cac7c
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
@@ -0,0 +1,31 @@
+
+title: Powershell Store File In Alternate Data Stream
+author: frack113
+date: 2021/09/02
+description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Start-Process*'
+ SELECTION_3:
+ ScriptBlockText: '*-FilePath "$env:comspec" *'
+ SELECTION_4:
+ ScriptBlockText: '*-ArgumentList *'
+ SELECTION_5:
+ ScriptBlockText: '*>*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
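Review bot: SELECTION_3, `*-FilePath "$env:comspec" *`, only matches when the variable is wrapped in double quotes and followed by a space, so single-quoted or unquoted spellings of the same parameter fall through even though SELECTION_2, SELECTION_4 and SELECTION_5 would still match. Consider relaxing it to `ScriptBlockText: '*-FilePath*$env:comspec*'` so the quoting style does not decide the outcome. `*>*` in SELECTION_5 matches any redirection at all and carries no signal of its own; worth a sentence in the description saying it is only there to require some redirection alongside the other selections.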
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/sigma/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..3d560728
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
@@ -0,0 +1,33 @@
+
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Compress-Archive *'
+ SELECTION_3:
+ ScriptBlockText: '* -Path *'
+ SELECTION_4:
+ ScriptBlockText: '* -DestinationPath *'
+ SELECTION_5:
+ ScriptBlockText: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+level: medium
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/10/09
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
new file mode 100644
index 00000000..bce06c29
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
@@ -0,0 +1,30 @@
+
+title: Suspicious Export-PfxCertificate
+author: Florian Roth
+date: 2021/04/23
+description: Detects Commandlet that is used to export certificates from the local
+ certificate store and sometimes used by threat actors to steal private keys from
+ compromised machines
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Export-PfxCertificate*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate certificate exports invoked by administrators or users (depends on processes
+ in the environment - filter if unusable)
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/04
+references:
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.004
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
new file mode 100644
index 00000000..953344bf
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
@@ -0,0 +1,28 @@
+
+title: PowerShell Get-Process LSASS in ScriptBlock
+author: Florian Roth
+date: 2021/04/23
+description: Detects a Get-Process command on lsass process, which is in almost all
+ cases a sign of malicious activity
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Get-Process lsass*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate certificate exports invoked by administrators or users (depends on processes
+ in the environment - filter if unusable)
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+level: high
+logsource:
+ definition: Script Block Logging must be enable
+ product: windows
+ service: powershell
+modified: 2021/08/04
+references:
+- https://twitter.com/PythonResponder/status/1385064506049630211
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
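Review bot: The falsepositives entry, `Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)`, is copied from the Export-PfxCertificate rule above and does not describe this detection, which looks for `Get-Process lsass` in script block text. Replace it with an entry that fits the pattern, e.g. `- Legitimate administrative or monitoring scripts that query the lsass process by name (rare; filter per environment)`.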
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
new file mode 100644
index 00000000..64311b7d
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
@@ -0,0 +1,41 @@
+
+title: Suspicious PowerShell Keywords
+author: Florian Roth, Perez Diego (@darkquassar)
+date: 2019/02/11
+description: Detects keywords that could indicate the use of some PowerShell exploitation
+ framework
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*System.Reflection.Assembly.Load($*'
+ - '*[System.Reflection.Assembly]::Load($*'
+ - '*[Reflection.Assembly]::Load($*'
+ - '*System.Reflection.AssemblyName*'
+ - '*Reflection.Emit.AssemblyBuilderAccess*'
+ - '*Runtime.InteropServices.DllImportAttribute*'
+ - '*SuspendThread*'
+ - '*rundll32*'
+ - '*Invoke-WMIMethod*'
+ - '*http://127.0.0.1*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Penetration tests
+id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
+level: high
+logsource:
+ definition: Script block logging must be enabled for 4104
+ product: windows
+ service: powershell
+modified: 2021/08/30
+references:
+- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
+- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
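Review bot: Several SELECTION_2 entries are generic enough that `level: high` together with `falsepositives: Penetration tests` understates the noise: `*rundll32*` and `*Invoke-WMIMethod*` occur in ordinary administration scripts, and `*http://127.0.0.1*` matches any script talking to a local service. If the level stays high, the falsepositives section should at least add `- Administrative scripts using Invoke-WMIMethod, rundll32 or local HTTP endpoints`; otherwise consider moving those three keywords into a separate medium-level rule so the reflective-assembly-loading indicators keep their severity.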
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
new file mode 100644
index 00000000..75c1160c
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
@@ -0,0 +1,31 @@
+
+title: Powershell Local Email Collection
+author: frack113
+date: 2021/07/21
+description: Adversaries may target user email on local systems to collect sensitive
+ information. Files containing email data can be acquired from a user’s local system,
+ such as Outlook storage or cache files.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Get-Inbox.ps1*'
+ - '*Microsoft.Office.Interop.Outlook*'
+ - '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
+ - '*-comobject outlook.application*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1114.001
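Review bot: The pattern `*Microsoft.Office.Interop.Outlook.olDefaultFolders*` is subsumed by `*Microsoft.Office.Interop.Outlook*` two lines above it (every string containing the former contains the latter), so it never changes the match set and can be removed. `*-comobject outlook.application*` is also how legitimate Outlook automation scripts typically start, so `falsepositives: - Unknown` should become `- Legitimate Outlook automation scripts using the Outlook COM object`. The file name `powershell_suspicious_mail_acces.yml` is also missing a letter (`access`), which is worth fixing before the name is referenced elsewhere.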
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 00000000..ab4788f6
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
@@ -0,0 +1,29 @@
+
+title: PowerShell Deleted Mounted Share
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/08
+description: Detects when when a mounted share is removed. Adversaries may remove
+ share connections that are no longer useful in order to clean up traces of their
+ operation
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Remove-SmbShare*'
+ - '*Remove-FileShare*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrators or Power users may remove their shares via cmd line
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.005
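Review bot: The description reads `Detects when when a mounted share is removed`; drop the duplicated word: `description: Detects when a mounted share is removed. Adversaries may remove share connections ...`. More substantively, `Remove-SmbShare` and `Remove-FileShare` remove a share that the local host exports rather than a mapped (mounted) network drive; if the rule is meant to cover mounted shares as the title says, `*Remove-SmbMapping*` would be the matching cmdlet to add, and otherwise the title should say "Share" rather than "Mounted Share".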
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_recon.yml
new file mode 100644
index 00000000..5adff1f6
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_recon.yml
@@ -0,0 +1,31 @@
+
+title: Recon Information for Export with PowerShell
+author: frack113
+date: 2021/07/30
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Get-Service *'
+ - '*Get-ChildItem *'
+ - '*Get-Process *'
+ SELECTION_3:
+ ScriptBlockText: '*> $env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: a9723fcc-881c-424c-8709-fd61442ab3c3
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
new file mode 100644
index 00000000..62dd85f3
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
@@ -0,0 +1,26 @@
+
+title: Powershell Suspicious Win32_PnPEntity
+author: frack113
+date: 2021/08/23
+description: Adversaries may attempt to gather information about attached peripheral
+ devices and components connected to a computer system.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Win32_PnPEntity*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- admin script
+id: b26647de-4feb-4283-af6b-6117661283c5
+level: low
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
+status: experimental
+tags:
+- attack.discovery
+- attack.t1120
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_timestomp.yml b/rules/sigma/windows/powershell/powershell_script/powershell_timestomp.yml
new file mode 100644
index 00000000..6eca8c2b
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_timestomp.yml
@@ -0,0 +1,35 @@
+
+title: Powershell Timestomp
+author: frack113
+date: 2021/08/03
+description: Adversaries may modify file time attributes to hide new or changes to
+ existing files. Timestomping is a technique that modifies the timestamps of a file
+ (the modify, access, create, and change times), often to mimic files that are in
+ the same folder.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*.CreationTime =*'
+ - '*.LastWriteTime =*'
+ - '*.LastAccessTime =*'
+ - '*[IO.File]::SetCreationTime*'
+ - '*[IO.File]::SetLastAccessTime*'
+ - '*[IO.File]::SetLastWriteTime*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitime admin script
+id: c6438007-e081-42ce-9483-b067fbef33c3
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+- https://www.offensive-security.com/metasploit-unleashed/timestomp/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.006
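Review bot: The falsepositives entry `legitime admin script` contains a typo and is inconsistent with the capitalised entries in the sibling rules; write `- Legitimate administrative scripts that set file timestamps`. The three property patterns (`*.CreationTime =*` and the two like it) depend on exactly one space before `=`, so an assignment written without spaces is not matched; adding the no-space variants (`*.CreationTime=*`, etc.) keeps the rule from hinging on formatting.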
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/sigma/windows/powershell/powershell_script/powershell_trigger_profiles.yml
new file mode 100644
index 00000000..dea6fc05
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_trigger_profiles.yml
@@ -0,0 +1,34 @@
+
+title: Powershell Trigger Profiles by Add_Content
+author: frack113
+date: 2021/08/18
+description: Adversaries may gain persistence and elevate privileges by executing
+ malicious content triggered by PowerShell profiles.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Add-Content*'
+ SELECTION_3:
+ ScriptBlockText: '*$profile*'
+ SELECTION_4:
+ ScriptBlockText: '*-Value*'
+ SELECTION_5:
+ ScriptBlockText:
+ - '*Start-Process*'
+ - '*""*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1546.013
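Review bot: SELECTION_5 lists `*""*` as an alternative to `*Start-Process*`; two consecutive double quotes appear in a large share of ordinary scripts (empty strings, escaped quotes), so this alternative makes SELECTION_5 close to always true and the condition effectively reduces to SELECTION_1 through SELECTION_4. If the intent is to catch an empty-string argument it should be anchored to the parameter it qualifies, and otherwise `*""*` should be removed so SELECTION_5 really narrows on `Start-Process`. A one-line note in the description on why `""` is relevant would help the next reviewer.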
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_web_request.yml b/rules/sigma/windows/powershell/powershell_script/powershell_web_request.yml
new file mode 100644
index 00000000..89e01487
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_web_request.yml
@@ -0,0 +1,38 @@
+
+title: Windows PowerShell Web Request
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request methods (including aliases) via
+ Windows PowerShell command
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*Invoke-WebRequest*'
+ - '*iwr *'
+ - '*wget *'
+ - '*curl *'
+ - '*Net.WebClient*'
+ - '*Start-BitsTransfer*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 1139d2e2-84b1-4226-b445-354492eba8ba
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/09/21
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+related:
+- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/sigma/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
new file mode 100644
index 00000000..b3eaa6ba
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
@@ -0,0 +1,33 @@
+
+title: Windows Firewall Profile Disabled
+author: Austin Songer @austinsonger
+date: 2021/10/12
+description: Detects when a user disables the Windows Firewall via a Profile to help
+ evade defense.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*Set-NetFirewallProfile*'
+ SELECTION_3:
+ ScriptBlockText: '*-Profile*'
+ SELECTION_4:
+ ScriptBlockText: '*-Enabled*'
+ SELECTION_5:
+ ScriptBlockText: '*False*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 488b44e7-3781-4a71-888d-c95abfacf44d
+level: high
+logsource:
+ product: windows
+ service: powershell
+references:
+- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
+- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
+- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+- http://woshub.com/manage-windows-firewall-powershell/
+status: experimental
+tags:
+- attack.defense_evasion
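Review bot: This is the only rule in the set whose tags carry no technique ID (`attack.defense_evasion` alone) and whose logsource lacks the `definition: Script block logging must be enabled` line the sibling 4104 rules include; both should be added, with `- attack.t1562.004` if Impair Defenses: Disable or Modify System Firewall is the intended mapping. `*False*` in SELECTION_5 as a free-standing substring matches any script containing the word, so the rule relies entirely on the other four selections co-occurring; anchoring it as `*-Enabled False*` ties the value to the parameter it is meant to qualify.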
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/sigma/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
new file mode 100644
index 00000000..c76c087f
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
@@ -0,0 +1,37 @@
+
+title: Winlogon Helper DLL
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
+ as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
+ entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
+ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
+ additional helper programs and functionalities that support Winlogon. Malicious
+ modifications to these Registry keys may cause Winlogon to load and execute malicious
+ DLLs and/or executables.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*CurrentVersion\Winlogon*'
+ SELECTION_3:
+ ScriptBlockText:
+ - '*Set-ItemProperty*'
+ - '*New-Item*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 851c506b-6b7c-4ce2-8802-c703009d03c0
+level: medium
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2020/12/01
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+status: experimental
+tags:
+- attack.persistence
+- attack.t1547.004
+- attack.t1004
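Review bot: The description's registry path `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\` has lost the separators around the optional Wow6432Node segment and reads as a single malformed key; write it like the HKCU path on the next line, e.g. `HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\`. Separately, `*New-Item*` in SELECTION_3 also matches `New-ItemProperty`, which is probably intended, but worth stating in the description so the substring match is not narrowed later by mistake.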
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/sigma/windows/powershell/powershell_script/powershell_wmi_persistence.yml
new file mode 100644
index 00000000..933759ee
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_wmi_persistence.yml
@@ -0,0 +1,37 @@
+
+title: Powershell WMI Persistence
+author: frack113
+date: 2021/08/19
+description: Adversaries may establish persistence and elevate privileges by executing
+ malicious content triggered by a Windows Management Instrumentation (WMI) event
+ subscription.
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText: '*New-CimInstance *'
+ SELECTION_3:
+ ScriptBlockText: '*-Namespace root/subscription *'
+ SELECTION_4:
+ ScriptBlockText: '*-Property *'
+ SELECTION_5:
+ ScriptBlockText: '*-ClassName __EventFilter *'
+ SELECTION_6:
+ ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Unknown
+id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
+level: medium
+logsource:
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+ service: powershell
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
+- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1546.003
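Review bot: SELECTION_3, `*-Namespace root/subscription *`, only matches the forward-slash spelling of the namespace; `root\subscription` is equally valid for `New-CimInstance` and is the form most documentation uses, so scripts written that way do not trip this rule while still satisfying the other selections. Add a second pattern `- '*-Namespace root\\subscription *'` (the same double-backslash escaping the sibling `$env:TEMP\\` patterns use). The trailing spaces on the `-Namespace` and `-ClassName` patterns likewise miss a value at end of line; whether that matters depends on how the backend tokenises script block text, so it is worth confirming against real 4104 events.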
diff --git a/rules/sigma/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/sigma/windows/powershell/powershell_script/powershell_wmimplant.yml
new file mode 100644
index 00000000..c7503b32
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_script/powershell_wmimplant.yml
@@ -0,0 +1,46 @@
+
+title: WMImplant Hack Tool
+author: NVISO
+date: 2020/03/26
+description: Detects parameters used by WMImplant
+detection:
+ SELECTION_1:
+ EventID: 4104
+ SELECTION_2:
+ ScriptBlockText:
+ - '*WMImplant*'
+ - '* change_user *'
+ - '* gen_cli *'
+ - '* command_exec *'
+ - '* disable_wdigest *'
+ - '* disable_winrm *'
+ - '* enable_wdigest *'
+ - '* enable_winrm *'
+ - '* registry_mod *'
+ - '* remote_posh *'
+ - '* sched_job *'
+ - '* service_mod *'
+ - '* process_kill *'
+ - '* active_users *'
+ - '* basic_info *'
+ - '* power_off *'
+ - '* vacant_system *'
+ - '* logon_events *'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrative scripts that use the same keywords.
+id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
+level: high
+logsource:
+ definition: Script block logging must be enabled
+ product: windows
+ service: powershell
+modified: 2021/08/30
+references:
+- https://github.com/FortyNorthSecurity/WMImplant
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_suspicious_download.yml b/rules/sigma/windows/powershell/powershell_suspicious_download.yml
new file mode 100644
index 00000000..5f437bc0
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_suspicious_download.yml
@@ -0,0 +1,25 @@
+
+title: Suspicious PowerShell Download
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ SELECTION_1:
+ - System.Net.WebClient
+ SELECTION_2:
+ - .DownloadFile(
+ - .DownloadString(
+ condition: (SELECTION_1 and (SELECTION_2))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/21
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
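Review bot: The `logsource` block lacks the `definition:` line that the other powershell-service rules in this changeset carry, and both selections are bare keyword lists with no EventID, so nothing tells a deployer which log (4104 script block versus 4103 module logging) must be enabled before `System.Net.WebClient` and `.DownloadFile(` can ever appear in an event. Adding `definition: Script block logging must be enabled` under `logsource:`, as the WMImplant rule above does, would document that. The generic invocation rule that follows (`powershell_suspicious_invocation_generic.yml`) has the same gap.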
diff --git a/rules/sigma/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/sigma/windows/powershell/powershell_suspicious_invocation_generic.yml
new file mode 100644
index 00000000..f54581ce
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -0,0 +1,30 @@
+
+title: Suspicious PowerShell Invocations - Generic
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ - ' -enc '
+ - ' -EncodedCommand '
+ SELECTION_2:
+ - ' -w hidden '
+ - ' -window hidden '
+ - ' -windowstyle hidden '
+ SELECTION_3:
+ - ' -noni '
+ - ' -noninteractive '
+ condition: ((SELECTION_1) and (SELECTION_2) and (SELECTION_3))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: 3d304fda-78aa-43ed-975c-d740798a49c1
+level: high
+logsource:
+ product: windows
+ service: powershell
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/sigma/windows/powershell/powershell_suspicious_invocation_specific.yml
new file mode 100644
index 00000000..b7cf187e
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -0,0 +1,78 @@
+
+title: Suspicious PowerShell Invocations - Specific
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ - ' -w '
+ SELECTION_10:
+ - bypass
+ SELECTION_11:
+ - -Enc
+ SELECTION_12:
+ - powershell
+ SELECTION_13:
+ - reg
+ SELECTION_14:
+ - add
+ SELECTION_15:
+ - HKCU\software\microsoft\windows\currentversion\run
+ SELECTION_16:
+ - bypass
+ SELECTION_17:
+ - -noprofile
+ SELECTION_18:
+ - -windowstyle
+ SELECTION_19:
+ - hidden
+ SELECTION_2:
+ - hidden
+ SELECTION_20:
+ - new-object
+ SELECTION_21:
+ - system.net.webclient
+ SELECTION_22:
+ - .download
+ SELECTION_23:
+ - iex
+ SELECTION_24:
+ - New-Object
+ SELECTION_25:
+ - Net.WebClient
+ SELECTION_26:
+ - .Download
+ SELECTION_3:
+ - -nop
+ SELECTION_4:
+ - ' -c '
+ SELECTION_5:
+ - '[Convert]::FromBase64String'
+ SELECTION_6:
+ - -noni
+ SELECTION_7:
+ - iex
+ SELECTION_8:
+ - New-Object
+ SELECTION_9:
+ - -ep
+ condition: ((((SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+ ((SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_5)) or (SELECTION_9
+ and SELECTION_10 and SELECTION_11))) or (SELECTION_12 and SELECTION_13 and SELECTION_14
+ and SELECTION_15)) or (SELECTION_16 and SELECTION_17 and SELECTION_18 and SELECTION_19
+ and SELECTION_20 and SELECTION_21 and SELECTION_22)) or (SELECTION_23 and SELECTION_24
+ and SELECTION_25 and SELECTION_26))
+falsepositives:
+- Penetration tests
+id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+level: high
+logsource:
+ definition: Script block logging must be enabled for 4104, Module Logging must be
+ enabled for 4103
+ product: windows
+ service: powershell
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
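Review bot: The detection defines the same keyword several times under different names — `hidden` as SELECTION_2 and SELECTION_19, `bypass` as SELECTION_10 and SELECTION_16, `iex` as SELECTION_7 and SELECTION_23, `New-Object` as SELECTION_8 and SELECTION_24 — which is what pushes the condition to six wrapped lines. Reusing one selection per keyword keeps the logic identical and makes the OR-branches readable. Also, the single-token keywords `reg` and `add` (SELECTION_13/14) match as substrings of any word in the message, so that branch relies entirely on SELECTION_15 for precision; if that is intended, a short comment above SELECTION_13 saying so would spare the next maintainer from "fixing" it.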
diff --git a/rules/sigma/windows/powershell/powershell_syncappvpublishingserver_exe.yml b/rules/sigma/windows/powershell/powershell_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..52059627
--- /dev/null
+++ b/rules/sigma/windows/powershell/powershell_syncappvpublishingserver_exe.yml
@@ -0,0 +1,24 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ condition: SyncAppvPublishingServer.exe
+falsepositives:
+- App-V clients
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: derived
+tags:
+- attack.defense_evasion
+- attack.t1218
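Review bot: `condition: SyncAppvPublishingServer.exe` names an identifier that no selection under `detection:` defines, so the rule carries no matching logic at all and will either fail to load or match nothing, depending on the backend. The keyword-list form used elsewhere in this changeset would restore the intent, e.g. `SELECTION_1:` / `- '*SyncAppvPublishingServer.exe*'` / `condition: SELECTION_1`; which field the upstream rule matched on (script block text or something else) should be confirmed before merging, since the converter evidently dropped it.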
diff --git a/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml b/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml
new file mode 100644
index 00000000..2e1b415e
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml
@@ -0,0 +1,37 @@
+
+title: CMSTP Execution Process Access
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*cmlua.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001
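Review bot: The `fields:` list names `CommandLine`, `ParentCommandLine` and `Details`, which are not fields of the Sysmon EventID 10 process-access event this rule matches on; the other process_access rules in this changeset list `SourceImage`, `TargetImage` and `CallTrace`, which is what an analyst needs to triage a `*cmlua.dll*` hit. Consider `fields:` / `- SourceImage` / `- TargetImage` / `- CallTrace`. The `.yml.yml` copy of this rule has the same list.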
diff --git a/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml.yml b/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml.yml
new file mode 100644
index 00000000..2e1b415e
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cmstp_execution_by_access.yml.yml
@@ -0,0 +1,37 @@
+
+title: CMSTP Execution Process Access
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*cmlua.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001
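Review bot: This file duplicates `sysmon_cmstp_execution_by_access.yml` under a doubled `.yml.yml` extension with identical content (same index hash 2e1b415e) and the same `id: 3b4b232a-af90-427c-a22f-30b0c0837b95`, which looks like an accidental second run of the converter. The same pattern repeats for cobaltstrike_bof_injection_pattern, cred_dump_lsass_access, direct_syscall_ntopenprocess, in_memory_assembly_execution, invoke_phantom, lazagne_cred_dump_lsass_access, littlecorporal_generated_maldoc, load_undocumented_autoelevated_com_interface and lsass_dump_comsvcs_dll, and in four of those (cobaltstrike, cred_dump, in_memory, invoke_phantom) the two copies differ in how selections are split while still sharing one rule id. Loading both registers duplicate ids and, where they differ, two conflicting versions of the same detection; one copy of each should be dropped.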
diff --git a/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
new file mode 100644
index 00000000..0aaa09de
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml
@@ -0,0 +1,32 @@
+
+title: CobaltStrike BOF Injection Pattern
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+ processes
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+ SELECTION_3:
+ GrantedAccess:
+ - '0x1028'
+ - '0x1fffff'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001
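Review bot: The `CallTrace|re:` value on the SELECTION_2 line is an unquoted plain scalar carrying a regex with `^`, `$`, `\|`, `{4,6}` and quadrupled backslashes; it happens to parse today, but any edit that introduces `: ` or ` #` would silently truncate it, so it should be single-quoted. More importantly, `C:\\\\Windows` in a regex matches two literal backslashes, whereas the wildcard rules in this changeset write one path separator as `\\` (e.g. `'*C:\\Windows\\SYSTEM32\\ntdll.dll+*'`); unless the consuming backend unescapes the pattern once before compiling it, this regex never matches a real CallTrace, so a sample event should be run through it before merging. The `.yml.yml` copy carries the same regex.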
diff --git a/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml.yml b/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml.yml
new file mode 100644
index 00000000..87b32a79
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml.yml
@@ -0,0 +1,32 @@
+
+title: CobaltStrike BOF Injection Pattern
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+ processes
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+ SELECTION_3:
+ GrantedAccess: '0x1028'
+ SELECTION_4:
+ GrantedAccess: '0x1fffff'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001
diff --git a/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml
new file mode 100644
index 00000000..dc437516
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -0,0 +1,65 @@
+
+title: Credentials Dumping Tools Accessing LSASS Memory
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+ Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+ (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+ dumping tools
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess:
+ - '*0x40*'
+ - '*0x1000*'
+ - '*0x1400*'
+ - '*0x100000*'
+ - '*0x1410*'
+ - '*0x1010*'
+ - '*0x1438*'
+ - '*0x143a*'
+ - '*0x1418*'
+ - '*0x1f0fff*'
+ - '*0x1f1fff*'
+ - '*0x1f2fff*'
+ - '*0x1f3fff*'
+ SELECTION_4:
+ ProcessName:
+ - '*\wmiprvse.exe'
+ - '*\taskmgr.exe'
+ - '*\procexp64.exe'
+ - '*\procexp.exe'
+ - '*\lsm.exe'
+ - '*\MsMpEng.exe'
+ - '*\csrss.exe'
+ - '*\wininit.exe'
+ - '*\vmtoolsd.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+ with it
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/05/16
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004
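Review bot: The exclusion in SELECTION_4 filters on `ProcessName`, but the selection it whitelists is keyed on Sysmon EventID 10, where the accessing process is carried in `SourceImage` (this rule's own `fields:` list names SourceImage, and every other process_access rule in this changeset matches the source process via SourceImage). If the backend does not map ProcessName onto SourceImage for EventID 10, the `not (SELECTION_4)` clause never excludes anything and taskmgr, MsMpEng, csrss and the rest will alert at level high. Please confirm the field mapping or change the filter to `SourceImage:` with the same patterns; the `.yml.yml` copy uses the same filter field.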
diff --git a/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml.yml b/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml.yml
new file mode 100644
index 00000000..7369cfa6
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_cred_dump_lsass_access.yml.yml
@@ -0,0 +1,92 @@
+
+title: Credentials Dumping Tools Accessing LSASS Memory
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+ Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+ (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+ dumping tools
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_10:
+ GrantedAccess: '*0x1438*'
+ SELECTION_11:
+ GrantedAccess: '*0x143a*'
+ SELECTION_12:
+ GrantedAccess: '*0x1418*'
+ SELECTION_13:
+ GrantedAccess: '*0x1f0fff*'
+ SELECTION_14:
+ GrantedAccess: '*0x1f1fff*'
+ SELECTION_15:
+ GrantedAccess: '*0x1f2fff*'
+ SELECTION_16:
+ GrantedAccess: '*0x1f3fff*'
+ SELECTION_17:
+ EventID: 10
+ SELECTION_18:
+ ProcessName: '*\wmiprvse.exe'
+ SELECTION_19:
+ ProcessName: '*\taskmgr.exe'
+ SELECTION_2:
+ EventID: 10
+ SELECTION_20:
+ ProcessName: '*\procexp64.exe'
+ SELECTION_21:
+ ProcessName: '*\procexp.exe'
+ SELECTION_22:
+ ProcessName: '*\lsm.exe'
+ SELECTION_23:
+ ProcessName: '*\MsMpEng.exe'
+ SELECTION_24:
+ ProcessName: '*\csrss.exe'
+ SELECTION_25:
+ ProcessName: '*\wininit.exe'
+ SELECTION_26:
+ ProcessName: '*\vmtoolsd.exe'
+ SELECTION_3:
+ TargetImage: '*\lsass.exe'
+ SELECTION_4:
+ GrantedAccess: '*0x40*'
+ SELECTION_5:
+ GrantedAccess: '*0x1000*'
+ SELECTION_6:
+ GrantedAccess: '*0x1400*'
+ SELECTION_7:
+ GrantedAccess: '*0x100000*'
+ SELECTION_8:
+ GrantedAccess: '*0x1410*'
+ SELECTION_9:
+ GrantedAccess: '*0x1010*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or
+ SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or
+ SELECTION_16)) and not ((SELECTION_17 and (SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+ or SELECTION_26))))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+ with it
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/05/16
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004
diff --git a/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml
new file mode 100644
index 00000000..00bce1d0
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml
@@ -0,0 +1,25 @@
+
+title: Direct Syscall of NtOpenProcess
+author: Christian Burkard
+date: 2021/07/28
+description: Detects the usage of the direct syscall of NtOpenProcess which might
+ be done from a CobaltStrike BOF.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: UNKNOWN*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
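Review bot: `CallTrace: UNKNOWN*` on the SELECTION_2 line is a plain (unquoted) scalar whose trailing wildcard is only safe because it is not the first character; every other CallTrace pattern in this changeset is single-quoted, so write `CallTrace: 'UNKNOWN*'` for consistency and to survive later edits. Since this is a level `critical` rule with `falsepositives: unknown`, a sentence in the description explaining why a prefix match (stack starting in an unresolved module) rather than the broader `'*UNKNOWN*'` substring is intended would help tuners distinguish it from the in-memory module rule below.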
diff --git a/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml.yml b/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml.yml
new file mode 100644
index 00000000..00bce1d0
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_direct_syscall_ntopenprocess.yml.yml
@@ -0,0 +1,25 @@
+
+title: Direct Syscall of NtOpenProcess
+author: Christian Burkard
+date: 2021/07/28
+description: Detects the usage of the direct syscall of NtOpenProcess which might
+ be done from a CobaltStrike BOF.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: UNKNOWN*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
diff --git a/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml
new file mode 100644
index 00000000..cf9e8515
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -0,0 +1,76 @@
+
+title: Suspicious In-Memory Module Execution
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+ reflectively loaded libraries in their memory space. An example is SilentTrinity
+ C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+ call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+ the module name. Usually this means the stack call points to a module that was reflectively
+ loaded in memory. Adding to this, it is not common to see such few calls in the
+ stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most
+ of the functions required by the process to execute certain routines are already
+ present in memory, not requiring any calls to external libraries. The latter should
+ also be considered suspicious.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_10:
+ EventID: 10
+ SELECTION_11:
+ CallTrace: '*UNKNOWN*'
+ SELECTION_12:
+ GrantedAccess:
+ - '0x1F0FFF'
+ - '0x1F1FFF'
+ - '0x143A'
+ - '0x1410'
+ - '0x1010'
+ - '0x1F2FFF'
+ - '0x1F3FFF'
+ - '0x1FFFFF'
+ SELECTION_13:
+ SourceImage:
+ - '*\Windows\System32\sdiagnhost.exe'
+ SELECTION_2:
+ EventID: 10
+ SELECTION_3:
+ CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_6:
+ CallTrace: '*)*'
+ SELECTION_7:
+ CallTrace: '*UNKNOWN(*'
+ SELECTION_8:
+ CallTrace: '*)|UNKNOWN(*'
+ SELECTION_9:
+ CallTrace: '*)'
+ condition: (SELECTION_1 and ((SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)))
+ or ((SELECTION_10 and SELECTION_11 and SELECTION_12) and not (SELECTION_13))))
+falsepositives:
+- Low
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/05/16
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055
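Review bot: The GrantedAccess values in SELECTION_12 are written in upper-case hex (`'0x1F0FFF'`, `'0x143A'`) while the LSASS and Invoke-Phantom rules in this changeset use lower-case (`'*0x1f0fff*'`, `'0x1f3fff'`); if the backend compares these as case-sensitive strings only one spelling can match what Sysmon emits, so the casing should be made consistent or case-insensitive matching confirmed. Separately, SELECTION_1, SELECTION_2 and SELECTION_10 are three copies of `EventID: 10`; collapsing them to one selection keeps the logic identical and shortens the three-line condition. The `.yml.yml` copy has the same casing.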
diff --git a/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml.yml b/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml.yml
new file mode 100644
index 00000000..7c4c0ae9
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_in_memory_assembly_execution.yml.yml
@@ -0,0 +1,83 @@
+
+title: Suspicious In-Memory Module Execution
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+ reflectively loaded libraries in their memory space. An example is SilentTrinity
+ C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+ call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+ the module name. Usually this means the stack call points to a module that was reflectively
+ loaded in memory. Adding to this, it is not common to see such few calls in the
+ stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most
+ of the functions required by the process to execute certain routines are already
+ present in memory, not requiring any calls to external libraries. The latter should
+ also be considered suspicious.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_10:
+ CallTrace: '*UNKNOWN*'
+ SELECTION_11:
+ GrantedAccess: '0x1F0FFF'
+ SELECTION_12:
+ GrantedAccess: '0x1F1FFF'
+ SELECTION_13:
+ GrantedAccess: '0x143A'
+ SELECTION_14:
+ GrantedAccess: '0x1410'
+ SELECTION_15:
+ GrantedAccess: '0x1010'
+ SELECTION_16:
+ GrantedAccess: '0x1F2FFF'
+ SELECTION_17:
+ GrantedAccess: '0x1F3FFF'
+ SELECTION_18:
+ GrantedAccess: '0x1FFFFF'
+ SELECTION_19:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+ SELECTION_20:
+ SourceImage: '*\Windows\System32\sdiagnhost.exe'
+ SELECTION_3:
+ CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+ SELECTION_4:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_5:
+ CallTrace: '*)*'
+ SELECTION_6:
+ CallTrace: '*UNKNOWN(*'
+ SELECTION_7:
+ CallTrace: '*)|UNKNOWN(*'
+ SELECTION_8:
+ CallTrace: '*)'
+ SELECTION_9:
+ EventID: 10
+ condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9 and SELECTION_10
+ and (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18)) and not ((SELECTION_19 and
+ SELECTION_20)))))
+falsepositives:
+- Low
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/05/16
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055
diff --git a/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml b/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml
new file mode 100644
index 00000000..359a6225
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml
@@ -0,0 +1,33 @@
+
+title: Suspect Svchost Memory Asccess
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+ Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\windows\system32\svchost.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1f3fff'
+ SELECTION_4:
+ CallTrace:
+ - '*unknown*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2020/08/24
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089
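Review bot: The title `Suspect Svchost Memory Asccess` carries a typo and should read `Suspect Svchost Memory Access`. Also, SELECTION_4 matches `'*unknown*'` in lower case, whereas the in-memory module rule in this changeset states that Sysmon renders an unresolved module as `UNKNOWN` and matches `'*UNKNOWN*'`; on a case-sensitive backend this selection never fires and the whole AND condition fails. Use `CallTrace: '*UNKNOWN*'` unless case-insensitive matching is guaranteed. The `.yml.yml` copy has the same typo and casing.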
diff --git a/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml.yml b/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml.yml
new file mode 100644
index 00000000..79196691
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_invoke_phantom.yml.yml
@@ -0,0 +1,32 @@
+
+title: Suspect Svchost Memory Asccess
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+ Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\windows\system32\svchost.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1f3fff'
+ SELECTION_4:
+ CallTrace: '*unknown*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2020/08/24
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089
diff --git a/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
new file mode 100644
index 00000000..c7344327
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -0,0 +1,36 @@
+
+title: Credential Dumping by LaZagne
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*_ctypes.pyd+*'
+ SELECTION_6:
+ CallTrace: '*python27.dll+*'
+ SELECTION_7:
+ GrantedAccess: '0x1FFFFF'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349
diff --git a/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml.yml b/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml.yml
new file mode 100644
index 00000000..c7344327
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml.yml
@@ -0,0 +1,36 @@
+
+title: Credential Dumping by LaZagne
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*_ctypes.pyd+*'
+ SELECTION_6:
+ CallTrace: '*python27.dll+*'
+ SELECTION_7:
+ GrantedAccess: '0x1FFFFF'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349
diff --git a/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml b/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml
new file mode 100644
index 00000000..70671a30
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml
@@ -0,0 +1,29 @@
+
+title: LittleCorporal Generated Maldoc Injection
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ SourceImage: '*winword.exe'
+ SELECTION_3:
+ CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+ SELECTION_4:
+ CallTrace: '*UNKNOWN*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003
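Review bot: `SourceImage: '*winword.exe'` in SELECTION_2 has no path separator before the image name, so it also matches any image whose name merely ends in `winword.exe`; the other image patterns in this changeset anchor on the separator (`'*\lsass.exe'`), and `'*\winword.exe'` would do the same here. Also, SELECTION_3 writes the CallTrace path with single backslashes (`'*:\Windows\Microsoft.NET\Framework64\v2.*'`) while the other CallTrace wildcards in this changeset double them (`'*C:\\Windows\\SYSTEM32\\ntdll.dll+*'`); one convention should be chosen so the converter escapes both the same way. The `.yml.yml` copy has the same patterns.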
diff --git a/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml.yml b/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml.yml
new file mode 100644
index 00000000..70671a30
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_littlecorporal_generated_maldoc.yml.yml
@@ -0,0 +1,29 @@
+
+title: LittleCorporal Generated Maldoc Injection
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ SourceImage: '*winword.exe'
+ SELECTION_3:
+ CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+ SELECTION_4:
+ CallTrace: '*UNKNOWN*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003
diff --git a/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
new file mode 100644
index 00000000..5bc48ff5
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
@@ -0,0 +1,32 @@
+
+title: Load Undocumented Autoelevated COM Interface
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*editionupgrademanagerobj.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
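Review bot: The description is a sentence fragment that names the interface but never says what the rule detects, unlike every other description in this changeset. Something like `Detects a process access whose call trace passes through editionupgrademanagerobj.dll, the undocumented auto-elevated COM interface (EditionUpgradeManager) that is not used by standard executables.` would match the selection on CallTrace and the siblings' style. The `.yml.yml` copy has the same description.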
diff --git a/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml.yml b/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml.yml
new file mode 100644
index 00000000..5bc48ff5
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml.yml
@@ -0,0 +1,32 @@
+
+title: Load Undocumented Autoelevated COM Interface
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*editionupgrademanagerobj.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
new file mode 100644
index 00000000..1797721a
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
@@ -0,0 +1,31 @@
+
+title: Lsass Memory Dump via Comsvcs DLL
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+ via rundll32 to perform a memory dump from lsass.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\System32\rundll32.exe
+ SELECTION_4:
+ CallTrace: '*comsvcs.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
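Review bot: `SourceImage: C:\Windows\System32\rundll32.exe` in SELECTION_3 is an exact-path match, so the rule only covers the 64-bit rundll32 on a `C:` system drive, while the other rules in this set use a suffix wildcard for the same purpose (`'*\lsass.exe'`, `'*\wsmprovhost.exe'`). Unless the exact path was chosen deliberately, `SourceImage: '*\rundll32.exe'` would be consistent with them and leave the comsvcs `CallTrace` match as the discriminating condition. Whether the comparison is case-sensitive depends on the backend, which is another reason to avoid a fully spelled path.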
diff --git a/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml.yml b/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml.yml
new file mode 100644
index 00000000..1797721a
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml.yml
@@ -0,0 +1,31 @@
+
+title: Lsass Memory Dump via Comsvcs DLL
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+ via rundll32 to perform a memory dump from lsass.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\System32\rundll32.exe
+ SELECTION_4:
+ CallTrace: '*comsvcs.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
diff --git a/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml b/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml
new file mode 100644
index 00000000..0d7e7e72
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml
@@ -0,0 +1,34 @@
+
+title: LSASS Memory Dump
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+ the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1fffff'
+ SELECTION_4:
+ CallTrace:
+ - '*dbghelp.dll*'
+ - '*dbgcore.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
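Review bot: `GrantedAccess: '0x1fffff'` is lowercase here while the verclsid and pypykatz rules in the same commit spell it `'0x1FFFFF'`; whether that matters depends on whether the backend compares case-sensitively, so the set should settle on one spelling, with the Sysmon event text as the reference. The tags also list both `attack.t1003` and its sub-technique `attack.t1003.001`; the parent is implied by the sub-technique, and the same redundancy appears in the WinRM/mimikatz rule and in the Wocao rule (`t1036`/`t1036.004`, `t1053`/`t1053.005`).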
diff --git a/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml.yml b/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml.yml
new file mode 100644
index 00000000..4a894a4c
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_lsass_memdump.yml.yml
@@ -0,0 +1,37 @@
+
+title: LSASS Memory Dump
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+ the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ EventID: 10
+ SELECTION_3:
+ TargetImage: '*\lsass.exe'
+ SELECTION_4:
+ GrantedAccess: '0x1fffff'
+ SELECTION_5:
+ CallTrace: '*dbghelp.dll*'
+ SELECTION_6:
+ CallTrace: '*dbgcore.dll*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
diff --git a/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml
new file mode 100644
index 00000000..3ad5ee8f
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -0,0 +1,40 @@
+
+title: Malware Shellcode in Verclsid Target Process
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+ a Microsoft Office application / VBA macro
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\verclsid.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1FFFFF'
+ SELECTION_4:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_5:
+ CallTrace: '*VBE7.DLL*'
+ SELECTION_6:
+ SourceImage: '*\Microsoft Office\\*'
+ SELECTION_7:
+ CallTrace: '*|UNKNOWN*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+ category: process_access
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
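Review bot: The `logsource.definition` value ends in `Process Access events: VBE7.DLLUNKNOWN`, which looks like a Sysmon XML configuration snippet whose tags were stripped during conversion, leaving only the element text run together. As written it cannot help anyone reproduce the required Event ID 10 configuration; restore the original snippet as a `|` block scalar, or reduce the field to a plain sentence such as `definition: 'Requires Sysmon ProcessAccess (Event ID 10) logging that includes CallTrace entries for VBE7.DLL and UNKNOWN modules.'` — presumably that is what the filter expressed, but confirm against the source rule.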
diff --git a/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml.yml b/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml.yml
new file mode 100644
index 00000000..ab1541cb
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_malware_verclsid_shellcode.yml.yml
@@ -0,0 +1,42 @@
+
+title: Malware Shellcode in Verclsid Target Process
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+ a Microsoft Office application / VBA macro
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ EventID: 10
+ SELECTION_3:
+ TargetImage: '*\verclsid.exe'
+ SELECTION_4:
+ GrantedAccess: '0x1FFFFF'
+ SELECTION_5:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_6:
+ CallTrace: '*VBE7.DLL*'
+ SELECTION_7:
+ SourceImage: '*\Microsoft Office\\*'
+ SELECTION_8:
+ CallTrace: '*|UNKNOWN*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and ((SELECTION_5
+ and SELECTION_6) or (SELECTION_7 and SELECTION_8)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+ category: process_access
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
diff --git a/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml
new file mode 100644
index 00000000..7a508673
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -0,0 +1,36 @@
+
+title: Mimikatz through Windows Remote Management
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+ to lsass process by wsmprovhost.exe.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\system32\wsmprovhost.exe
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002
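Review bot: `falsepositives: - low` is a likelihood, not a false-positive scenario; the field is meant to name the benign activity that could trigger the rule, e.g. `- Legitimate remote administration over WinRM that touches LSASS`. The tag list pairs deprecated ATT&CK ids with their replacements (`attack.t1086` with `attack.t1059.001`, `attack.t1028` with `attack.t1021.006`); the same happens with `attack.t1077` in the Turla rule and `attack.t1086` in the Wocao rule, and the retired ids can go. `SourceImage: C:\Windows\system32\wsmprovhost.exe` is again an exact path, here with lowercase `system32` where the rest of the commit writes `System32`, so a case-sensitive backend may never match it; `'*\wsmprovhost.exe'` avoids both problems.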
diff --git a/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml.yml b/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml.yml
new file mode 100644
index 00000000..7a508673
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_mimikatz_trough_winrm.yml.yml
@@ -0,0 +1,36 @@
+
+title: Mimikatz through Windows Remote Management
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+ to lsass process by wsmprovhost.exe.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\system32\wsmprovhost.exe
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002
diff --git a/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml
new file mode 100644
index 00000000..0b85033c
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml
@@ -0,0 +1,37 @@
+
+title: Credential Dumping by Pypykatz
+author: Bhabesh Raj
+date: 2021/08/03
+description: Detects LSASS process access by pypykatz for credential dumping.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*libffi-7.dll*'
+ SELECTION_6:
+ CallTrace: '*_ctypes.pyd+*'
+ SELECTION_7:
+ CallTrace: '*python3*.dll+*'
+ SELECTION_8:
+ GrantedAccess: '0x1FFFFF'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7 and SELECTION_8)
+falsepositives:
+- Unknown
+id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/skelsec/pypykatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
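Review bot: SELECTION_3 and SELECTION_4 spell the system directory differently (`C:\Windows\SYSTEM32\ntdll.dll` versus `C:\Windows\System32\KERNELBASE.dll`); on a case-sensitive backend one of the two cannot match the same CallTrace string, and because the condition ANDs all eight selections the whole rule then goes silent. Unify the spelling to whatever the Sysmon event actually contains so the two selections cannot disagree. `'*libffi-7.dll*'` also pins one libffi build; that is fine for a high-confidence signature, but a short remark in `description` would tell a future maintainer why a different library version stops matching.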
diff --git a/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml.yml b/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml.yml
new file mode 100644
index 00000000..0b85033c
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml.yml
@@ -0,0 +1,37 @@
+
+title: Credential Dumping by Pypykatz
+author: Bhabesh Raj
+date: 2021/08/03
+description: Detects LSASS process access by pypykatz for credential dumping.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*libffi-7.dll*'
+ SELECTION_6:
+ CallTrace: '*_ctypes.pyd+*'
+ SELECTION_7:
+ CallTrace: '*python3*.dll+*'
+ SELECTION_8:
+ GrantedAccess: '0x1FFFFF'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7 and SELECTION_8)
+falsepositives:
+- Unknown
+id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/skelsec/pypykatz
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
diff --git a/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml b/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml
new file mode 100644
index 00000000..e3be6658
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml
@@ -0,0 +1,27 @@
+
+title: SVCHOST Credential Dump
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+ to dump credentials
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\svchost.exe'
+ SELECTION_3:
+ GrantedAccess: '0x143a'
+ SELECTION_4:
+ SourceImage:
+ - '*\services.exe'
+ - '*\msiexec.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+ category: process_access
+ product: windows
+tags:
+- attack.t1548
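Review bot: The only tag, `attack.t1548` (Abuse Elevation Control Mechanism), does not match what the description and detection do — memory access to svchost for credential theft — so `attack.credential_access` / `attack.t1003` would be the fitting classification. The rule also lacks the `status` and `references` keys every other rule in this batch carries (the Slingshot rule likewise has no `status`). `falsepositives` has a typo (`exectubale` → `executable`) and would read better as a scenario, e.g. `- Not yet identified legitimate executables accessing svchost with GrantedAccess 0x143a`.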
diff --git a/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml.yml b/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml.yml
new file mode 100644
index 00000000..e7268d26
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_svchost_cred_dump.yml.yml
@@ -0,0 +1,32 @@
+
+title: SVCHOST Credential Dump
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+ to dump credentials
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ EventID: 10
+ SELECTION_3:
+ TargetImage: '*\svchost.exe'
+ SELECTION_4:
+ GrantedAccess: '0x143a'
+ SELECTION_5:
+ EventID: 10
+ SELECTION_6:
+ SourceImage: '*\services.exe'
+ SELECTION_7:
+ SourceImage: '*\msiexec.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ ((SELECTION_5 and (SELECTION_6 or SELECTION_7))))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+ category: process_access
+ product: windows
+tags:
+- attack.t1548
diff --git a/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml b/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml
new file mode 100644
index 00000000..95c8faa9
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml
@@ -0,0 +1,30 @@
+
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+ 30)
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ SourceImage: '*:\Windows\SysWOW64\\*'
+ SELECTION_3:
+ GrantedAccess: '0x1fffff'
+ SELECTION_4:
+ CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
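Review bot: The `CallTrace` value `UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*` is the only CallTrace pattern in this commit written as a plain unquoted scalar; the other rules single-quote theirs. It parses today because the value starts with a letter, but a value containing `|`, `(` and `*` is fragile under tooling that re-emits or lints the file, so `CallTrace: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*'` is both safer and consistent with the rest of the set.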
diff --git a/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml.yml b/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml.yml
new file mode 100644
index 00000000..95c8faa9
--- /dev/null
+++ b/rules/sigma/windows/process_access/sysmon_uac_bypass_wow64_logger.yml.yml
@@ -0,0 +1,30 @@
+
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+ 30)
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ SourceImage: '*:\Windows\SysWOW64\\*'
+ SELECTION_3:
+ GrantedAccess: '0x1fffff'
+ SELECTION_4:
+ CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml
new file mode 100644
index 00000000..1be3400d
--- /dev/null
+++ b/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml
@@ -0,0 +1,35 @@
+
+title: Suspicious Shells Spawn by WinRM
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+description: Detects suspicious shell spawn from WinRM host process
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\wsmprovhost.exe'
+ SELECTION_3:
+ Image:
+ - '*\cmd.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\powershell.exe'
+ - '*\schtasks.exe'
+ - '*\certutil.exe'
+ - '*\whoami.exe'
+ - '*\bitsadmin.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate WinRM usage
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/22
+status: experimental
+tags:
+- attack.t1190
+- attack.initial_access
+- attack.persistence
+- attack.privilege_escalation
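Review bot: The file lives under `rules/sigma/windows/process_access/` but its `logsource.category` is `process_creation` with `EventID: 1`, and its name starts with `win_` rather than the `sysmon_` prefix of its neighbours; it appears to have landed in the wrong directory and belongs with the `process_creation` rules. The tags (`attack.t1190`, `attack.initial_access`, `attack.persistence`, `attack.privilege_escalation`) also do not describe a shell spawned by `wsmprovhost.exe`; `attack.lateral_movement` with `attack.t1021.006` would fit the detection, unless the author intentionally kept the tags of the incident the rule was derived from.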
diff --git a/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml.yml b/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml.yml
new file mode 100644
index 00000000..81d9da08
--- /dev/null
+++ b/rules/sigma/windows/process_access/win_susp_shell_spawn_from_winrm.yml.yml
@@ -0,0 +1,42 @@
+
+title: Suspicious Shells Spawn by WinRM
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+description: Detects suspicious shell spawn from WinRM host process
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ Image: '*\bitsadmin.exe'
+ SELECTION_2:
+ ParentImage: '*\wsmprovhost.exe'
+ SELECTION_3:
+ Image: '*\cmd.exe'
+ SELECTION_4:
+ Image: '*\sh.exe'
+ SELECTION_5:
+ Image: '*\bash.exe'
+ SELECTION_6:
+ Image: '*\powershell.exe'
+ SELECTION_7:
+ Image: '*\schtasks.exe'
+ SELECTION_8:
+ Image: '*\certutil.exe'
+ SELECTION_9:
+ Image: '*\whoami.exe'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10))
+falsepositives:
+- Legitimate WinRM usage
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/22
+status: experimental
+tags:
+- attack.t1190
+- attack.initial_access
+- attack.persistence
+- attack.privilege_escalation
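Review bot: The selection keys were sorted as strings, so `SELECTION_10` sits between `SELECTION_1` and `SELECTION_2` while the condition reads them in numeric order; a reader has to jump around the mapping to follow `(SELECTION_3 or ... or SELECTION_10)`. The same happens in the alternate-data-streams rule, where `SELECTION_10`–`SELECTION_14` precede `SELECTION_2`. Zero-padding the generated names (`SELECTION_01`, `SELECTION_02`, …) or emitting them in condition order would keep key order and condition order aligned.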
diff --git a/rules/sigma/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/sigma/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
new file mode 100644
index 00000000..4ed438a4
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
@@ -0,0 +1,37 @@
+
+title: Abusing Windows Telemetry For Persistence
+author: Sreeman
+date: 2020/09/29
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
+ a variety of commands and perform the actual telemetry collections. This binary
+ was created to be easily extensible, and to that end, it relies on the registry
+ to instruct on which commands to run. The problem is, it will run any arbitrary
+ command without restriction of location or type.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine|re: (?i).*schtasks.*(-|/)r.*\\\\Application Experience\\\\Microsoft
+ Compatibility Appraiser.*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- none
+fields:
+- EventID
+- CommandLine
+- TargetObject
+- Details
+id: f548a603-c9f2-4c89-b511-b089f7e94549
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.persistence
+- attack.t1112
+- attack.t1053
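Review bot: The `CommandLine|re` value is a plain scalar, so each `\\\\` before `Application Experience` and `Microsoft Compatibility Appraiser` reaches the regex engine as four backslashes, i.e. a requirement for two literal backslashes in the command line; the real task path (`\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser`) has single separators, so unless the backend unescapes the pattern again the rule may never match — verify against a sample event and, if confirmed, halve the backslashes. The regex is also folded across two lines unquoted; keeping it on one line in single quotes makes the intended string unambiguous. `falsepositives: - none` is a strong claim for a pattern that matches any `schtasks` run of this task; `- Unknown` or a concrete scenario is the convention used elsewhere in this set.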
diff --git a/rules/sigma/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/sigma/windows/process_creation/process_creation_advanced_ip_scanner.yml
new file mode 100644
index 00000000..cbe02627
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_advanced_ip_scanner.yml
@@ -0,0 +1,30 @@
+
+title: Advanced IP Scanner
+author: '@ROxPinTeddy'
+date: 2020/05/12
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
+ ransomware groups.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\advanced_ip_scanner*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative use
+id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+status: experimental
+tags:
+- attack.discovery
+- attack.t1046
diff --git a/rules/sigma/windows/process_creation/process_creation_alternate_data_streams.yml b/rules/sigma/windows/process_creation/process_creation_alternate_data_streams.yml
new file mode 100644
index 00000000..77dcc021
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_alternate_data_streams.yml
@@ -0,0 +1,51 @@
+
+title: Execute From Alternate Data Streams
+author: frack113
+date: 2021/09/01
+description: Adversaries may use NTFS file attributes to hide their malicious data
+ in order to evade detection
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '* /E *'
+ SELECTION_11:
+ CommandLine: '*esentutl *'
+ SELECTION_12:
+ CommandLine: '* /y *'
+ SELECTION_13:
+ CommandLine: '* /d *'
+ SELECTION_14:
+ CommandLine: '* /o *'
+ SELECTION_2:
+ CommandLine: '*txt:*'
+ SELECTION_3:
+ CommandLine: '*type *'
+ SELECTION_4:
+ CommandLine: '* > *'
+ SELECTION_5:
+ CommandLine: '*makecab *'
+ SELECTION_6:
+ CommandLine: '*.cab*'
+ SELECTION_7:
+ CommandLine: '*reg *'
+ SELECTION_8:
+ CommandLine: '* export *'
+ SELECTION_9:
+ CommandLine: '*regedit *'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
+ or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)))
+falsepositives:
+- Unknown
+id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_gallium.yml b/rules/sigma/windows/process_creation/process_creation_apt_gallium.yml
new file mode 100644
index 00000000..26b228dc
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_gallium.yml
@@ -0,0 +1,35 @@
+
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ sha1:
+ - e570585edc69f9074cb5e8a790708336bd45ca0f
+ SELECTION_3:
+ Image:
+ - '*:\Program Files(x86)\\*'
+ - '*:\Program Files\\*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 18739897-21b1-41da-8ee4-5b786915a676
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+related:
+- id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
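Review bot: The exclusion `'*:\Program Files(x86)\\*'` in SELECTION_3 is missing the space in the actual directory name, `Program Files (x86)`, so that pattern cannot match and 32-bit program locations are not excluded as intended; it should read `'*:\Program Files (x86)\\*'`. The second entry, `'*:\Program Files\\*'`, still covers the 64-bit folder, so the defect shows up only as a silent behaviour difference between the two directories rather than as an error, which is why it is easy to miss.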
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_gallium_sha1.yml b/rules/sigma/windows/process_creation/process_creation_apt_gallium_sha1.yml
new file mode 100644
index 00000000..e8b2636e
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_gallium_sha1.yml
@@ -0,0 +1,46 @@
+
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ sha1:
+ - 53a44c2396d15c3a03723fa5e5db54cafd527635
+ - 9c5e496921e3bc882dc40694f1dcc3746a75db19
+ - aeb573accfd95758550cf30bf04f389a92922844
+ - 79ef78a797403a4ed1a616c68e07fff868a8650a
+ - 4f6f38b4cec35e895d91c052b1f5a83d665c2196
+ - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
+ - e841a63e47361a572db9a7334af459ddca11347a
+ - c28f606df28a9bc8df75a4d5e5837fc5522dd34d
+ - 2e94b305d6812a9f96e6781c888e48c7fb157b6b
+ - dd44133716b8a241957b912fa6a02efde3ce3025
+ - 8793bf166cb89eb55f0593404e4e933ab605e803
+ - a39b57032dbb2335499a51e13470a7cd5d86b138
+ - 41cc2b15c662bc001c0eb92f6cc222934f0beeea
+ - d209430d6af54792371174e70e27dd11d3def7a7
+ - 1c6452026c56efd2c94cea7e0f671eb55515edb0
+ - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
+ - 4923d460e22fbbf165bbbaba168e5a46b8157d9f
+ - f201504bd96e81d0d350c3a8332593ee1c9e09de
+ - ddd2db1127632a2a52943a2fe516a2e7d05d70d2
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 440a56bf-7873-4439-940a-1c8a671073c2
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
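Review bot: The 19 `sha1` values are unquoted plain scalars; each of them happens to contain a letter and so loads as a string, but an all-digit hash would silently become an integer, so hash strings should be quoted as a matter of course (`- '53a44c2396d15c3a03723fa5e5db54cafd527635'`). The rule also shares its `title` (`GALLIUM Artefacts`) with the preceding one-hash rule, which makes alerts from the two indistinguishable by title; a suffix such as `GALLIUM Artefacts - Known Binary Hashes` would help triage.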
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_pandemic.yml b/rules/sigma/windows/process_creation/process_creation_apt_pandemic.yml
new file mode 100644
index 00000000..ddf58638
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_pandemic.yml
@@ -0,0 +1,36 @@
+
+title: Pandemic Registry Key
+author: Florian Roth
+date: 2017/06/01
+description: Detects Pandemic Windows Implant
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*loaddll -a *'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: 9fefd33c-339d-4495-9cba-b96ca006f512
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://wikileaks.org/vault7/#Pandemic
+- https://twitter.com/MalwareJake/status/870349480356454401
+related:
+- id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
+ type: derived
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
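Review bot: The title `Pandemic Registry Key` and the `TargetObject` entry in `fields` describe a registry-event rule, but the detection is `process_creation` / `EventID: 1` on `CommandLine: '*loaddll -a *'`, so title, fields and detection disagree. Either rename it to what it detects (e.g. `Pandemic Implant loaddll Command`) and drop `TargetObject`, or the registry portion of the source rule was lost in conversion and should be re-added; the `related` entry with `type: derived` suggests the rule was split from a registry rule, which supports the second reading and is worth checking before merge.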
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_slingshot.yml b/rules/sigma/windows/process_creation/process_creation_apt_slingshot.yml
new file mode 100644
index 00000000..e1901c9a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_slingshot.yml
@@ -0,0 +1,33 @@
+
+title: Defrag Deactivation
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+description: Detects the deactivation and disabling of the Scheduled defragmentation
+ task as seen by Slingshot APT group
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\schtasks.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*/delete*'
+ - '*/change*'
+ SELECTION_4:
+ CommandLine: '*/TN*'
+ SELECTION_5:
+ CommandLine: '*\Microsoft\Windows\Defrag\ScheduledDefrag*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://securelist.com/apt-slingshot/84312/
+tags:
+- attack.persistence
+- attack.s0111
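Review bot: This rule has no `status` key while every neighbouring rule carries one; add `status: experimental` (or whatever the source rule had) so tooling that filters on status treats it consistently. SELECTION_3's `'*/change*'` matches every modification of the ScheduledDefrag task, including re-enabling it, whereas the description speaks only of deactivation and disabling; if that is the intent, an extra selection on `'*/DISABLE*'` ANDed with the `/change` branch would narrow it, otherwise the description should say "modification or deletion".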
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/sigma/windows/process_creation/process_creation_apt_turla_commands_critical.yml
new file mode 100644
index 00000000..8b67f48a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -0,0 +1,35 @@
+
+title: Turla Group Lateral Movement
+author: Markus Neis
+date: 2017/11/07
+description: Detects automated lateral movement by Turla group
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - net use \\%DomainController%\C$ "P@ssw0rd" *
+ - dir c:\\*.doc* /s
+ - dir %TEMP%\\*.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://securelist.com/the-epic-turla-operation/65545/
+status: experimental
+tags:
+- attack.g0010
+- attack.execution
+- attack.t1059
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
+- attack.discovery
+- attack.t1083
+- attack.t1135
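Review bot: The first `CommandLine` entry keeps the report's placeholder `%DomainController%` literally; a real command line carries the actual host name there, so that entry is unlikely ever to match. None of the three entries has a leading wildcard, so they only match command lines that begin with `net use` or `dir` exactly — `dir` is a cmd builtin and would normally appear after `cmd /c`, and Sysmon command lines usually start with the executable path — so confirm whether the backend implicitly wraps these, otherwise prefix them with `*`. The values are unquoted plain scalars containing `"`, `%`, `$` and `*`; they parse today, but single-quoting them as the rest of this commit does is safer. `attack.t1077` is deprecated in favour of `attack.t1021.002`, which is already listed.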
diff --git a/rules/sigma/windows/process_creation/process_creation_apt_wocao.yml b/rules/sigma/windows/process_creation/process_creation_apt_wocao.yml
new file mode 100644
index 00000000..89e3ba6a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_apt_wocao.yml
@@ -0,0 +1,48 @@
+
+title: Operation Wocao Activity
+author: Florian Roth, frack113
+date: 2019/12/20
+description: Detects activity mentioned in Operation Wocao report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*checkadmin.exe 127.0.0.1 -all*'
+ - '*netsh advfirewall firewall add rule name=powershell dir=in*'
+ - '*cmd /c powershell.exe -ep bypass -file c:\s.ps1*'
+ - '*/tn win32times /f*'
+ - '*create win32times binPath=*'
+ - '*\c$\windows\system32\devmgr.dll*'
+ - '* -exec bypass -enc JgAg*'
+ - '*type *keepass\KeePass.config.xml*'
+ - '*iie.exe iie.txt*'
+ - '*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrators that use checkadmin.exe tool to enumerate local administrators
+id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+- https://twitter.com/SBousseaden/status/1207671369963646976
+related:
+- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1036.004
+- attack.t1036
+- attack.t1027
+- attack.execution
+- attack.t1053.005
+- attack.t1053
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/process_creation/process_creation_automated_collection.yml b/rules/sigma/windows/process_creation/process_creation_automated_collection.yml
new file mode 100644
index 00000000..156d4a86
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_automated_collection.yml
@@ -0,0 +1,45 @@
+
+title: Automated Collection Command Prompt
+author: frack113
+date: 2021/07/28
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*.doc*'
+ - '*.docx*'
+ - '*.xls*'
+ - '*.xlsx*'
+ - '*.ppt*'
+ - '*.pptx*'
+ - '*.rtf*'
+ - '*.pdf*'
+ - '*.txt*'
+ SELECTION_3:
+ CommandLine: '*dir *'
+ SELECTION_4:
+ CommandLine: '* /b *'
+ SELECTION_5:
+ CommandLine: '* /s *'
+ SELECTION_6:
+ OriginalFileName: FINDSTR.EXE
+ SELECTION_7:
+ CommandLine: '* /e *'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Unknown
+id: f576a613-2392-4067-9d1a-9345fb58d8d1
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
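Review bot: `CommandLine: '*dir *'` in SELECTION_3 is an unanchored substring, so `mkdir `, `rmdir `, `chdir ` and any `--dir ` argument also satisfy it, which with the broad extension list in SELECTION_2 makes the medium-level alert noisy. Consider anchoring on the separator that precedes `dir` in a `cmd /c` invocation, or at least record this in `falsepositives` instead of `Unknown`; the same `'*dir *'` pattern is used in the Discover Private Keys hunk. Separately, `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` already match the `x` variants, so the `.docx`, `.xlsx` and `.pptx` entries are redundant and can be removed.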
diff --git a/rules/sigma/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/sigma/windows/process_creation/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 00000000..bc1e8098
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,28 @@
+
+title: F-Secure C3 Load by Rundll32
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ CommandLine: '*StartNodeRelay*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
diff --git a/rules/sigma/windows/process_creation/process_creation_clip.yml b/rules/sigma/windows/process_creation/process_creation_clip.yml
new file mode 100644
index 00000000..bf91eaa3
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_clip.yml
@@ -0,0 +1,26 @@
+
+title: Use of CLIP
+author: frack113
+date: 2021/07/27
+description: Adversaries may collect data stored in the clipboard from users copying
+ information within or between applications.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: clip.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ddeff553-5233-4ae9-bbab-d64d2bd634be
+level: low
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1115
diff --git a/rules/sigma/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/sigma/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
new file mode 100644
index 00000000..d44fdbef
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -0,0 +1,31 @@
+
+title: CobaltStrike Load by Rundll32
+author: Wojciech Lesicki
+date: 2021/06/01
+description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs
+ from the command line.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ CommandLine: '*StartW*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.cobaltstrike.com/help-windows-executable
+- https://redcanary.com/threat-detection-report/
+- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
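Review bot: `CommandLine: '*StartW*'` in SELECTION_4 matches any command line containing that substring, not only the `StartW` export named in the description, and at level `critical` that is worth tightening. rundll32 separates module and export with a comma, so `'*,StartW*'` would keep the documented case while excluding unrelated tokens that merely begin with StartW; if the broader match is intentional, say so in `falsepositives`.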
diff --git a/rules/sigma/windows/process_creation/process_creation_command_execution_by_office_applications.yml b/rules/sigma/windows/process_creation/process_creation_command_execution_by_office_applications.yml
new file mode 100644
index 00000000..5ec7a6ec
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_command_execution_by_office_applications.yml
@@ -0,0 +1,36 @@
+
+title: WMI Command Execution by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic Win32_Process::Create
+ to execute the file with regsvr32
+detection:
+ SELECTION_1:
+ EventLog: EDR
+ SELECTION_2:
+ EventType: WMIExecution
+ SELECTION_3:
+ WMIcommand: '*Win32_Process\:\:Create*'
+ SELECTION_4:
+ Image:
+ - '*\winword.exe'
+ - '*\excel.exe'
+ - '*\powerpnt.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
+level: high
+logsource:
+ category: process_creation
+ product: EndPoint Detection Logs
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
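Review bot: `WMIcommand: '*Win32_Process\:\:Create*'` in SELECTION_3 keeps a literal backslash before each colon under Sigma's escaping rules (a backslash is only consumed before `*`, `?` or `\`), so the compared value is `Win32_Process\:\:Create` and a real `Win32_Process::Create` call would not match; if the colons need no escaping in the target backend, write `WMIcommand: '*Win32_Process::Create*'`. The `logsource` also declares `product: EndPoint Detection Logs` with `category: process_creation`, and the fields `EventLog`, `EventType` and `WMIcommand` are not the ones the sibling process_creation rules use, so this rule will not convert with the shared field mapping; the description should name the expected log source so the mapping can be supplied.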
diff --git a/rules/sigma/windows/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/sigma/windows/process_creation/process_creation_conti_cmd_ransomware.yml
new file mode 100644
index 00000000..7650a607
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_conti_cmd_ransomware.yml
@@ -0,0 +1,37 @@
+
+title: Conti Ransomware Execution
+author: frack113
+date: 2021/10/12
+description: Conti ransomware command line ioc
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-m *'
+ SELECTION_3:
+ CommandLine: '*-net *'
+ SELECTION_4:
+ CommandLine: '*-size *'
+ SELECTION_5:
+ CommandLine: '*-nomutex *'
+ SELECTION_6:
+ CommandLine: '*-p \\\*'
+ SELECTION_7:
+ CommandLine: '*$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown should be low
+id: 689308fc-cfba-4f72-9897-796c1dc61487
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
+- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
+status: experimental
+tags:
+- attack.impact
+- attack.s0575
+- attack.t1486
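Review bot: The escaping in SELECTION_6, `CommandLine: '*-p \\\*'`, is ambiguous: Sigma reads `\\` as one literal backslash and `\*` as a literal asterisk, giving the value `-p \*` with no trailing wildcard, which is unlikely to be the intent. If the goal is `-p` followed by a UNC path, `'*-p \\\\*'` (two literal backslashes, then a wildcard) expresses that. The `falsepositives` entry `Unknown should be low` also reads as two contradictory statements; pick one, e.g. `Unlikely`.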
diff --git a/rules/sigma/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/sigma/windows/process_creation/process_creation_coti_sqlcmd.yml
new file mode 100644
index 00000000..e390a5b9
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_coti_sqlcmd.yml
@@ -0,0 +1,34 @@
+
+title: Conti Backup Database
+author: frack113
+date: 2021/08/16
+description: Detects a command used by conti to dump database
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*sqlcmd *'
+ - '*sqlcmd.exe*'
+ SELECTION_3:
+ CommandLine: '* -S localhost *'
+ SELECTION_4:
+ CommandLine:
+ - '*sys.sysprocesses*'
+ - '*master.dbo.sysdatabases*'
+ - '*BACKUP DATABASE*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 2f47f1fd-0901-466e-a770-3b7092834a1b
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/vxunderground/status/1423336151860002816?s=20
+- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
+status: experimental
+tags:
+- attack.collection
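Review bot: `falsepositives: Unknown` understates routine DBA activity: `sqlcmd -S localhost ... BACKUP DATABASE` is exactly how scheduled local backups are scripted, so at level `high` this rule will fire on every backup job. List scheduled backup tasks as a known false positive and consider excluding the service account or parent process that runs them. The `tags` block carries only the tactic `attack.collection`; add the technique id the rule is meant to cover so it lines up with the other rules in this series.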
diff --git a/rules/sigma/windows/process_creation/process_creation_discover_private_keys.yml b/rules/sigma/windows/process_creation/process_creation_discover_private_keys.yml
new file mode 100644
index 00000000..4123a159
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_discover_private_keys.yml
@@ -0,0 +1,44 @@
+
+title: Discover Private Keys
+author: frack113
+date: 2021/07/20
+description: Adversaries may search for private key certificate files on compromised
+ systems for insecurely stored credential
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*dir *'
+ - '*findstr *'
+ SELECTION_3:
+ CommandLine:
+ - '*.key*'
+ - '*.pgp*'
+ - '*.gpg*'
+ - '*.ppk*'
+ - '*.p12*'
+ - '*.pem*'
+ - '*.pfx*'
+ - '*.cer*'
+ - '*.p7b*'
+ - '*.asc*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.004
diff --git a/rules/sigma/windows/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/sigma/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
new file mode 100644
index 00000000..d8758df3
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -0,0 +1,43 @@
+
+title: DNS ServerLevelPluginDll Install
+author: Florian Roth
+date: 2017/05/08
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
+ in Registry, which can be used to execute code in context of the DNS server (restart
+ required)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\dnscmd.exe'
+ SELECTION_3:
+ CommandLine: '*/config*'
+ SELECTION_4:
+ CommandLine: '*/serverlevelplugindll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+related:
+- id: e61e8a88-59a9-451c-874e-70fcc9740d67
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1112
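Review bot: The `fields` list includes `TargetObject`, a registry-event field that a process_creation event never carries, so it will always be empty in the alert output; it looks inherited from the registry-based rule referenced under `related` and should be dropped here. The `tags` block also lists `attack.t1073` next to `attack.t1574.002`; T1073 was retired in favour of T1574.002, so `- attack.t1073` can be removed.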
diff --git a/rules/sigma/windows/process_creation/process_creation_dotnet.yml b/rules/sigma/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 00000000..05f07ba5
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,37 @@
+
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*.dll'
+ - '*.csproj'
+ SELECTION_3:
+ Image:
+ - '*\dotnet.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+- https://twitter.com/_felamos/status/1204705548668555264
+- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+status: experimental
+tags:
+- attack.execution
+- attack.t1218
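Review bot: The tactic/technique pairing in `tags` is inconsistent: `attack.t1218` is a Defense Evasion technique, but the tactic tag is `attack.execution`; use `- attack.defense_evasion` or pick an execution technique. The same pairing appears in the Execute Files with Msdeploy.exe hunk. The `falsepositives` list also misses the most common benign case: `dotnet.exe <app>.dll` is the standard way a .NET Core application is hosted, and developers run `dotnet build <project>.csproj` constantly, so note `Normal .NET Core application hosting and developer builds` there.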
diff --git a/rules/sigma/windows/process_creation/process_creation_hack_dumpert.yml b/rules/sigma/windows/process_creation/process_creation_hack_dumpert.yml
new file mode 100644
index 00000000..99503438
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_hack_dumpert.yml
@@ -0,0 +1,28 @@
+
+title: Dumpert Process Dumper
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+ process memory
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Imphash: 09D278F9DE118EF09163C6140255C690
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
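Review bot: SELECTION_2 matches on a field named `Imphash`, which is not a native Sysmon Event ID 1 field; Sysmon emits import hashes inside `Hashes` as `IMPHASH=...`, so the rule only works where the backend's field mapping extracts that value. Add a line to `description` stating that the log source must expose the import hash as a separate `Imphash` field, so a deployment that lacks the mapping does not silently get zero matches.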
diff --git a/rules/sigma/windows/process_creation/process_creation_infdefaultinstall.yml b/rules/sigma/windows/process_creation/process_creation_infdefaultinstall.yml
new file mode 100644
index 00000000..b808f3ef
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_infdefaultinstall.yml
@@ -0,0 +1,33 @@
+
+title: InfDefaultInstall.exe .inf Execution
+author: frack113
+date: 2021/07/13
+description: Executes SCT script using scrobj.dll from a command in entered into a
+ specially prepared INF file.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*InfDefaultInstall.exe *'
+ SELECTION_3:
+ CommandLine: '*.inf*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: ce7cf472-6fcc-490a-9481-3786840b5d9b
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
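Review bot: The `tags` block maps this rule to `attack.t1562.001` (Impair Defenses: Disable or Modify Tools), but both references point at T1218 material and the description covers signed-binary proxy execution of an INF-embedded script, so the technique tag does not match the behaviour detected. Replace it with `- attack.t1218`, keeping `- attack.defense_evasion`.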
diff --git a/rules/sigma/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/sigma/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
new file mode 100644
index 00000000..2692492b
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
@@ -0,0 +1,42 @@
+
+title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+date: 2021/09/30
+description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*/in:*'
+ SELECTION_3:
+ CommandLine: '*/out:*'
+ SELECTION_4:
+ Image:
+ - '*\DataSvcUtil.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- DataSvcUtil.exe being used may be performed by a system administrator.
+- Verify whether the user identity, user agent, and/or hostname should be making changes
+ in your environment.
+- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If
+ known behavior is causing false positives, it can be exempted from the rule.
+- Penetration Testing
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: e290b10b-1023-4452-a4a9-eb31a9013b3a
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567
diff --git a/rules/sigma/windows/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/sigma/windows/process_creation/process_creation_lolbins_by_office_applications.yml
new file mode 100644
index 00000000..4efea4e6
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_lolbins_by_office_applications.yml
@@ -0,0 +1,37 @@
+
+title: New Lolbin Process by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor any office apps that spins up a new LOLBin process.
+ This activity is pretty suspicious and should be investigated.
+detection:
+ SELECTION_1:
+ Image:
+ - '*regsvr32'
+ - '*rundll32'
+ - '*msiexec'
+ - '*mshta'
+ - '*verclsid'
+ SELECTION_2:
+ ParentImage:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
+level: high
+logsource:
+ category: process_creation
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
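Review bot: The `Image` values in SELECTION_1 are end-anchored without the `.exe` suffix (`'*regsvr32'`, `'*rundll32'`, ...), and Sysmon's `Image` is the full path ending in `.exe`, so none of them can match and the rule is effectively dead. Write them as `'*\regsvr32.exe'`, `'*\rundll32.exe'` and so on; the same list appears in the Lolbins Process Creation with WmiPrvse hunk. `product: Windows` is also capitalised here unlike the `windows` used by the other rules, which matters for case-sensitive logsource matching.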
diff --git a/rules/sigma/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/sigma/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
new file mode 100644
index 00000000..18111329
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
@@ -0,0 +1,34 @@
+
+title: Lolbins Process Creation with WmiPrvse
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor LOLBin process creations by wmiprvse. Add more
+ LOLBins to rule logic if needed.
+detection:
+ SELECTION_1:
+ Image:
+ - '*regsvr32'
+ - '*rundll32'
+ - '*msiexec'
+ - '*mshta'
+ - '*verclsid'
+ SELECTION_2:
+ ParentImage: '*\wbem\WmiPrvSE.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+level: high
+logsource:
+ category: process_creation
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
diff --git a/rules/sigma/windows/process_creation/process_creation_msdeploy.yml b/rules/sigma/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 00000000..830f1258
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_msdeploy.yml
@@ -0,0 +1,39 @@
+
+title: Execute Files with Msdeploy.exe
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*verb:sync*'
+ SELECTION_3:
+ CommandLine: '*-source:RunCommand*'
+ SELECTION_4:
+ CommandLine: '*-dest:runCommand*'
+ SELECTION_5:
+ Image:
+ - '*\msdeploy.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+- https://twitter.com/pabraeken/status/995837734379032576
+- https://twitter.com/pabraeken/status/999090532839313408
+status: experimental
+tags:
+- attack.execution
+- attack.t1218
diff --git a/rules/sigma/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/sigma/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
new file mode 100644
index 00000000..5e16099f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
@@ -0,0 +1,41 @@
+
+title: Office Applications Spawning Wmi Cli
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic to execute the file
+ with regsvr32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: \wbem\WMIC.exe
+ SELECTION_3:
+ CommandLine: '*wmic *'
+ SELECTION_4:
+ OriginalFileName: wmic.exe
+ SELECTION_5:
+ Description: WMI Commandline Utility
+ SELECTION_6:
+ ParentPrcessName:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
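Review bot: `Image: \wbem\WMIC.exe` in SELECTION_2 has no leading wildcard, so it is an exact match against a relative path that never appears in a process_creation event; the sibling rule uses `Image: '*\wbem\WMIC.exe'` and this one should too. SELECTION_6 is keyed on `ParentPrcessName`, which is both misspelled and not the field the other rules in this series use; `ParentImage` is the expected name. Because the condition ORs SELECTION_2 through SELECTION_5, the broken `Image` match is currently masked by `CommandLine: '*wmic *'`, which is why the defect would not show up in testing.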
diff --git a/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
new file mode 100644
index 00000000..6b83c280
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
@@ -0,0 +1,55 @@
+
+title: Excel Proxy Executing Regsvr32 With Payload
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
+ we have command-line in the event which allow us to "restore" this suspicious parent-child
+ chain and detect it. Monitor process creation with "wmic process call create" and
+ LOLBins in command-line with parent Office application processes.
+detection:
+ SELECTION_1:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_2:
+ ProcessCommandLine: '*wmic *'
+ SELECTION_3:
+ OriginalFileName: wmic.exe
+ SELECTION_4:
+ Description: WMI Commandline Utility
+ SELECTION_5:
+ CommandLine:
+ - '*regsvr32*'
+ - '*rundll32*'
+ - '*msiexec*'
+ - '*mshta*'
+ - '*verclsid*'
+ SELECTION_6:
+ ParentImage:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ SELECTION_7:
+ processCommandLine: '*process*'
+ SELECTION_8:
+ processCommandLine: '*create*'
+ SELECTION_9:
+ processCommandLine: '*call*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5
+ and SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)
+falsepositives:
+- Unknown
+id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
+level: high
+logsource:
+ category: process_creation
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
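Review bot: This rule refers to the same command-line field under three spellings — `CommandLine` in SELECTION_5, `ProcessCommandLine` in SELECTION_2 and `processCommandLine` in SELECTION_7 to SELECTION_9 — and field names are case-sensitive in backend mappings, so at least one of these selections will never match. Normalise them all to `CommandLine` as the other process_creation rules do. The next hunk (`..._regsvr32_payload2.yml`) has the same mixed spelling and additionally reuses this rule's `title` and `description` verbatim under a different `id`, so the two are indistinguishable in an alert view; give it a distinct title or merge the two rules.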
diff --git a/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
new file mode 100644
index 00000000..312d3ab9
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
@@ -0,0 +1,51 @@
+
+title: Excel Proxy Executing Regsvr32 With Payload
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
+ we have command-line in the event which allow us to "restore" this suspicious parent-child
+ chain and detect it. Monitor process creation with "wmic process call create" and
+ LOLBins in command-line with parent Office application processes.
+detection:
+ SELECTION_1:
+ ProcessCommandLine:
+ - '*regsvr32*'
+ - '*rundll32*'
+ - '*msiexec*'
+ - '*mshta*'
+ - '*verclsid*'
+ SELECTION_2:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_3:
+ ProcessCommandLine: '*wmic *'
+ SELECTION_4:
+ ParentImage:
+ - '*winword.exe'
+ - '*excel.exe'
+ - '*powerpnt.exe'
+ SELECTION_5:
+ processCommandLine: '*process*'
+ SELECTION_6:
+ processCommandLine: '*create*'
+ SELECTION_7:
+ processCommandLine: '*call*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
+level: high
+logsource:
+ category: process_creation
+ product: Windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
diff --git a/rules/sigma/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/sigma/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
new file mode 100644
index 00000000..f23daba4
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_office_spawning_wmi_commandline.yml
@@ -0,0 +1,36 @@
+
+title: Office Applications Spawning Wmi Cli
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic to execute the file
+ with regsvr32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_3:
+ ProcessCommandLine: '*wmic *'
+ SELECTION_4:
+ ParentImage:
+ - winword.exe
+ - excel.exe
+ - powerpnt.exe
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: 04f5363a-6bca-42ff-be70-0d28bf629ead
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
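Review bot: The `ParentImage` values in SELECTION_4 (`winword.exe`, `excel.exe`, `powerpnt.exe`) carry no wildcard, so they are exact matches against a bare file name and will never equal the full path Sysmon records; write them as `'*\winword.exe'`, `'*\excel.exe'`, `'*\powerpnt.exe'`. The `title` is also identical to the Office Applications Spawning Wmi Cli hunk above, which makes the two rules indistinguishable in alerting; give this one a distinct title.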
diff --git a/rules/sigma/windows/process_creation/process_creation_pingback_backdoor.yml b/rules/sigma/windows/process_creation/process_creation_pingback_backdoor.yml
new file mode 100644
index 00000000..864e6773
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_pingback_backdoor.yml
@@ -0,0 +1,36 @@
+
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*updata.exe'
+ SELECTION_3:
+ CommandLine: '*config*'
+ SELECTION_4:
+ CommandLine: '*msdtc*'
+ SELECTION_5:
+ CommandLine: '*start*'
+ SELECTION_6:
+ CommandLine: '*auto*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Very unlikely
+id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
diff --git a/rules/sigma/windows/process_creation/process_creation_powershell_web_request.yml b/rules/sigma/windows/process_creation/process_creation_powershell_web_request.yml
new file mode 100644
index 00000000..cb796c59
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_powershell_web_request.yml
@@ -0,0 +1,34 @@
+
+title: Windows PowerShell Web Request
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request methods (including aliases) via
+ Windows PowerShell command
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*Invoke-WebRequest*'
+ - '*iwr *'
+ - '*wget *'
+ - '*curl *'
+ - '*Net.WebClient*'
+ - '*Start-BitsTransfer*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
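Review bot: Nothing in the `detection` block scopes this rule to PowerShell, even though the title and description say it does: `'*curl *'` and `'*wget *'` in SELECTION_2 will match the native curl.exe that ships with current Windows builds and any other tool invoked with those names. Add a selection on the image, e.g. `Image: ['*\powershell.exe', '*\pwsh.exe']`, and AND it into the condition, or retitle the rule to reflect the broader scope and extend `falsepositives` accordingly.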
diff --git a/rules/sigma/windows/process_creation/process_creation_protocolhandler_suspicious_file.yml b/rules/sigma/windows/process_creation/process_creation_protocolhandler_suspicious_file.yml
new file mode 100644
index 00000000..08ee1334
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_protocolhandler_suspicious_file.yml
@@ -0,0 +1,34 @@
+
+title: ProtocolHandler.exe Downloaded Suspicious File
+author: frack113
+date: 2021/07/13
+description: Emulates attack via documents through protocol handler in Microsoft Office.
+ On successful execution you should see Microsoft Word launch a blank file.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\protocolhandler.exe'
+ SELECTION_3:
+ CommandLine: '*"ms-word*'
+ SELECTION_4:
+ CommandLine: '*.docx"*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
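Review bot: The `description` is copied from the Atomic Red Team test and describes what the emulation does ("On successful execution you should see Microsoft Word launch a blank file") rather than what the rule detects. Replace it with a statement of the detection, e.g. `Detects ProtocolHandler.exe launched with a quoted ms-word URI that points at a .docx, a pattern used to open an externally supplied document through the Office protocol handler.`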
diff --git a/rules/sigma/windows/process_creation/process_creation_root_certificate_installed.yml b/rules/sigma/windows/process_creation/process_creation_root_certificate_installed.yml
new file mode 100644
index 00000000..5d17a358
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_root_certificate_installed.yml
@@ -0,0 +1,39 @@
+
+title: Root Certificate Installed
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/10
+description: Adversaries may install a root certificate on a compromised system to
+ avoid warnings when connecting to adversary controlled web servers.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*root*'
+ SELECTION_3:
+ Image: '*\certutil.exe'
+ SELECTION_4:
+ CommandLine: '*-addstore*'
+ SELECTION_5:
+ Image: '*\CertMgr.exe'
+ SELECTION_6:
+ CommandLine: '*/add*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6)))
+falsepositives:
+- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
+ test if GPO push doesn't trigger FP
+id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+related:
+- id: 42821614-9264-4761-acfc-5772c3286f76
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1553.004
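Review bot: SELECTION_4 matches only the dash form `-addstore`, while certutil, like most Microsoft CLI tools, also accepts the slash form (`certutil /addstore root cert.cer`), so a trivial variant of the documented technique slips past. Suggest making it a list: `CommandLine: ['*-addstore*', '*/addstore*']`. Also `*root*` in SELECTION_2 is matched against the whole command line, so any path containing "root" satisfies it; if the intent is the store name, anchoring on `* root *` (and enumerating the `-f`/quoted variants) would tighten it.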
diff --git a/rules/sigma/windows/process_creation/process_creation_sdelete.yml b/rules/sigma/windows/process_creation/process_creation_sdelete.yml
new file mode 100644
index 00000000..863a6111
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_sdelete.yml
@@ -0,0 +1,35 @@
+
+title: Sysinternals SDelete Delete File
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: sdelete.exe
+ SELECTION_3:
+ CommandLine:
+ - '* -h*'
+ - '* -c*'
+ - '* -z*'
+ - '* /?*'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- System administrator Usage
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: a4824fca-976f-4964-b334-0621379e84c4
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+status: experimental
+tags:
+- attack.impact
+- attack.t1485
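Review bot: SELECTION_2 pins `OriginalFileName: sdelete.exe`, which correctly survives a renamed copy of the 32-bit binary, but if the 64-bit build (`sdelete64.exe`) carries its own OriginalFilename in its version resource that build is missed entirely; check the PE header and list both values if they differ. `OriginalFileName` is only populated when the Sysmon configuration requests it, so on deployments that log only `Image` this rule silently matches nothing, which deserves a note in the description. The exclusions in SELECTION_3 (`-c`, `-z`) deliberately drop free-space wiping; a one-line rationale for that scope choice in the description would stop a future maintainer from "fixing" it.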
diff --git a/rules/sigma/windows/process_creation/process_creation_software_discovery.yml b/rules/sigma/windows/process_creation/process_creation_software_discovery.yml
new file mode 100644
index 00000000..4225cf8a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_software_discovery.yml
@@ -0,0 +1,40 @@
+
+title: Detected Windows Software Discovery
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+description: Adversaries may attempt to enumerate software for a variety of reasons,
+ such as figuring out what security measures are present or if the compromised system
+ has a version of software that is vulnerable.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\reg.exe'
+ SELECTION_3:
+ CommandLine: '*query*'
+ SELECTION_4:
+ CommandLine: '*\software\\*'
+ SELECTION_5:
+ CommandLine: '*/v*'
+ SELECTION_6:
+ CommandLine: '*svcversion*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Legitimate administration activities
+id: e13f668e-7f95-443d-98d2-1816a7648a7b
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+- https://github.com/harleyQu1nn/AggressorScripts
+related:
+- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1518
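Review bot: The title and description promise generic software discovery, but the condition requires all of `reg.exe`, `query`, `\software\` and `/v svcversion`, so it fires only on the Internet Explorer version check used by the referenced Atomic test; an actor enumerating `HKLM\Software\...\Uninstall` or any other value produces no hit. Either rename to reflect the narrow scope (e.g. `title: Internet Explorer Version Discovery via Reg Query`) and say so in the description, or drop SELECTION_6 and accept the higher false-positive rate. `*query*` is also matched anywhere in the command line; `* query *` avoids hitting paths or value names that happen to contain the word.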
diff --git a/rules/sigma/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/sigma/windows/process_creation/process_creation_stickykey_like_backdoor.yml
new file mode 100644
index 00000000..3c0d6bf0
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -0,0 +1,43 @@
+
+title: Sticky Key Like Backdoor Usage
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+description: Detects the usage and installation of a backdoor that uses an option
+ to register a malicious debugger for built-in tools that are accessible in the login
+ screen
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\winlogon.exe'
+ SELECTION_3:
+ Image: '*\cmd.exe'
+ SELECTION_4:
+ CommandLine:
+ - '*sethc.exe*'
+ - '*utilman.exe*'
+ - '*osk.exe*'
+ - '*Magnify.exe*'
+ - '*Narrator.exe*'
+ - '*DisplaySwitch.exe*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+related:
+- id: baca5663-583c-45f9-b5dc-ea96a22ce542
+ type: derived
+tags:
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1015
+- attack.t1546.008
+- car.2014-11-003
+- car.2014-11-008
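Review bot: SELECTION_3 restricts the child to `*\cmd.exe`, but the IFEO `Debugger` value this backdoor abuses can point at any executable (powershell.exe, a dropped binary), so winlogon.exe spawning `powershell.exe sethc.exe 211` would not fire even though it is the same technique. Suggest at least `Image: ['*\cmd.exe', '*\powershell.exe']`, or invert the check to any child of winlogon.exe whose command line names one of the accessibility binaries but whose Image is not that binary itself. `attack.t1015` is a retired technique ID kept alongside `t1546.008`; fine for compatibility, but a comment marking it deprecated avoids it being copied into new rules.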
diff --git a/rules/sigma/windows/process_creation/process_creation_susp_7z.yml b/rules/sigma/windows/process_creation/process_creation_susp_7z.yml
new file mode 100644
index 00000000..89b4264d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_susp_7z.yml
@@ -0,0 +1,37 @@
+
+title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
+author: frack113
+date: 2021/07/27
+description: An adversary may compress or encrypt data that is collected prior to
+ exfiltration using 3rd party utilities
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*7z.exe*'
+ - '*7za.exe*'
+ SELECTION_3:
+ CommandLine: '* -p*'
+ SELECTION_4:
+ CommandLine:
+ - '* a *'
+ - '* u *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Command line parameter combinations that contain all included strings
+fields:
+- CommandLine
+- ParentCommandLine
+- CurrentDirectory
+id: 9fbf5927-5261-4284-a71d-f681029ea574
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1560.001
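Review bot: SELECTION_2 identifies 7-Zip solely by `7z.exe`/`7za.exe` appearing in the command line, so an adversary who drops a renamed copy (`a.exe a -pSecret out.7z data\`) evades the rule while still producing the password and archive flags SELECTION_3–4 look for. Sysmon populates `OriginalFileName` from the PE version resource independent of the on-disk name, so `OriginalFileName: ['7z.exe', '7za.exe']` (with an `Image|endswith` fallback) is the more robust anchor; `7zr.exe` and `7zG.exe` ship in the same package and are worth listing too. Adding `-mhe` (header encryption) as an optional indicator would also let you raise the level for the variant that hides file names, which is the one exfiltration tooling tends to use.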
diff --git a/rules/sigma/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..6db8e7ed
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
@@ -0,0 +1,41 @@
+
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+ that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+ SELECTION_3:
+ CommandLine:
+ - '*-ModuleName *'
+ - '*-ModulePath *'
+ - '*-ScriptBlock *'
+ - '*-RemoteFXvGPUDisablementFilePath*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+related:
+- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
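Review bot: SELECTION_2 keys on the literal `Invoke-ATHRemoteFXvGPUDisablementCommand`, which is the name of the Atomic Test Harness PowerShell function, not anything the abused binary does, so the rule detects a red team running the harness rather than an adversary invoking `RemoteFXvGPUDisablement.exe Disable` with a hijacked PowerShell module, which per the referenced harness script is the actual abuse. If the intent is the technique, the selection should be on the signed host (`Image|endswith: '\RemoteFXvGPUDisablement.exe'`, `CommandLine|contains: 'Disable'`) plus module-hijack indicators; if the intent is only to flag the harness, the title and description should say so. The `-ModuleName`/`-ModulePath`/`-ScriptBlock` patterns in SELECTION_3 are likewise harness parameters, not binary behaviour.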
diff --git a/rules/sigma/windows/process_creation/process_creation_susp_recon.yml b/rules/sigma/windows/process_creation/process_creation_susp_recon.yml
new file mode 100644
index 00000000..07c6cc1d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_susp_recon.yml
@@ -0,0 +1,31 @@
+
+title: Recon Information for Export with Command Prompt
+author: frack113
+date: 2021/07/30
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\tree.com'
+ - '*\WMIC.exe'
+ - '*\doskey.exe'
+ - '*\sc.exe'
+ SELECTION_3:
+ ParentCommandLine: '* > %TEMP%\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: aa2efee7-34dd-446e-8a37-40790a66efd7
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
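Review bot: SELECTION_3 only matches the unexpanded token `%TEMP%` in the parent's command line, so the same collection written with the resolved path (`> C:\Users\x\AppData\Local\Temp\out.txt`), with `%TMP%`, or redirected anywhere else produces no hit; the referenced test is the only shape covered. Suggest broadening to `ParentCommandLine: ['* > %TEMP%\\*', '* > %TMP%\\*', '* > *\AppData\Local\Temp\\*']` and stating in the description that the rule is keyed on output redirection from a cmd.exe parent. `*\WMIC.exe` and `*\sc.exe` as children of a redirecting cmd.exe are common in inventory scripts, so `falsepositives: Unknown` deserves a line about scheduled administrative scripts.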
diff --git a/rules/sigma/windows/process_creation/process_creation_susp_winzip.yml b/rules/sigma/windows/process_creation/process_creation_susp_winzip.yml
new file mode 100644
index 00000000..6d165697
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_susp_winzip.yml
@@ -0,0 +1,34 @@
+
+title: Compress Data and Lock With Password for Exfiltration With WINZIP
+author: frack113
+date: 2021/07/27
+description: An adversary may compress or encrypt data that is collected prior to
+ exfiltration using 3rd party utilities
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*winzip.exe*'
+ - '*winzip64.exe*'
+ SELECTION_3:
+ CommandLine:
+ - '*-s"*'
+ SELECTION_4:
+ CommandLine:
+ - '* -min *'
+ - '* -a *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1560.001
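Review bot: SELECTION_3 requires a quote right after the switch (`-s"`), but as far as I recall from WinZip's command-line documentation the password is appended directly (`-sMyPassword`) and quoting is only needed when it contains spaces, so the unquoted form, probably the more common one, is not matched. Suggest `CommandLine: '* -s*'` (SELECTION_4's `-min`/`-a` co-occurrence keeps it specific) or listing both forms. As with the 7-Zip sibling, identifying the tool via `*winzip.exe*` in the command line rather than `OriginalFileName`/`Image` means a renamed binary evades the rule.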
diff --git a/rules/sigma/windows/process_creation/process_creation_susp_zip_compress.yml b/rules/sigma/windows/process_creation/process_creation_susp_zip_compress.yml
new file mode 100644
index 00000000..4afc6d49
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_susp_zip_compress.yml
@@ -0,0 +1,35 @@
+
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Compress-Archive *'
+ SELECTION_3:
+ CommandLine: '* -Path *'
+ SELECTION_4:
+ CommandLine: '* -DestinationPath *'
+ SELECTION_5:
+ CommandLine: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
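Review bot: SELECTION_3 and SELECTION_4 require the named `-Path` and `-DestinationPath` switches, but if I read the cmdlet's parameter sets right `Compress-Archive` takes both positionally (`Compress-Archive C:\data $env:TEMP\a.zip`), so the rule misses the shortest form of exactly the staging it describes. Dropping those two selections, or keeping only `Compress-Archive` plus the temp-folder indicator, would close that gap. SELECTION_5 also matches only the literal `$env:TEMP`; `$env:TMP`, `${env:TEMP}`, `[IO.Path]::GetTempPath()` and the resolved `\AppData\Local\Temp\` path are equivalent and worth listing.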
diff --git a/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
new file mode 100644
index 00000000..9979f413
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
@@ -0,0 +1,36 @@
+
+title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
+author: frack113
+date: 2021/07/12
+description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\SyncAppvPublishingServer.exe'
+ SELECTION_3:
+ CommandLine: '*"n; *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- App-V clients
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: fbd7c32d-db2a-4418-b92c-566eb8911133
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: obsoletes
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
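Review bot: SELECTION_3 uses `*"n; *` with a mandatory space after the semicolon, whereas the sibling VBS rule (36475a7d) uses `*"n;*`; since PowerShell needs no whitespace after `;`, `SyncAppvPublishingServer.exe "n;Start-Process calc"` evades this rule while still being the LOLBAS pattern. Align on `CommandLine: '*"n;*'` so both rules behave the same. It would also help to explain in the description why `n;` is the marker (per the LOLBAS reference, the argument is spliced into a PowerShell command and everything after the `;` executes), so future maintainers do not treat it as a typo.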
diff --git a/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
new file mode 100644
index 00000000..3472d02b
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -0,0 +1,34 @@
+
+title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
+author: frack113
+date: 2021/07/16
+description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*\SyncAppvPublishingServer.vbs*'
+ SELECTION_3:
+ CommandLine: '*"n;*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.t1216
diff --git a/rules/sigma/windows/process_creation/process_creation_sysinternals_eula_accepted.yml b/rules/sigma/windows/process_creation/process_creation_sysinternals_eula_accepted.yml
new file mode 100644
index 00000000..e7722dd8
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_sysinternals_eula_accepted.yml
@@ -0,0 +1,30 @@
+
+title: Usage of Sysinternals Tools
+author: Markus Neis
+date: 2017/08/28
+description: Detects the usage of Sysinternals Tools due to accepteula key being added
+ to Registry
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* -accepteula*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of SysInternals tools
+- Programs that use the same Registry Key
+id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://twitter.com/Moti_B/status/1008587936735035392
+related:
+- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+ type: derived
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588.002
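Review bot: The description says the rule detects Sysinternals usage "due to accepteula key being added to Registry", but the detection is on the process command line (`-accepteula`), not on the `EulaAccepted` registry value, which is presumably what the related rule 25ffa65d covers. Suggest `description: Detects the usage of Sysinternals tools via the -accepteula / /accepteula command line switch`. Sysinternals tools accept both switch prefixes, so SELECTION_2 should list `'* /accepteula*'` alongside `'* -accepteula*'` to avoid a trivial bypass.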
diff --git a/rules/sigma/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/sigma/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
new file mode 100644
index 00000000..23ca6e38
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -0,0 +1,37 @@
+
+title: UAC Bypass via Event Viewer
+author: Florian Roth
+date: 2017/03/19
+description: Detects UAC bypass method using Windows event viewer
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\eventvwr.exe'
+ SELECTION_3:
+ Image: '*\mmc.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: be344333-921d-4c4d-8bb8-e584cf584780
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
+- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
+related:
+- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1088
+- attack.t1548.002
+- car.2019-04-001
diff --git a/rules/sigma/windows/process_creation/process_creation_tool_psexec.yml b/rules/sigma/windows/process_creation/process_creation_tool_psexec.yml
new file mode 100644
index 00000000..4476fa14
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_tool_psexec.yml
@@ -0,0 +1,42 @@
+
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\PSEXESVC.exe'
+ SELECTION_3:
+ User: NT AUTHORITY\SYSTEM*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
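Review bot: SELECTION_2 anchors on the default service binary name `PSEXESVC.exe`, but PsExec's `-r` switch lets the operator name the remote service (and therefore the dropped executable) anything, so `psexec -r spoolsrv ...` runs as `spoolsrv.exe` under SYSTEM and is not matched. `OriginalFileName: psexesvc.exe` survives that rename because the PE version resource is unchanged, so it is the better anchor with the `Image` check kept as a fallback. The description still says "service installation and execution events (service and Sysmon)" and `fields` lists `ServiceName`, `ServiceFileName`, `TargetFilename` and `PipeName`, none of which exist on a process_creation event; trim both to what this split-out rule actually covers.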
diff --git a/rules/sigma/windows/process_creation/process_creation_win_exchange_transportagent.yml b/rules/sigma/windows/process_creation/process_creation_win_exchange_transportagent.yml
new file mode 100644
index 00000000..93108f3d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creation_win_exchange_transportagent.yml
@@ -0,0 +1,28 @@
+
+title: MSExchange Transport Agent Installation
+author: Tobias Michalski
+date: 2021/06/08
+description: Detects the Installation of a Exchange Transport Agent
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Install-TransportAgent*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
+ for this.
+fields:
+- AssemblyPath
+id: 83809e84-4475-4b69-bc3e-4aad8568612f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.002
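Review bot: `Install-TransportAgent` is an Exchange Management Shell cmdlet, so it only lands in a process-creation command line when someone passes it to powershell.exe via `-Command`; an operator typing it into an already-open EMS session, or running it from a script file, produces no matching event, and that is presumably how both admins and careful attackers do it. That limitation belongs in the description, and the rule should be paired with PowerShell script block logging (event 4104) for real coverage. `fields: AssemblyPath` is a cmdlet parameter, not a field of the event; the note in `falsepositives` already points analysts at it, so the `fields` entry can go.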
diff --git a/rules/sigma/windows/process_creation/process_creationn_apt_chafer_mar18.yml b/rules/sigma/windows/process_creation/process_creationn_apt_chafer_mar18.yml
new file mode 100644
index 00000000..5b4bb2eb
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_creationn_apt_chafer_mar18.yml
@@ -0,0 +1,57 @@
+
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ ParentImage: '*\Autoit*'
+ SELECTION_2:
+ CommandLine: '*\Service.exe*'
+ SELECTION_3:
+ CommandLine:
+ - '*i'
+ - '*u'
+ SELECTION_4:
+ CommandLine: '*\microsoft\Taskbar\autoit3.exe'
+ SELECTION_5:
+ CommandLine: C:\wsc.exe*
+ SELECTION_6:
+ Image: '*\Windows\Temp\DB\\*'
+ SELECTION_7:
+ Image: '*.exe'
+ SELECTION_8:
+ CommandLine: '*\nslookup.exe*'
+ SELECTION_9:
+ CommandLine: '*-q=TXT*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 or SELECTION_5)
+ or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
+falsepositives:
+- Unknown
+id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
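Review bot: SELECTION_5 (`C:\wsc.exe*`) has no leading wildcard, so it only matches when the command line begins with the bare path; the quoted form `"C:\wsc.exe"` that most launchers produce will not match, while every other selection already uses a leading `*`, so `*C:\wsc.exe*` is the consistent fix. The `SELECTION_2 and SELECTION_3` branch (`*\Service.exe*` plus a command line ending in `i` or `u`) is broad for a `level: critical` rule: any product shipping a `Service.exe` with an install/uninstall switch satisfies it. The IOC-specific branches (the autoit3 path, `Temp\DB`, nslookup TXT under an AutoIt parent) carry the confidence; consider splitting the generic branch into its own medium-level rule.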
diff --git a/rules/sigma/windows/process_creation/process_mailboxexport_share.yml b/rules/sigma/windows/process_creation/process_mailboxexport_share.yml
new file mode 100644
index 00000000..95071c03
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_mailboxexport_share.yml
@@ -0,0 +1,36 @@
+
+title: Suspicious PowerShell Mailbox Export to Share
+author: Florian Roth
+date: 2021/08/07
+description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
+ to a local share, as used in ProxyShell exploitations
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*New-MailboxExport*'
+ SELECTION_3:
+ CommandLine: '* -Mailbox *'
+ SELECTION_4:
+ CommandLine: '* -FilePath \\127.0.0.1\C$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://youtu.be/5mqid-7zp8k?t=2481
+- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.003
+- attack.resource_development
+- attack.t1584.006
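Review bot: SELECTION_4 requires the exact string `-FilePath \\127.0.0.1\C$` from the public PoC, so `\\localhost\c$`, the host's own name, another admin share (`\\127.0.0.1\D$`) or a UNC path to a second Exchange server all defeat it while still dropping the PST into a web-reachable local path. Suggest listing at least `'* -FilePath \\\\127.0.0.1\\*'` and `'* -FilePath \\\\localhost\\*'`, or a generic `-FilePath \\*\*$*` for any admin share. Note that Sigma treats `\\` as an escaped single backslash, so depending on the backend the current `\\127.0.0.1` may compile to one leading backslash and never match the UNC prefix; check the compiled query and follow the `\\\\` convention other SigmaHQ rules use for UNC paths.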
diff --git a/rules/sigma/windows/process_creation/process_susp_esentutl_params.yml b/rules/sigma/windows/process_creation/process_susp_esentutl_params.yml
new file mode 100644
index 00000000..c1f06134
--- /dev/null
+++ b/rules/sigma/windows/process_creation/process_susp_esentutl_params.yml
@@ -0,0 +1,36 @@
+
+title: Esentutl Gather Credentials
+author: sam0x90
+date: 2021/08/06
+description: Conti recommendation to its affiliates to use esentult to access NTDS
+ dumped file. Trickbot also uses this utilities to get MSEdge info via its module
+ pwgrab.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*esentutl*'
+ SELECTION_3:
+ CommandLine: '* /p*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- To be determined
+fields:
+- User
+- CommandLine
+- ParentCommandLine
+- CurrentDirectory
+id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/vxunderground/status/1423336151860002816
+- https://attack.mitre.org/software/S0404/
+- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.003
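Review bot: SELECTION_3 only matches the slash form `/p`, but as far as I know esentutl accepts its switches with either `/` or `-` (`esentutl -p ntds.dit`), so the documented Conti usage is one character away from evading; list `'* -p*'` too. `* /p*` also matches any switch beginning with `p`; if repair mode is the target, `'* /p *'` / `'* -p *'` with the trailing space is tighter. The description has two typos ("esentult", "this utilities") and should state which mode is covered (repair of a dumped `ntds.dit` here); the `/y` + `/vss` copy of locked hives is a separate abuse that deserves its own rule.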
diff --git a/rules/sigma/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/sigma/windows/process_creation/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 00000000..810a8011
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -0,0 +1,50 @@
+
+title: Abused Debug Privilege by Arbitrary Parent Processes
+author: Semanur Guneysu @semanurtg, oscd.community
+date: 2020/10/28
+description: Detection of unusual child processes by different system processes
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage:
+ - '*\winlogon.exe'
+ - '*\services.exe'
+ - '*\lsass.exe'
+ - '*\csrss.exe'
+ - '*\smss.exe'
+ - '*\wininit.exe'
+ - '*\spoolsv.exe'
+ - '*\searchindexer.exe'
+ SELECTION_3:
+ Image:
+ - '*\powershell.exe'
+ - '*\cmd.exe'
+ SELECTION_4:
+ User:
+ - NT AUTHORITY\SYSTEM*
+ - AUTORITE NT\Sys*
+ SELECTION_5:
+ CommandLine: '* route *'
+ SELECTION_6:
+ CommandLine: '* ADD *'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- unknown
+fields:
+- ParentImage
+- Image
+- User
+- CommandLine
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548
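Review bot: SELECTION_4 enumerates the SYSTEM account by display name in two locales only (`NT AUTHORITY\SYSTEM`, `AUTORITE NT\Sys*`), so on a German, Spanish or any other non-English/French build the rule never fires; Sysmon's `IntegrityLevel: System` (or the well-known SID `S-1-5-18` where the pipeline exposes it) is locale-independent and expresses the same intent. The title says the rule catches "Abused Debug Privilege", but nothing in the selection looks at SeDebugPrivilege; it detects cmd.exe/powershell.exe spawned as SYSTEM by a fixed list of system processes, and the description should say exactly that so analysts do not expect a privilege check. The `route ADD` exclusion is unexplained; a short comment on why that pair is whitelisted would help the next person tuning it.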
diff --git a/rules/sigma/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/sigma/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
new file mode 100644
index 00000000..5e6561e5
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
@@ -0,0 +1,35 @@
+
+title: Accesschk Usage After Privilege Escalation
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+description: Accesschk is an access and privilege audit tool developed by SysInternal
+ and often being used by attacker to verify if a privilege escalation process successful
+ or not
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ IntegrityLevel: Medium
+ SELECTION_3:
+ Product: '*AccessChk'
+ SELECTION_4:
+ Description: '*Reports effective permissions*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- IntegrityLevel
+- Product
+- Description
+id: c625d754-6a3d-4f65-9c9a-536aea960d37
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+status: experimental
+tags:
+- attack.discovery
+- attack.t1069.001
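Review bot: The title says "After Privilege Escalation", but SELECTION_2 requires `IntegrityLevel: Medium`, i.e. accesschk running in a non-elevated context; after a successful escalation the process would be High or System. Either the rule is meant to catch accesschk reconnaissance used to find an escalation path (then retitle, e.g. `title: Accesschk Usage From Medium Integrity Process`), or the integrity filter is inverted and should be `High`/`System`; the referenced slide does not settle which, so please clarify in the description. Matching on `Product`/`Description` from the version resource is a good choice since it survives renaming; `falsepositives` could add that admins normally run accesschk elevated, which is what makes the Medium filter useful if that is the intent.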
diff --git a/rules/sigma/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/sigma/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
new file mode 100644
index 00000000..fdd4403a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -0,0 +1,37 @@
+
+title: Always Install Elevated MSI Spawned Cmd And Powershell
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+description: This rule will looks for Windows Installer service (msiexec.exe) spawned
+ command line and/or powershell
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ SELECTION_3:
+ ParentImage: '*\Windows\Installer\\*'
+ SELECTION_4:
+ ParentImage: '*msi*'
+ SELECTION_5:
+ ParentImage:
+ - '*tmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Penetration test
+fields:
+- Image
+- ParentImage
+id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548.002
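Review bot: Unlike its sibling (cd951fdc), this rule does not require the spawned cmd.exe/powershell.exe to run as SYSTEM or at `IntegrityLevel: System`, so any MSI custom action that runs a script in the user's context, which many legitimate installers do, fires with exactly the same parent shape (`C:\Windows\Installer\MSIxxxx.tmp`). Adding `IntegrityLevel: System` (locale-independent, unlike the `User` strings the sibling uses) to the condition ties the alert to the AlwaysInstallElevated outcome the title claims. `Image` is also limited to cmd.exe and powershell.exe; wscript.exe, cscript.exe, mshta.exe and rundll32.exe are equally common custom-action hosts and worth listing.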
diff --git a/rules/sigma/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/sigma/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
new file mode 100644
index 00000000..911fc9aa
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -0,0 +1,46 @@
+
+title: Always Install Elevated Windows Installer
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+description: This rule will looks for Windows Installer service (msiexec.exe) when
+ it tries to install MSI packages with SYSTEM privilege
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ User:
+ - NT AUTHORITY\SYSTEM*
+ - AUTORITE NT\Sys*
+ SELECTION_3:
+ Image: '*\Windows\Installer\\*'
+ SELECTION_4:
+ Image: '*msi*'
+ SELECTION_5:
+ Image:
+ - '*tmp'
+ SELECTION_6:
+ Image:
+ - '*\msiexec.exe'
+ SELECTION_7:
+ IntegrityLevel: System
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- IntegrityLevel
+- User
+- Image
+id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/08/26
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548.002
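Review bot: The second branch (`*\msiexec.exe` with `User` SYSTEM and `IntegrityLevel: System`) describes the Windows Installer service process itself (`msiexec.exe /V`, started by services.exe), which runs as SYSTEM on every MSI install regardless of AlwaysInstallElevated, so this branch fires on routine software deployment rather than on the misconfiguration. A process-creation event alone cannot tell an elevated-by-policy install from a normal one; the reliable signal is the `AlwaysInstallElevated` value under HKLM and HKCU `Software\Policies\Microsoft\Windows\Installer`, so this rule should be paired with a registry rule and the description should say the process event is only corroborating context. The `User` locale issue (`AUTORITE NT\Sys*` covers French only) applies here as in the sibling rules; `IntegrityLevel: System` alone is sufficient and locale-independent.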
diff --git a/rules/sigma/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/sigma/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 00000000..3e0b8cdb
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,33 @@
+
+title: DNS Tunnel Technique from MuddyWater
+author: '@caliskanfurkan_'
+date: 2020/06/04
+description: Detecting DNS tunnel activity for Muddywater actor
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\powershell.exe'
+ SELECTION_3:
+ ParentImage:
+ - '*\excel.exe'
+ SELECTION_4:
+ CommandLine:
+ - '*DataExchange.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 36222790-0d43-4fe8-86e4-674b27809543
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
diff --git a/rules/sigma/windows/process_creation/sysmon_apt_sourgrum.yml b/rules/sigma/windows/process_creation/sysmon_apt_sourgrum.yml
new file mode 100644
index 00000000..eddf6811
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_apt_sourgrum.yml
@@ -0,0 +1,48 @@
+
+title: SOURGUM Actor Behaviours
+author: MSTIC, FPT.EagleEye
+date: 2021/06/15
+description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*windows\system32\Physmem.sys*'
+ SELECTION_3:
+ Image:
+ - '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
+ - '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
+ - '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
+ SELECTION_4:
+ EventID: 1
+ SELECTION_5:
+ Image:
+ - '*windows\system32\filepath2*'
+ - '*windows\system32\ime*'
+ SELECTION_6:
+ CommandLine:
+ - '*reg add*'
+ SELECTION_7:
+ CommandLine:
+ - '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
+ - '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Unknown
+id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/30
+references:
+- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
+- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+status: experimental
+tags:
+- attack.t1546
+- attack.t1546.015
+- attack.persistence
+- attack.privilege_escalation
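Review bot: SELECTION_2 and SELECTION_3 put a driver (`Physmem.sys`) and `.ini` files into `Image`, but a process-creation event's Image is the executable that started, never a `.sys` or `.ini`, so those two selections can never match and the whole first branch is dead; they look like file-path IOCs carried over from the multi-source Sentinel query in the references and belong in a file_event or driver_load rule. SELECTION_5's `*windows\system32\filepath2*` reads like a placeholder from that query rather than a real IOC and should be dropped unless confirmed. SELECTION_4 repeats `EventID: 1`, which SELECTION_1 already requires, and can be removed. The `reg add` of the two CLSID `inprocserver32` keys is the one branch that is genuinely a process-creation signal; consider reducing this rule to that and moving the path IOCs to a separate rule.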
diff --git a/rules/sigma/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/sigma/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
new file mode 100644
index 00000000..33f81cd8
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
@@ -0,0 +1,38 @@
+
+title: Atlassian Confluence CVE-2021-26084
+author: Bhabesh Raj
+date: 2021/09/08
+description: Detects spawning of suspicious child processes by Atlassian Confluence
+ server which may indicate successful exploitation of CVE-2021-26084
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*cmd /c*'
+ - '*cmd /k*'
+ - '*powershell*'
+ - '*certutil*'
+ - '*curl*'
+ - '*whoami*'
+ - '*ipconfig*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 245f92e3-c4da-45f1-9070-bc552e06db11
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
+- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+- https://github.com/h3v0x/CVE-2021-26084_Confluence
+status: experimental
+tags:
+- attack.initial_access
+- attack.execution
+- attack.t1190
+- attack.t1059
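Review bot: SELECTION_2 anchors on `'*\Atlassian\Confluence\jre\bin\java.exe'`, which only covers the JRE bundled under the Confluence install directory; a Confluence service configured to run on a separately installed Java would spawn its children from a different java.exe path and fall outside the rule, so a parent pattern that keys on the Confluence directory rather than the bundled JRE (for example `ParentImage: '*\Atlassian\Confluence\*\java.exe'`, if the consuming engine's wildcard spans path separators) may be worth considering. Several SELECTION_3 entries are very short substrings (`'*curl*'`, `'*whoami*'`) but they are gated by the parent match, so the scope is acceptable. The blank first line before `title:` and the missing `---` document marker recur in every new file of this batch and would be cleaned up by a yamllint `document-start` pass.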
diff --git a/rules/sigma/windows/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/sigma/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
new file mode 100644
index 00000000..f03dc1eb
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
@@ -0,0 +1,34 @@
+
+title: CMSTP Execution Process Creation
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\cmstp.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/12/23
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1191
+- attack.t1218.003
+- attack.g0069
+- car.2019-04-001
diff --git a/rules/sigma/windows/process_creation/sysmon_creation_mavinject_dll.yml b/rules/sigma/windows/process_creation/sysmon_creation_mavinject_dll.yml
new file mode 100644
index 00000000..28c3af54
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_creation_mavinject_dll.yml
@@ -0,0 +1,37 @@
+
+title: Mavinject Inject DLL Into Running Process
+author: frack113
+date: 2021/07/12
+description: Injects arbitrary DLL into running process specified by process ID. Requires
+ Windows 10.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* /INJECTRUNNING*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ OriginalFileName: '*mavinject*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.collection
+- attack.t1218
+- attack.t1056.004
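Review bot: The `description` documents what the mavinject utility does ("Injects arbitrary DLL into running process... Requires Windows 10") rather than what the rule detects, which is the convention every sibling rule in this batch follows. Suggest `description: Detects use of mavinject.exe with the /INJECTRUNNING switch to load a DLL into a running process identified by PID; the utility requires Windows 10.` so that an analyst reading the alert sees the detection logic, not the tool's help text.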
diff --git a/rules/sigma/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/sigma/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
new file mode 100644
index 00000000..0c7f2a3d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml
@@ -0,0 +1,32 @@
+
+title: CVE-2021-26857 Exchange Exploitation
+author: Bhabesh Raj
+date: 2021/03/03
+description: Detects possible successful exploitation for vulnerability described
+ in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server’s
+ Unified Messaging service
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*UMWorkerProcess.exe'
+ SELECTION_3:
+ Image:
+ - '*wermgr.exe'
+ - '*WerFault.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Unknown
+id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+- https://nvd.nist.gov/vuln/detail/cve-2021-26857
+status: experimental
+tags:
+- attack.t1203
+- attack.execution
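Review bot: The description carries a stray `|` in the middle of a sentence ("looking for | abnormal subprocesses"), which looks like a block-scalar indicator that survived a reflow, and a curly apostrophe in "Server’s". Suggest `description: Detects possible successful exploitation of CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service`. The detection logic itself (UMWorkerProcess.exe as parent, WER binaries excluded via SELECTION_3) reads correctly.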
diff --git a/rules/sigma/windows/process_creation/sysmon_expand_cabinet_files.yml b/rules/sigma/windows/process_creation/sysmon_expand_cabinet_files.yml
new file mode 100644
index 00000000..9a05f81f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_expand_cabinet_files.yml
@@ -0,0 +1,42 @@
+
+title: Cabinet File Expansion
+author: Bhabesh Raj
+date: 2021/07/30
+description: Adversaries can use the inbuilt expand utility to decompress cab files
+ as seen in recent Iranian MeteorExpress attack
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\expand.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*.cab*'
+ - '*/F:*'
+ - '*-F:*'
+ - '*C:\ProgramData\\*'
+ - '*C:\Public\\*'
+ - '*\AppData\Local\Temp\\*'
+ - '*\AppData\Roaming\Temp\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- System administrator Usage
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 9f107a84-532c-41af-b005-8d12a607639f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/08/31
+references:
+- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
+- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
+status: experimental
+tags:
+- attack.execution
+- attack.t1218
diff --git a/rules/sigma/windows/process_creation/sysmon_hack_wce.yml b/rules/sigma/windows/process_creation/sysmon_hack_wce.yml
new file mode 100644
index 00000000..996a2872
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_hack_wce.yml
@@ -0,0 +1,37 @@
+
+title: Windows Credential Editor
+author: Florian Roth
+date: 2019/12/31
+description: Detects the use of Windows Credential Editor (WCE)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ EventID: 1
+ SELECTION_3:
+ Imphash:
+ - a53a02b997935fd8eedcb5f7abab9b9f
+ - e96a73c7bf33a464c510ede582318bf2
+ SELECTION_4:
+ CommandLine: '*.exe -S'
+ SELECTION_5:
+ ParentImage: '*\services.exe'
+ SELECTION_6:
+ Image: '*\clussvc.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
+ and not (SELECTION_6))
+falsepositives:
+- Another service that uses a single -s command line switch
+id: 7aa7009a-28b9-4344-8c1f-159489a390df
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/15
+references:
+- https://www.ampliasecurity.com/research/windows-credentials-editor/
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.s0005
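Review bot: This rule has no `status` key, while every other rule in this batch carries one; the same omission appears in the APT29, Judgement Panda Credential Access Activity and WMIExec VBS Script rules further down. Add a line such as `status: experimental` between `references` and `tags` so downstream tooling that filters on status treats these rules consistently. SELECTION_1 and SELECTION_2 are both `EventID: 1` and are ANDed in the condition, so one is redundant — a harmless conversion artifact, also present in the Logon Scripts (UserInitMprLogonScript) rule, but it makes the nested condition harder to read than it needs to be.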
diff --git a/rules/sigma/windows/process_creation/sysmon_high_integrity_sdclt.yml b/rules/sigma/windows/process_creation/sysmon_high_integrity_sdclt.yml
new file mode 100644
index 00000000..92ec9d82
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_high_integrity_sdclt.yml
@@ -0,0 +1,29 @@
+
+title: High Integrity Sdclt Process
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for sdclt being spawned as an elevated process. This
+ could be an indicator of sdclt being used for bypass UAC techniques.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*sdclt.exe'
+ SELECTION_3:
+ IntegrityLevel: High
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 40f9af16-589d-4984-b78d-8c2aec023197
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/6
+- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1548.002
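Review bot: SELECTION_2 uses `Image: '*sdclt.exe'` without a path separator, whereas the companion Sdclt Child Processes rule from the same author uses `ParentImage: '*\sdclt.exe'`; as written, any binary whose name merely ends in `sdclt.exe` would match, so `Image: '*\sdclt.exe'` is both tighter and consistent with the sibling rule. The Proxy Execution via Wuauclt rule has the same shape with `Image: '*wuauclt*'`, though there the OriginalFileName alternative in SELECTION_3 suggests the looser match may be deliberate.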
diff --git a/rules/sigma/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/sigma/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
new file mode 100644
index 00000000..4c4689fc
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -0,0 +1,38 @@
+
+title: Logon Scripts (UserInitMprLogonScript)
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ EventID: 1
+ SELECTION_3:
+ ParentImage: '*\userinit.exe'
+ SELECTION_4:
+ Image: '*\explorer.exe'
+ SELECTION_5:
+ CommandLine:
+ - '*netlogon.bat*'
+ - '*UsrLogon.cmd*'
+ SELECTION_6:
+ CommandLine: '*UserInitMprLogonScript*'
+ condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 and not (SELECTION_4))
+ and not (SELECTION_5)) or SELECTION_6))
+falsepositives:
+- exclude legitimate logon scripts
+- penetration tests, red teaming
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://attack.mitre.org/techniques/T1037/
+status: experimental
+tags:
+- attack.t1037
+- attack.t1037.001
+- attack.persistence
diff --git a/rules/sigma/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/sigma/windows/process_creation/sysmon_long_powershell_commandline.yml
new file mode 100644
index 00000000..13385e3f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_long_powershell_commandline.yml
@@ -0,0 +1,33 @@
+
+title: Too Long PowerShell Commandlines
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects Too long PowerShell command lines
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*powershell*'
+ - '*pwsh*'
+ SELECTION_3:
+ Description: Windows Powershell
+ SELECTION_4:
+ Product: PowerShell Core 6
+ SELECTION_5:
+ CommandLine|re: .{1000,}
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Unknown
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
diff --git a/rules/sigma/windows/process_creation/sysmon_netcat_execution.yml b/rules/sigma/windows/process_creation/sysmon_netcat_execution.yml
new file mode 100644
index 00000000..b3a01fae
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_netcat_execution.yml
@@ -0,0 +1,33 @@
+
+title: Ncat Execution
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication
+ between host and C2 server or among infected hosts within a network
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\ncat.exe'
+ SELECTION_3:
+ CommandLine:
+ - '* -lvp *'
+ - '* -l --proxy-type http *'
+ - '* --exec cmd.exe *'
+ - '* -vnl --exec *'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Legitimate ncat use
+id: e31033fc-33f0-4020-9a16-faf9b31cbf08
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://nmap.org/ncat/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1095
diff --git a/rules/sigma/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/sigma/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
new file mode 100644
index 00000000..772e528c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -0,0 +1,39 @@
+
+title: Proxy Execution via Wuauclt
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth
+date: 2020/10/12
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to
+ proxy execute code.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*wuauclt*'
+ SELECTION_3:
+ OriginalFileName: wuauclt.exe
+ SELECTION_4:
+ CommandLine: '*UpdateDeploymentProvider*'
+ SELECTION_5:
+ CommandLine: '*.dll*'
+ SELECTION_6:
+ CommandLine: '*RunHandlerComServer*'
+ SELECTION_7:
+ CommandLine:
+ - '* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *'
+ - '* wuaueng.dll *'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5
+ and SELECTION_6)) and not (SELECTION_7))
+falsepositives:
+- Unknown
+id: af77cf95-c469-471c-b6a0-946c685c4798
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/10
+references:
+- https://dtm.uk/wuauclt/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
diff --git a/rules/sigma/windows/process_creation/sysmon_rclone_execution.yml b/rules/sigma/windows/process_creation/sysmon_rclone_execution.yml
new file mode 100644
index 00000000..b847a568
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_rclone_execution.yml
@@ -0,0 +1,53 @@
+
+title: RClone Execution
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+description: Detects execution of RClone utility for exfiltration as used by various
+ ransomwares strains like REvil, Conti, FiveHands, etc
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Description: Rsync for cloud storage
+ SELECTION_3:
+ CommandLine: '*--config *'
+ SELECTION_4:
+ CommandLine: '*--no-check-certificate *'
+ SELECTION_5:
+ CommandLine: '* copy *'
+ SELECTION_6:
+ Image:
+ - '*\rclone.exe'
+ SELECTION_7:
+ CommandLine:
+ - '*mega*'
+ - '*pcloud*'
+ - '*ftp*'
+ - '*--progress*'
+ - '*--ignore-existing*'
+ - '*--auto-confirm*'
+ - '*--transfers*'
+ - '*--multi-thread-streams*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Legitimate RClone use
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/29
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567.002
diff --git a/rules/sigma/windows/process_creation/sysmon_remove_windows_defender_definition_files.yml b/rules/sigma/windows/process_creation/sysmon_remove_windows_defender_definition_files.yml
new file mode 100644
index 00000000..2cfdf710
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_remove_windows_defender_definition_files.yml
@@ -0,0 +1,35 @@
+
+title: Remove Windows Defender Definition Files
+author: frack113
+date: 2021/07/07
+description: Adversaries may disable security tools to avoid possible detection of
+ their tools and activities by removing Windows Defender Definition Files
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: MpCmdRun.exe
+ SELECTION_3:
+ CommandLine: '* -RemoveDefinitions*'
+ SELECTION_4:
+ CommandLine: '* -All*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
diff --git a/rules/sigma/windows/process_creation/sysmon_sdclt_child_process.yml b/rules/sigma/windows/process_creation/sysmon_sdclt_child_process.yml
new file mode 100644
index 00000000..6f3c9696
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_sdclt_child_process.yml
@@ -0,0 +1,26 @@
+
+title: Sdclt Child Processes
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for sdclt spawning new processes. This could be an
+ indicator of sdclt being used for bypass UAC techniques.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\sdclt.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: da2738f2-fadb-4394-afa7-0a0674885afa
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/6
+- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548.002
diff --git a/rules/sigma/windows/process_creation/sysmon_susp_plink_remote_forward.yml b/rules/sigma/windows/process_creation/sysmon_susp_plink_remote_forward.yml
new file mode 100644
index 00000000..70e384ab
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_susp_plink_remote_forward.yml
@@ -0,0 +1,29 @@
+
+title: Suspicious Plink Remote Forwarding
+author: Florian Roth
+date: 2021/01/19
+description: Detects suspicious Plink tunnel remote forarding to a local port
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Description: Command-line SSH, Telnet, and Rlogin client
+ SELECTION_3:
+ CommandLine: '* -R *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Administrative activity using a remote port forwarding to a local port
+id: 48a61b29-389f-4032-b317-b30de6b95314
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1572
+- attack.lateral_movement
+- attack.t1021.001
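Review bot: The `description` has a typo, "forarding"; suggest `description: Detects suspicious Plink tunnel remote forwarding to a local port`. A similar typo sits in the VMToolsd Suspicious Child Process rule's falsepositives entry (`adminstrator`). The short `'* -R *'` pattern in SELECTION_3 is gated by the Plink Description string, so its scope is acceptable.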
diff --git a/rules/sigma/windows/process_creation/sysmon_susp_service_modification.yml b/rules/sigma/windows/process_creation/sysmon_susp_service_modification.yml
new file mode 100644
index 00000000..f13fd76e
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_susp_service_modification.yml
@@ -0,0 +1,37 @@
+
+title: Stop Or Remove Antivirus Service
+author: frack113
+date: 2021/07/07
+description: Adversaries may disable security tools to avoid possible detection of
+ their tools and activities by stopping antivirus service
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*Stop-Service *'
+ - '*Remove-Service *'
+ SELECTION_3:
+ CommandLine:
+ - '* McAfeeDLPAgentService*'
+ - '* Trend Micro Deep Security Manager*'
+ - '* TMBMServer*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
diff --git a/rules/sigma/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/sigma/windows/process_creation/sysmon_susp_webdav_client_execution.yml
new file mode 100644
index 00000000..b5323fd2
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_susp_webdav_client_execution.yml
@@ -0,0 +1,29 @@
+
+title: Suspicious WebDav Client Execution
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for svchost.exe spawning rundll32.exe with command
+ arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator
+ of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_3:
+ CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/17
+- https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048.003
diff --git a/rules/sigma/windows/process_creation/sysmon_uninstall_crowdstrike_falcon.yml b/rules/sigma/windows/process_creation/sysmon_uninstall_crowdstrike_falcon.yml
new file mode 100644
index 00000000..cae61af4
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_uninstall_crowdstrike_falcon.yml
@@ -0,0 +1,34 @@
+
+title: Uninstall Crowdstrike Falcon
+author: frack113
+date: 2021/07/12
+description: Adversaries may disable security tools to avoid possible detection of
+ their tools and activities by uninstalling Crowdstrike Falcon
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*\WindowsSensor.exe*'
+ SELECTION_3:
+ CommandLine: '* /uninstall*'
+ SELECTION_4:
+ CommandLine: '* /quiet*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Uninstall by admin
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: f0f7be61-9cf5-43be-9836-99d6ef448a18
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
diff --git a/rules/sigma/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/sigma/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml
new file mode 100644
index 00000000..291620cc
--- /dev/null
+++ b/rules/sigma/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml
@@ -0,0 +1,45 @@
+
+title: VMToolsd Suspicious Child Process
+author: behops, Bhabesh Raj
+date: 2021/10/08
+description: Detects suspicious child process creations of VMware Tools process which
+ may indicate persistence setup
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\vmtoolsd.exe'
+ SELECTION_3:
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\rundll32.exe'
+ - '*\regsvr32.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ SELECTION_4:
+ CommandLine:
+ - '*\VMware\VMware Tools\poweron-vm-default.bat*'
+ - '*\VMware\VMware Tools\poweroff-vm-default.bat*'
+ - '*\VMware\VMware Tools\resume-vm-default.bat*'
+ - '*\VMware\VMware Tools\suspend-vm-default.bat*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Legitimate use by adminstrator
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 5687f942-867b-4578-ade7-1e341c46e99a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/10/10
+references:
+- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
+status: experimental
+tags:
+- attack.execution
+- attack.persistence
+- attack.t1059
diff --git a/rules/sigma/windows/process_creation/win_ad_find_discovery.yml b/rules/sigma/windows/process_creation/win_ad_find_discovery.yml
new file mode 100644
index 00000000..88760312
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_ad_find_discovery.yml
@@ -0,0 +1,47 @@
+
+title: AdFind Usage Detection
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
+date: 2021/02/02
+description: AdFind continues to be seen across majority of breaches. It is used to
+ domain trust discovery to plan out subsequent steps in the attack chain.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*domainlist*'
+ - '*trustdmp*'
+ - '*dcmodes*'
+ - '*adinfo*'
+ - '* dclist *'
+ - '*computer_pwdnotreqd*'
+ - '*objectcategory=*'
+ - '*-subnets -f*'
+ - '*name="Domain Admins"*'
+ - '*-sc u:*'
+ - '*domainncs*'
+ - '*dompol*'
+ - '* oudmp *'
+ - '*subnetdmp*'
+ - '*gpodmp*'
+ - '*fspdmp*'
+ - '*users_noexpire*'
+ - '*computers_active*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Admin activity
+id: 9a132afa-654e-11eb-ae93-0242ac130002
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/02/02
+references:
+- https://thedfirreport.com/2020/05/08/adfind-recon/
+- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+status: experimental
+tags:
+- attack.discovery
+- attack.t1482
+- attack.t1018
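Review bot: SELECTION_2 matches on CommandLine alone, and several entries are generic rather than AdFind-specific — `'*objectcategory=*'` occurs in any LDAP filter passed to dsquery, ldifde or PowerShell, and `'*adinfo*'` / `'*domainlist*'` are short enough to appear in unrelated tooling — so at `level: high` with only "Admin activity" documented as a false positive this is likely to be noisy. The absence of an Image match is presumably intentional (to cover renamed copies); if so, say so in the description and widen `falsepositives`, e.g. `- Legitimate LDAP queries from dsquery, ldifde or PowerShell that use objectcategory= filters`.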
diff --git a/rules/sigma/windows/process_creation/win_anydesk_silent_install.yml b/rules/sigma/windows/process_creation/win_anydesk_silent_install.yml
new file mode 100644
index 00000000..1a6558b0
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_anydesk_silent_install.yml
@@ -0,0 +1,33 @@
+
+title: AnyDesk Silent Installation
+author: Ján Trenčanský
+date: 2021/08/06
+description: AnyDesk Remote Desktop silent installation can be used by attacker to
+ gain remote access.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*--install*'
+ SELECTION_3:
+ CommandLine: '*--start-with-win*'
+ SELECTION_4:
+ CommandLine: '*--silent*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate deployment of AnyDesk
+fields:
+- CommandLine
+- ParentCommandLine
+- CurrentDirectory
+id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
+- https://support.anydesk.com/Automatic_Deployment
+status: experimental
+tags:
+- attack.t1219
diff --git a/rules/sigma/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/sigma/windows/process_creation/win_apt_apt29_thinktanks.yml
new file mode 100644
index 00000000..b3e7713d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -0,0 +1,35 @@
+
+title: APT29
+author: Florian Roth
+date: 2018/12/04
+description: This method detects a suspicious PowerShell command line combination
+ as used by APT29 in a campaign against U.S. think tanks.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-noni*'
+ SELECTION_3:
+ CommandLine: '*-ep*'
+ SELECTION_4:
+ CommandLine: '*bypass*'
+ SELECTION_5:
+ CommandLine: '*$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- unknown
+id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
+tags:
+- attack.execution
+- attack.g0016
+- attack.t1086
+- attack.t1059
+- attack.t1059.001
diff --git a/rules/sigma/windows/process_creation/win_apt_babyshark.yml b/rules/sigma/windows/process_creation/win_apt_babyshark.yml
new file mode 100644
index 00000000..e4cf610c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_babyshark.yml
@@ -0,0 +1,37 @@
+
+title: Baby Shark Activity
+author: Florian Roth
+date: 2019/02/24
+description: Detects activity that could be related to Baby Shark malware
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+ - powershell.exe mshta.exe http*
+ - cmd.exe /c taskkill /im cmd.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
+- attack.t1086
+- attack.t1059.003
+- attack.t1059.001
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1170
+- attack.t1218
+- attack.t1218.005
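Review bot: The three CommandLine values in SELECTION_2 are unquoted plain scalars, unlike every other pattern in this batch, and the first and third carry no wildcard at all, so they presumably match only a byte-exact command line — a full path to reg.exe, different spacing, or any extra argument would be missed. If substring matching is intended, quote them and add wildcards, e.g. `- '*reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"*'` and `- '*cmd.exe /c taskkill /im cmd.exe*'`; if exact matching is deliberate, that choice deserves a sentence in the description so later editors do not "fix" it.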
diff --git a/rules/sigma/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/sigma/windows/process_creation/win_apt_bear_activity_gtr19.yml
new file mode 100644
index 00000000..cc6f853d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -0,0 +1,50 @@
+
+title: Judgement Panda Credential Access Activity
+author: Florian Roth
+date: 2019/02/21
+description: Detects Russian group activity as described in Global Threat Report 2019
+ by Crowdstrike
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*-snapshot*'
+ SELECTION_11:
+ CommandLine: '*""*'
+ SELECTION_12:
+ CommandLine: '*c:\users\\*'
+ SELECTION_2:
+ Image: '*\xcopy.exe'
+ SELECTION_3:
+ CommandLine: '*/S*'
+ SELECTION_4:
+ CommandLine: '*/E*'
+ SELECTION_5:
+ CommandLine: '*/C*'
+ SELECTION_6:
+ CommandLine: '*/Q*'
+ SELECTION_7:
+ CommandLine: '*/H*'
+ SELECTION_8:
+ CommandLine: '*\\\*'
+ SELECTION_9:
+ Image: '*\adexplorer.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10
+ and SELECTION_11 and SELECTION_12)))
+falsepositives:
+- unknown
+id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+tags:
+- attack.credential_access
+- attack.t1081
+- attack.t1003
+- attack.t1552.001
+- attack.t1003.003
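Review bot: SELECTION_8 is `'*\\\*'`, three backslashes before the wildcard; under Sigma's escaping rules a backslash immediately before `*` escapes the wildcard, so this reads as a literal `\*` rather than the UNC-style `\\` followed by anything that the xcopy branch appears to target. Worth confirming against the consuming engine; the form the rest of this batch uses for "backslash then wildcard" is `\\*` (as in SELECTION_12's `'*c:\users\\*'`), which would make a double backslash followed by a wildcard `'*\\\\*'`. The selections are also numbered so that SELECTION_10–12 sort ahead of SELECTION_2, which makes the condition harder to follow than the two underlying branches warrant.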
diff --git a/rules/sigma/windows/process_creation/win_apt_bluemashroom.yml b/rules/sigma/windows/process_creation/win_apt_bluemashroom.yml
new file mode 100644
index 00000000..1aa02e81
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_bluemashroom.yml
@@ -0,0 +1,30 @@
+
+title: BlueMashroom DLL Load
+author: Florian Roth
+date: 2019/10/02
+description: Detects a suspicious DLL loading from AppData Local path as described
+ in BlueMashroom report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*\AppData\Local\\*'
+ SELECTION_3:
+ CommandLine: '*\regsvr32*'
+ SELECTION_4:
+ CommandLine: '*,DllEntry*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Unlikely
+id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1117
+- attack.t1218.010
diff --git a/rules/sigma/windows/process_creation/win_apt_cloudhopper.yml b/rules/sigma/windows/process_creation/win_apt_cloudhopper.yml
new file mode 100644
index 00000000..d7924e7b
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_cloudhopper.yml
@@ -0,0 +1,32 @@
+
+title: WMIExec VBS Script
+author: Florian Roth
+date: 2017/04/07
+description: Detects suspicious file execution by wscript and cscript
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cscript.exe'
+ SELECTION_3:
+ CommandLine: '*.vbs*'
+ SELECTION_4:
+ CommandLine: '*/shell*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+fields:
+- CommandLine
+- ParentCommandLine
+id: 966e4016-627f-44f7-8341-f394905c361f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+- attack.execution
+- attack.g0045
+- attack.t1064
+- attack.t1059.005
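Review bot: The description promises detection of execution by `wscript` and `cscript`, but SELECTION_2 only matches `'*\cscript.exe'`, so a `wscript.exe foo.vbs /shell` invocation is not covered and the documentation over-states the rule. Either widen the selection to a list (`- '*\cscript.exe'` / `- '*\wscript.exe'`) or narrow the text to `description: Detects suspicious VBS file execution by cscript`. This rule also lacks a `status:` key that its neighbours have; the same gap is in empiremonkey, equationgroup_dll_u_load, judgement_panda_gtr19 and ta17_293a_ps, and a `status: experimental` line would keep the metadata uniform across the set.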
diff --git a/rules/sigma/windows/process_creation/win_apt_dragonfly.yml b/rules/sigma/windows/process_creation/win_apt_dragonfly.yml
new file mode 100644
index 00000000..04fb0b6c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_dragonfly.yml
@@ -0,0 +1,24 @@
+
+title: CrackMapExecWin
+author: Markus Neis
+date: 2018/04/08
+description: Detects CrackMapExecWin Activity as Described by NCSC
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\crackmapexec.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- None
+id: 04d9079e-3905-4b70-ad37-6bdf11304965
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
+status: experimental
+tags:
+- attack.g0035
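Review bot: The `tags` block carries only the group id `attack.g0035` with no tactic or technique tag, so this rule will not appear on any tactic-based coverage map or dashboard. Add the tactic/technique the referenced NCSC alert attributes to the tool next to the group tag; the same gap exists in lazarus_activity_apr21, lazarus_activity_dec20 and lazarus_loader, whose tags are only `attack.g0032`.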
diff --git a/rules/sigma/windows/process_creation/win_apt_elise.yml b/rules/sigma/windows/process_creation/win_apt_elise.yml
new file mode 100644
index 00000000..d0f2dd4f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_elise.yml
@@ -0,0 +1,33 @@
+
+title: Elise Backdoor
+author: Florian Roth
+date: 2018/01/31
+description: Detects Elise backdoor acitivty as used by APT32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: C:\Windows\SysWOW64\cmd.exe
+ SELECTION_3:
+ CommandLine: '*\Windows\Caches\NavShExt.dll *'
+ SELECTION_4:
+ CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- Unknown
+id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
+status: experimental
+tags:
+- attack.g0030
+- attack.g0050
+- attack.s0081
+- attack.execution
+- attack.t1059
+- attack.t1059.003
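Review bot: The description has a typo, `acitivty`, which is rendered verbatim in generated rule documentation; the line should read `description: Detects Elise backdoor activity as used by APT32`. The same misspelling appears in win_apt_sofacy.yml (`Detects Trojan loader acitivty as used by APT28`) and should be fixed there too.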
diff --git a/rules/sigma/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/sigma/windows/process_creation/win_apt_emissarypanda_sep19.yml
new file mode 100644
index 00000000..ebb10f90
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_emissarypanda_sep19.yml
@@ -0,0 +1,30 @@
+
+title: Emissary Panda Malware SLLauncher
+author: Florian Roth
+date: 2018/09/03
+description: Detects the execution of DLL side-loading malware used by threat group
+ Emissary Panda aka APT27
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\sllauncher.exe'
+ SELECTION_3:
+ Image: '*\svchost.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
+- https://twitter.com/cyb3rops/status/1168863899531132929
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
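Review bot: `date: 2018/09/03` looks inconsistent with the file name `win_apt_emissarypanda_sep19.yml` and with the twitter reference, whose status id appears to date from September 2019; if the rule was authored in 2019 the line should be `date: 2019/09/03`. The publication date cannot be confirmed from the diff alone, so please check it against the source rule before changing it.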
diff --git a/rules/sigma/windows/process_creation/win_apt_empiremonkey.yml b/rules/sigma/windows/process_creation/win_apt_empiremonkey.yml
new file mode 100644
index 00000000..94ae08ec
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_empiremonkey.yml
@@ -0,0 +1,29 @@
+
+title: Empire Monkey
+author: Markus Neis
+date: 2019/04/02
+description: Detects EmpireMonkey APT reported Activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*/i:%APPDATA%\logs.txt scrobj.dll'
+ SELECTION_3:
+ Image: '*\cutil.exe'
+ SELECTION_4:
+ Description: Microsoft(C) Registerserver
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Very Unlikely
+id: 10152a7b-b566-438f-a33c-390b607d1c8d
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
+tags:
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
diff --git a/rules/sigma/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/sigma/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
new file mode 100644
index 00000000..94f1794d
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -0,0 +1,32 @@
+
+title: Equation Group DLL_U Load
+author: Florian Roth
+date: 2019/03/04
+description: Detects a specific tool and export used by EquationGroup
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_3:
+ CommandLine: '*,dll_u'
+ SELECTION_4:
+ CommandLine: '* -export dll_u *'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- Unknown
+id: d465d1d8-27a2-4cca-9621-a800f37cf72e
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+- https://securelist.com/apt-slingshot/84312/
+- https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+- attack.g0020
+- attack.defense_evasion
+- attack.t1085
+- attack.t1218.011
diff --git a/rules/sigma/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/sigma/windows/process_creation/win_apt_evilnum_jul20.yml
new file mode 100644
index 00000000..41625fdd
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_evilnum_jul20.yml
@@ -0,0 +1,37 @@
+
+title: EvilNum Golden Chickens Deployment via OCX Files
+author: Florian Roth
+date: 2020/07/10
+description: Detects Golden Chickens deployment method as used by Evilnum in report
+ published in July 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*regsvr32*'
+ SELECTION_3:
+ CommandLine: '*/s*'
+ SELECTION_4:
+ CommandLine: '*/i*'
+ SELECTION_5:
+ CommandLine: '*\AppData\Roaming\\*'
+ SELECTION_6:
+ CommandLine: '*.ocx*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1085
+- attack.t1218.011
diff --git a/rules/sigma/windows/process_creation/win_apt_greenbug_may20.yml b/rules/sigma/windows/process_creation/win_apt_greenbug_may20.yml
new file mode 100644
index 00000000..264040d5
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_greenbug_may20.yml
@@ -0,0 +1,62 @@
+
+title: Greenbug Campaign Indicators
+author: Florian Roth
+date: 2020/05/20
+description: Detects tools and process executions as observed in a Greenbug campaign
+ in May 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*bitsadmin*'
+ SELECTION_3:
+ CommandLine: '*/transfer*'
+ SELECTION_4:
+ CommandLine: '*CSIDL_APPDATA*'
+ SELECTION_5:
+ CommandLine:
+ - '*CSIDL_SYSTEM_DRIVE*'
+ SELECTION_6:
+ CommandLine:
+ - '*\msf.ps1*'
+ - '*8989 -e cmd.exe*'
+ - '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
+ - '*-nop -w hidden -c $k=new-object*'
+ - '*[Net.CredentialCache]::DefaultCredentials;IEX *'
+ - '* -nop -w hidden -c $m=new-object net.webclient;$m*'
+ - '*-noninteractive -executionpolicy bypass whoami*'
+ - '*-noninteractive -executionpolicy bypass netstat -a*'
+ - '*L3NlcnZlcj1*'
+ SELECTION_7:
+ Image:
+ - '*\adobe\Adobe.exe'
+ - '*\oracle\local.exe'
+ - '*\revshell.exe'
+ - '*infopagesbackup\ncat.exe'
+ - '*CSIDL_SYSTEM\cmd.exe'
+ - '*\programdata\oracle\java.exe'
+ - '*CSIDL_COMMON_APPDATA\comms\comms.exe'
+ - '*\Programdata\VMware\Vmware.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5
+ or SELECTION_6 or SELECTION_7))
+falsepositives:
+- Unknown
+id: 3711eee4-a808-4849-8a14-faf733da3612
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+status: experimental
+tags:
+- attack.g0049
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.command_and_control
+- attack.t1105
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
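Review bot: SELECTION_4, SELECTION_5 and two entries of SELECTION_7 still contain literal `CSIDL_APPDATA`, `CSIDL_SYSTEM_DRIVE`, `CSIDL_SYSTEM` and `CSIDL_COMMON_APPDATA` tokens, which look like path placeholders that were never expanded into real paths during conversion; as written, those branches cannot match a Windows command line, and the critical-level bitsadmin-to-AppData branch silently never fires. Please confirm whether the consuming backend expands `CSIDL_*` itself; if it does not, the generator should substitute the concrete paths (e.g. `%AppData%`, `C:\ProgramData`) before emitting the rule.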
diff --git a/rules/sigma/windows/process_creation/win_apt_hafnium.yml b/rules/sigma/windows/process_creation/win_apt_hafnium.yml
new file mode 100644
index 00000000..7f34eaad
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_hafnium.yml
@@ -0,0 +1,93 @@
+
+title: Exchange Exploitation Activity
+author: Florian Roth
+date: 2021/03/09
+description: Detects activity observed by different researchers to be HAFNIUM group
+ activity (or related) on Exchange servers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*Temp\__output*'
+ SELECTION_11:
+ CommandLine: '*%TEMP%\execute.bat*'
+ SELECTION_12:
+ Image: '*Users\Public\opera\Opera_browser.exe'
+ SELECTION_13:
+ Image: '*Opera_browser.exe'
+ SELECTION_14:
+ ParentImage:
+ - '*\services.exe'
+ - '*\svchost.exe'
+ SELECTION_15:
+ Image: '*\ProgramData\VSPerfMon\\*'
+ SELECTION_16:
+ CommandLine: '* -t7z *'
+ SELECTION_17:
+ CommandLine: '*C:\Programdata\pst*'
+ SELECTION_18:
+ CommandLine: '*\it.zip*'
+ SELECTION_19:
+ Image: '*\makecab.exe'
+ SELECTION_2:
+ CommandLine: '*attrib*'
+ SELECTION_20:
+ CommandLine:
+ - '*Microsoft\Exchange Server\\*'
+ - '*inetpub\wwwroot*'
+ SELECTION_21:
+ CommandLine:
+ - '*\Temp\xx.bat*'
+ - '*Windows\WwanSvcdcs*'
+ - '*Windows\Temp\cw.exe*'
+ SELECTION_22:
+ CommandLine: '*\comsvcs.dll*'
+ SELECTION_23:
+ CommandLine: '*Minidump*'
+ SELECTION_24:
+ CommandLine: '*\inetpub\wwwroot*'
+ SELECTION_25:
+ CommandLine: '*dsquery*'
+ SELECTION_26:
+ CommandLine: '* -uco *'
+ SELECTION_27:
+ CommandLine: '*\inetpub\wwwroot*'
+ SELECTION_3:
+ CommandLine: '* +h *'
+ SELECTION_4:
+ CommandLine: '* +s *'
+ SELECTION_5:
+ CommandLine: '* +r *'
+ SELECTION_6:
+ CommandLine: '*.aspx*'
+ SELECTION_7:
+ CommandLine: '*schtasks*'
+ SELECTION_8:
+ CommandLine: '*VSPerfMon*'
+ SELECTION_9:
+ CommandLine: '*vssadmin list shadows*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
+ or SELECTION_11 or SELECTION_12 or (SELECTION_13 and SELECTION_14) or SELECTION_15
+ or (SELECTION_16 and SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20)
+ or SELECTION_21 or (SELECTION_22 and SELECTION_23 and SELECTION_24) or (SELECTION_25
+ and SELECTION_26 and SELECTION_27)))
+falsepositives:
+- Unknown
+id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/03/16
+references:
+- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
+- https://twitter.com/BleepinComputer/status/1372218235949617161
+status: experimental
+tags:
+- attack.persistence
+- attack.t1546
+- attack.t1053
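Review bot: SELECTION_24 and SELECTION_27 are the identical pattern `'*\inetpub\wwwroot*'`, so the dsquery branch can reuse SELECTION_24 and SELECTION_27 can be dropped, shortening a 27-selection condition without changing what fires. With nine OR-branches drawn from five references, a `#` comment above `condition:` that names which report each branch comes from would make the rule far easier to audit and to prune when a branch turns noisy.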
diff --git a/rules/sigma/windows/process_creation/win_apt_hurricane_panda.yml b/rules/sigma/windows/process_creation/win_apt_hurricane_panda.yml
new file mode 100644
index 00000000..2eb25834
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_hurricane_panda.yml
@@ -0,0 +1,32 @@
+
+title: Hurricane Panda Activity
+author: Florian Roth
+date: 2019/03/04
+description: Detects Hurricane Panda Activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*localgroup*'
+ SELECTION_3:
+ CommandLine: '*admin*'
+ SELECTION_4:
+ CommandLine: '*/add*'
+ SELECTION_5:
+ CommandLine:
+ - '*\Win64.exe*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5))
+falsepositives:
+- Unknown
+id: 0eb2107b-a596-422e-b123-b389d5594ed7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.g0009
+- attack.t1068
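Review bot: The first branch (`*localgroup*` and `*admin*` and `*/add*`) fires on any `net localgroup administrators <user> /add`, which is routine helpdesk and provisioning activity, yet `falsepositives` says only `Unknown` at level high. Document the known benign source so analysts can triage, e.g. `- Legitimate local administrator group changes by IT staff or provisioning scripts`, or constrain the branch with the process context the CrowdStrike report describes. The `*\Win64.exe*` branch is unaffected.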
diff --git a/rules/sigma/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/sigma/windows/process_creation/win_apt_judgement_panda_gtr19.yml
new file mode 100644
index 00000000..d6ede255
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -0,0 +1,42 @@
+
+title: Judgement Panda Exfil Activity
+author: Florian Roth
+date: 2019/02/21
+description: Detects Judgement Panda activity as described in Global Threat Report
+ 2019 by Crowdstrike
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*eprod.ldf'
+ SELECTION_3:
+ CommandLine:
+ - '*\ldifde.exe -f -n *'
+ - '*\7za.exe a 1.7z *'
+ - '*\aaaa\procdump64.exe*'
+ - '*\aaaa\netsess.exe*'
+ - '*\aaaa\7za.exe*'
+ - '*copy .\1.7z \\*'
+ - '*copy \\client\c$\aaaa\\*'
+ SELECTION_4:
+ Image: C:\Users\Public\7za.exe
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+tags:
+- attack.lateral_movement
+- attack.g0010
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.exfiltration
+- attack.t1002
+- attack.t1560.001
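Review bot: `falsepositives: - unknown` is lowercase here while elise, hafnium and most other rules in this change write `Unknown`; the same inconsistency is in lazarus_loader, lazarus_session_highjack and ta505_dropper. These values are shown verbatim in generated documentation, so normalising to `- Unknown` keeps the rendered output uniform.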
diff --git a/rules/sigma/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/sigma/windows/process_creation/win_apt_ke3chang_regadd.yml
new file mode 100644
index 00000000..a3c317a8
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -0,0 +1,31 @@
+
+title: Ke3chang Registry Key Modifications
+author: Markus Neis, Swisscom
+date: 2020/06/18
+description: Detects Registry modifications performed by Ke3chang malware in campaigns
+ running in 2019 and 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*'
+ - '*-Property String -name Check_Associations -value*'
+ - '*-Property DWORD -name IEHarden -value 0 -Force*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Will need to be looked for combinations of those processes
+id: 7b544661-69fc-419f-9a59-82ccc328f205
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
+- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+status: experimental
+tags:
+- attack.g0004
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
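Review bot: The `falsepositives` entry `Will need to be looked for combinations of those processes` is not a false-positive source and is hard to parse; it reads like a triage instruction. State the benign case instead, e.g. `- Administrative scripts that configure IE first-run or hardening settings via registry cmdlets`, since the three SELECTION_2 fragments look like generic PowerShell registry-property arguments that legitimate configuration scripts can also produce.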
diff --git a/rules/sigma/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/sigma/windows/process_creation/win_apt_lazarus_activity_apr21.yml
new file mode 100644
index 00000000..c64a23b1
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_lazarus_activity_apr21.yml
@@ -0,0 +1,40 @@
+
+title: Lazarus Activity
+author: Bhabesh Raj
+date: 2021/04/20
+description: Detects different process creation events as described in Malwarebytes's
+ threat report on Lazarus group activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*mshta*'
+ SELECTION_3:
+ CommandLine: '*.zip*'
+ SELECTION_4:
+ ParentImage:
+ - C:\Windows\System32\wbem\wmiprvse.exe
+ SELECTION_5:
+ Image:
+ - C:\Windows\System32\mshta.exe
+ SELECTION_6:
+ ParentImage:
+ - '*:\Users\Public\\*'
+ SELECTION_7:
+ Image:
+ - C:\Windows\System32\rundll32.exe
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Should not be any false positives
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+status: experimental
+tags:
+- attack.g0032
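Review bot: SELECTION_4/SELECTION_5 (wmiprvse.exe parent spawning mshta.exe) is the same pairing that win_apt_ta505_dropper.yml in this change matches with `'*\wmiprvse.exe'` / `'*\mshta.exe'`, but here both are exact `C:\Windows\System32\...` paths, so a SysWOW64 mshta or a non-C: system drive matches the TA505 rule and not this one while both describe the same behaviour. Either align the two on the wildcard form or note in the description why this rule is deliberately narrower. `falsepositives: Should not be any false positives` is also a strong claim for an `mshta` plus `.zip` command-line branch; `- Unknown` or a concrete benign case would be more accurate.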
diff --git a/rules/sigma/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/sigma/windows/process_creation/win_apt_lazarus_activity_dec20.yml
new file mode 100644
index 00000000..256d2819
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_lazarus_activity_dec20.yml
@@ -0,0 +1,43 @@
+
+title: Lazarus Activity
+author: Florian Roth
+date: 2020/12/23
+description: Detects different process creation events as described in various threat
+ reports on Lazarus group activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*reg.exe save hklm\sam %temp%\~reg_sam.save*'
+ - '*1q2w3e4r@#$@#$@#$*'
+ - '* -hp1q2w3e4 *'
+ - '*.dat data03 10000 -p *'
+ SELECTION_3:
+ CommandLine: '*process call create*'
+ SELECTION_4:
+ CommandLine: '* > %temp%\~*'
+ SELECTION_5:
+ CommandLine: '*netstat -aon | find *'
+ SELECTION_6:
+ CommandLine: '* > %temp%\~*'
+ SELECTION_7:
+ CommandLine:
+ - '*.255 10 C:\ProgramData\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6) or SELECTION_7))
+falsepositives:
+- Overlap with legitimate process activity in some cases (especially selection 3 and
+ 4)
+id: 24c4d154-05a4-4b99-b57d-9b977472443a
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
+- https://www.hvs-consulting.de/lazarus-report/
+status: experimental
+tags:
+- attack.g0032
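Review bot: SELECTION_4 and SELECTION_6 are the identical pattern `'* > %temp%\~*'`, so one selection can serve both the `process call create` and the `netstat -aon | find` branches: `condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4) or (SELECTION_5 and SELECTION_4) or SELECTION_7))`. The `falsepositives` text refers to "selection 3 and 4", which after renaming to SELECTION_N no longer clearly identifies the branches; naming the command patterns instead (`process call create` / `netstat -aon` redirected to %temp%) keeps it accurate regardless of numbering.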
diff --git a/rules/sigma/windows/process_creation/win_apt_lazarus_loader.yml b/rules/sigma/windows/process_creation/win_apt_lazarus_loader.yml
new file mode 100644
index 00000000..fb8a26f1
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_lazarus_loader.yml
@@ -0,0 +1,45 @@
+
+title: Lazarus Loaders
+author: Florian Roth, wagga
+date: 2020/12/23
+description: Detects different loaders as described in various threat reports on Lazarus
+ group activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*cmd.exe /c *'
+ SELECTION_3:
+ CommandLine: '* -p 0x*'
+ SELECTION_4:
+ CommandLine:
+ - '*C:\ProgramData\\*'
+ - '*C:\RECYCLER\\*'
+ SELECTION_5:
+ CommandLine: '*rundll32.exe *'
+ SELECTION_6:
+ CommandLine: '*C:\ProgramData\\*'
+ SELECTION_7:
+ CommandLine:
+ - '*.bin,*'
+ - '*.tmp,*'
+ - '*.dat,*'
+ - '*.io,*'
+ - '*.ini,*'
+ - '*.db,*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5
+ and SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://www.hvs-consulting.de/lazarus-report/
+- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
+status: experimental
+tags:
+- attack.g0032
diff --git a/rules/sigma/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/sigma/windows/process_creation/win_apt_lazarus_session_highjack.yml
new file mode 100644
index 00000000..10d97282
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_lazarus_session_highjack.yml
@@ -0,0 +1,32 @@
+
+title: Lazarus Session Highjacker
+author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
+date: 2020/06/03
+description: Detects executables launched outside their default directories as used
+ by Lazarus Group (Bluenoroff)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\msdtc.exe'
+ - '*\gpvc.exe'
+ SELECTION_3:
+ Image:
+ - C:\Windows\System32\\*
+ - C:\Windows\SysWOW64\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
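Review bot: The title `Lazarus Session Highjacker` misspells "hijacker" (the file name repeats it), so the rendered rule list carries the typo; `title: Lazarus Session Hijacker` fixes the visible text. The exclusion SELECTION_3 also hard-codes `C:\Windows\System32\\*` and `C:\Windows\SysWOW64\\*`, so on a host whose system drive is not C: the legitimate msdtc.exe/gpvc.exe escapes the exclusion and fires at level high; a pattern such as `'*\Windows\System32\\*'` avoids the drive-letter assumption at the cost of a slightly looser exclusion. Whether the backend compares these unquoted paths case-insensitively is not visible from the diff and is worth a comment.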
diff --git a/rules/sigma/windows/process_creation/win_apt_mustangpanda.yml b/rules/sigma/windows/process_creation/win_apt_mustangpanda.yml
new file mode 100644
index 00000000..868b160f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_mustangpanda.yml
@@ -0,0 +1,44 @@
+
+title: Mustang Panda Dropper
+author: Florian Roth, oscd.community
+date: 2019/10/30
+description: Detects specific process parameters as used by Mustang Panda droppers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*Temp\wtask.exe /create*'
+ - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
+ - '*/tn "Security Script *'
+ - '*%windir:~-1,1%*'
+ SELECTION_3:
+ CommandLine: '*/E:vbscript*'
+ SELECTION_4:
+ CommandLine: '*C:\Users\\*'
+ SELECTION_5:
+ CommandLine: '*.txt*'
+ SELECTION_6:
+ CommandLine: '*/F*'
+ SELECTION_7:
+ Image: '*Temp\winwsh.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6) or SELECTION_7))
+falsepositives:
+- Unlikely
+fields:
+- CommandLine
+- ParentCommandLine
+id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
+- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
+- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+status: experimental
+tags:
+- attack.t1587.001
+- attack.resource_development
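Review bot: The tags `attack.t1587.001` / `attack.resource_development` describe adversary-side malware development, which a process_creation rule on the victim host never observes; the patterns here (`Temp\wtask.exe /create`, `/tn "Security Script`, `/E:vbscript`) are execution and scheduled-task behaviour on the endpoint. A tactic tag matching what the telemetry actually shows would make coverage mapping accurate; the specific technique ids should be taken from the referenced Anomali analysis rather than guessed here.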
diff --git a/rules/sigma/windows/process_creation/win_apt_revil_kaseya.yml b/rules/sigma/windows/process_creation/win_apt_revil_kaseya.yml
new file mode 100644
index 00000000..03f7b9f9
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_revil_kaseya.yml
@@ -0,0 +1,47 @@
+
+title: REvil Kaseya Incident Malware Patterns
+author: Florian Roth
+date: 2021/07/03
+description: Detects process command line patterns and locations used by REvil group
+ in Kaseya incident (can also match on other malware)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*C:\Windows\cert.exe*'
+ - '*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem
+ $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess
+ Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled*'
+ - '*del /q /f c:\kworking\agent.crt*'
+ - '*Kaseya VSA Agent Hot-fix*'
+ - '*\AppData\Local\Temp\MsMpEng.exe*'
+ - '*rmdir /s /q %SystemDrive%\inetpub\logs*'
+ - '*del /s /q /f %SystemDrive%\\*.log*'
+ - '*c:\kworking1\agent.exe*'
+ - '*c:\kworking1\agent.crt*'
+ SELECTION_3:
+ Image:
+ - C:\Windows\MsMpEng.exe
+ - C:\Windows\cert.exe
+ - C:\kworking\agent.exe
+ - C:\kworking1\agent.exe
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/05
+references:
+- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
+- https://www.joesandbox.com/analysis/443736/0/html
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
+- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
+status: experimental
+tags:
+- attack.execution
+- attack.g0115
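Review bot: The condition `(SELECTION_1 and SELECTION_2 and SELECTION_3)` requires a command-line pattern AND an image from SELECTION_3 on the same event, but most SELECTION_2 strings (`Set-MpPreference …`, `del /q /f c:\kworking\agent.crt`, `rmdir /s /q %SystemDrive%\inetpub\logs`) are executed by powershell.exe or cmd.exe, whose image is not in that list, so those branches can never fire. The upstream rule most likely intended the two selections as alternatives, i.e. `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))`; please verify against the source before changing it, since the OR form also lets a bare `C:\Windows\cert.exe` image match on its own, which appears to be the point of listing it.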
diff --git a/rules/sigma/windows/process_creation/win_apt_sofacy.yml b/rules/sigma/windows/process_creation/win_apt_sofacy.yml
new file mode 100644
index 00000000..3ad219ac
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_sofacy.yml
@@ -0,0 +1,39 @@
+
+title: Sofacy Trojan Loader Activity
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/01
+description: Detects Trojan loader acitivty as used by APT28
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*%APPDATA%\\*'
+ SELECTION_4:
+ CommandLine: '*.dat",*'
+ SELECTION_5:
+ CommandLine: '*.dll",#1'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/11/28
+references:
+- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+- https://twitter.com/ClearskySec/status/960924755355369472
+status: experimental
+tags:
+- attack.g0007
+- attack.execution
+- attack.t1059
+- attack.t1059.003
+- attack.defense_evasion
+- attack.t1085
+- car.2013-10-002
+- attack.t1218.011
diff --git a/rules/sigma/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/sigma/windows/process_creation/win_apt_ta17_293a_ps.yml
new file mode 100644
index 00000000..d99bc137
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_ta17_293a_ps.yml
@@ -0,0 +1,28 @@
+
+title: Ps.exe Renamed SysInternals Tool
+author: Florian Roth
+date: 2017/10/22
+description: Detects renamed SysInternals tool execution with a binary named ps.exe
+ as used by Dragonfly APT group and documented in TA17-293A report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: ps.exe -accepteula
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Renamed SysInternals tool
+id: 18da1007-3f26-470f-875d-f77faf1cab31
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.us-cert.gov/ncas/alerts/TA17-293A
+tags:
+- attack.defense_evasion
+- attack.g0035
+- attack.t1036
+- attack.t1036.003
+- car.2013-05-009
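Review bot: SELECTION_2 `CommandLine: ps.exe -accepteula` has no wildcards, so if the backend treats a plain value as a full-string match it only fires when the command line is exactly those two tokens, missing `C:\tools\ps.exe -accepteula \\host …` and any quoted form. If substring matching is intended, `'*\ps.exe -accepteula*'` (anchored on the path separator so `apps.exe` does not match) is the usual form; if the exact match is deliberate, a `#` comment saying so would stop the next reader from "fixing" it.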
diff --git a/rules/sigma/windows/process_creation/win_apt_ta505_dropper.yml b/rules/sigma/windows/process_creation/win_apt_ta505_dropper.yml
new file mode 100644
index 00000000..9d9b8d6e
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_ta505_dropper.yml
@@ -0,0 +1,27 @@
+
+title: TA505 Dropper Load Pattern
+author: Florian Roth
+date: 2020/12/08
+description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious
+ documents
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\mshta.exe'
+ SELECTION_3:
+ ParentImage: '*\wmiprvse.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/ForensicITGuy/status/1334734244120309760
+status: experimental
+tags:
+- attack.execution
+- attack.g0092
diff --git a/rules/sigma/windows/process_creation/win_apt_taidoor.yml b/rules/sigma/windows/process_creation/win_apt_taidoor.yml
new file mode 100644
index 00000000..ebe10664
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_taidoor.yml
@@ -0,0 +1,36 @@
+
+title: TAIDOOR RAT DLL Load
+author: Florian Roth
+date: 2020/07/30
+description: Detects specific process characteristics of Chinese TAIDOOR RAT malware
+ load
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*dll,MyStart*'
+ - '*dll MyStart*'
+ SELECTION_3:
+ EventID: 1
+ SELECTION_4:
+ CommandLine:
+ - '* MyStart'
+ SELECTION_5:
+ CommandLine:
+ - '*rundll32.exe*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Unknown
+id: d1aa3382-abab-446f-96ea-4de52908210b
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
+status: experimental
+tags:
+- attack.execution
+- attack.t1055
+- attack.t1055.001
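Review bot: SELECTION_3 repeats the `EventID: 1` that SELECTION_1 already requires for the whole rule, so `(SELECTION_3 and SELECTION_4 and SELECTION_5)` reduces to `(SELECTION_4 and SELECTION_5)` with no change in what matches; win_apt_unc2452_cmds.yml has the same redundant SELECTION_13. This looks like an artefact of converting two source selections that each carried the EventID, and dropping the duplicate keeps the condition minimal. The `attack.t1055`/`t1055.001` (process injection) tags also seem an odd fit for a rundll32 `MyStart` export match, which is DLL execution; worth checking against the CISA AR20-216A reference.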
diff --git a/rules/sigma/windows/process_creation/win_apt_tropictrooper.yml b/rules/sigma/windows/process_creation/win_apt_tropictrooper.yml
new file mode 100644
index 00000000..badba166
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_tropictrooper.yml
@@ -0,0 +1,25 @@
+
+title: TropicTrooper Campaign November 2018
+author: '@41thexplorer, Microsoft Defender ATP'
+date: 2019/11/12
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations
+ in the energy and food and beverage sectors in Asia
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+ condition: (SELECTION_1 and SELECTION_2)
+id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+status: stable
+tags:
+- attack.execution
+- attack.t1059
+- attack.t1059.001
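Review bot: This is the only rule in the change without a `falsepositives:` block, while `status: stable` is the strongest status used anywhere here; a stable rule in particular should state its known benign sources, even if that is `falsepositives:` / `- Unknown`. The long `abCCC…Cc` marker in SELECTION_2 is a fixed string, so a one-line `#` comment noting that it is the literal padding pattern from the referenced Microsoft blog would tell future maintainers why a seemingly arbitrary string is a stable high-level indicator.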
diff --git a/rules/sigma/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/sigma/windows/process_creation/win_apt_turla_comrat_may20.yml
new file mode 100644
index 00000000..62912b86
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -0,0 +1,37 @@
+
+title: Turla Group Commands May 2020
+author: Florian Roth
+date: 2020/05/26
+description: Detects commands used by Turla group as reported by ESET in May 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*tracert -h 10 yahoo.com*'
+ - '*.WSqmCons))|iex;*'
+ - '*Fr`omBa`se6`4Str`ing*'
+ SELECTION_3:
+ CommandLine: '*net use https://docs.live.net*'
+ SELECTION_4:
+ CommandLine: '*@aol.co.uk*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Unknown
+id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+status: experimental
+tags:
+- attack.g0010
+- attack.execution
+- attack.t1086
+- attack.t1059.001
+- attack.t1053
+- attack.t1053.005
+- attack.t1027
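Review bot: The SELECTION_2 entry `'*tracert -h 10 yahoo.com*'` stands alone in the OR, so any administrator or troubleshooting script running that exact tracert fires this critical-level rule, and `falsepositives: Unknown` gives analysts nothing to triage with. Document it, e.g. `- Network troubleshooting with tracert to yahoo.com`, or combine the tracert pattern with another indicator from the ESET report. The PowerShell patterns (`.WSqmCons))|iex;` and the backtick-split FromBase64String) are specific enough to remain standalone.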
diff --git a/rules/sigma/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/sigma/windows/process_creation/win_apt_unc2452_cmds.yml
new file mode 100644
index 00000000..a20216d6
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_unc2452_cmds.yml
@@ -0,0 +1,60 @@
+
+title: UNC2452 Process Creation Patterns
+author: Florian Roth
+date: 2021/01/22
+description: Detects a specific process creation patterns as seen used by UNC2452
+ and provided by Microsoft as Microsoft Defender ATP queries
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*cmd.exe /C *'
+ SELECTION_11:
+ CommandLine: '*rundll32 c:\windows\\*'
+ SELECTION_12:
+ CommandLine: '*.dll *'
+ SELECTION_13:
+ EventID: 1
+ SELECTION_14:
+ ParentImage: '*\rundll32.exe'
+ SELECTION_15:
+ Image: '*\dllhost.exe'
+ SELECTION_16:
+ CommandLine:
+ - ' '
+ - ''
+ SELECTION_2:
+ CommandLine:
+ - '*7z.exe a -v500m -mx9 -r0 -p*'
+ SELECTION_3:
+ ParentCommandLine: '*wscript.exe*'
+ SELECTION_4:
+ ParentCommandLine: '*.vbs*'
+ SELECTION_5:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_6:
+ CommandLine: '*C:\Windows*'
+ SELECTION_7:
+ CommandLine: '*.dll,Tk_*'
+ SELECTION_8:
+ ParentImage: '*\rundll32.exe'
+ SELECTION_9:
+ ParentCommandLine: '*C:\Windows*'
+ condition: (SELECTION_1 and ((((SELECTION_2 or (SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9
+ and SELECTION_10)) or (SELECTION_11 and SELECTION_12)) or (SELECTION_13 and (SELECTION_14
+ and SELECTION_15) and not (SELECTION_16))))
+falsepositives:
+- Unknown
+id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
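Review bot: `SELECTION_13` is an exact duplicate of `SELECTION_1` (`EventID: 1`), and since the whole condition is already wrapped in `SELECTION_1 and (...)`, the `SELECTION_13 and` inside the last group is redundant and can be removed, leaving `(SELECTION_14 and SELECTION_15) and not (SELECTION_16)`. The same duplicated EventID selection appears in win_attrib_hiding_files.yml (`SELECTION_4`). The exclusion `SELECTION_16` lists `' '` and `''` as CommandLine values; whether a backend treats `''` as "field equals empty string" or "field absent" varies by converter, so a comment above it stating the intent, `# exclude dllhost.exe launched with no arguments`, would make the rule easier to maintain.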
diff --git a/rules/sigma/windows/process_creation/win_apt_unc2452_ps.yml b/rules/sigma/windows/process_creation/win_apt_unc2452_ps.yml
new file mode 100644
index 00000000..8d4f87bf
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_unc2452_ps.yml
@@ -0,0 +1,34 @@
+
+title: UNC2452 PowerShell Pattern
+author: Florian Roth
+date: 2021/01/20
+description: Detects a specific PowerShell command line pattern used by the UNC2452
+ actors as mentioned in Microsoft and Symantec reports
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Invoke-WMIMethod win32_process -name create -argumentlist*'
+ SELECTION_3:
+ CommandLine: '*rundll32 c:\windows*'
+ SELECTION_4:
+ CommandLine: '*wmic /node:*'
+ SELECTION_5:
+ CommandLine: '*process call create "rundll32 c:\windows*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)))
+falsepositives:
+- Unknown, unlikely, but possible
+id: b7155193-8a81-4d8f-805d-88de864ca50c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/01/22
+references:
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
+- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1047
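Review bot: This rule has no `status` field, while the neighbouring rules all declare `status: experimental` or `status: stable`; tooling that filters rules by status will silently skip or misclassify it. Add `status: experimental` after the `references` list (alphabetical position, matching the other files). The same omission is in win_apt_zxshell.yml later in this commit.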
diff --git a/rules/sigma/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/sigma/windows/process_creation/win_apt_unidentified_nov_18.yml
new file mode 100644
index 00000000..ed9f69de
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_unidentified_nov_18.yml
@@ -0,0 +1,28 @@
+
+title: Unidentified Attacker November 2018
+author: '@41thexplorer, Microsoft Defender ATP'
+date: 2018/11/20
+description: A sigma rule detecting an unidetefied attacker who used phishing emails
+ to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29
+ campaign in 2016.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*cyzfc.dat,*'
+ SELECTION_3:
+ CommandLine: '*PointFunctionCall'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+id: 7453575c-a747-40b9-839b-125a0aae324b
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/DrunkBinary/status/1063075530180886529
+status: stable
+tags:
+- attack.execution
+- attack.t1218.011
+- attack.t1085
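Review bot: The rule has no `falsepositives` entry, unlike the other new rules, and the description contains a typo and awkward phrasing ("unidetefied", "on November 2018"). Suggested description: `A sigma rule detecting an unidentified attacker who used phishing emails to target high-profile orgs in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign in 2016.` — note the group name is spelled "YYTRIUM" in the hunk, which looks like a typo for YTTRIUM but should be confirmed against the referenced tweet. Add at least `falsepositives:` / `- Unknown` so the field is present for downstream consumers.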
diff --git a/rules/sigma/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/sigma/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
new file mode 100644
index 00000000..bc531f20
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -0,0 +1,46 @@
+
+title: Winnti Malware HK University Campaign
+author: Florian Roth, Markus Neis
+date: 2020/02/01
+description: Detects specific process characteristics of Winnti malware noticed in
+ Dec/Jan 2020 in a campaign against Honk Kong universities
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ Image: '*\SearchFilterHost.exe'
+ SELECTION_2:
+ ParentImage:
+ - '*C:\Windows\Temp*'
+ - '*\hpqhvind.exe*'
+ SELECTION_3:
+ Image: C:\ProgramData\DRM*
+ SELECTION_4:
+ ParentImage: C:\ProgramData\DRM*
+ SELECTION_5:
+ Image: '*\wmplayer.exe'
+ SELECTION_6:
+ ParentImage: '*\Test.exe'
+ SELECTION_7:
+ Image: '*\wmplayer.exe'
+ SELECTION_8:
+ Image: C:\ProgramData\DRM\CLR\CLR.exe
+ SELECTION_9:
+ ParentImage: C:\ProgramData\DRM\Windows*
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7) or SELECTION_8 or (SELECTION_9 and SELECTION_10)))
+falsepositives:
+- Unlikely
+id: 3121461b-5aa0-4a41-b910-66d25524edbb
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1574.002
+- attack.t1073
+- attack.g0044
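Review bot: `SELECTION_5` and `SELECTION_7` are identical (`Image: '*\wmplayer.exe'`), so one of them can be dropped and the condition simplified to `... or (SELECTION_4 and SELECTION_5) or (SELECTION_6 and SELECTION_5) ...`. The description has a typo: "Honk Kong" should read "Hong Kong". `SELECTION_3`, `SELECTION_4`, `SELECTION_8` and `SELECTION_9` use unquoted plain scalars for paths while every other value in the file is single-quoted; quoting them keeps the style uniform.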
diff --git a/rules/sigma/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/sigma/windows/process_creation/win_apt_winnti_pipemon.yml
new file mode 100644
index 00000000..f8228429
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_winnti_pipemon.yml
@@ -0,0 +1,35 @@
+
+title: Winnti Pipemon Characteristics
+author: Florian Roth, oscd.community
+date: 2020/07/30
+description: Detects specific process characteristics of Winnti Pipemon malware reported
+ by ESET
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*setup0.exe -p*'
+ SELECTION_3:
+ CommandLine: '*setup.exe*'
+ SELECTION_4:
+ CommandLine:
+ - '*-x:0'
+ - '*-x:1'
+ - '*-x:2'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- Legitimate setups that use similar flags
+id: 73d70463-75c9-4258-92c6-17500fe972f2
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1574.002
+- attack.t1073
+- attack.g0044
diff --git a/rules/sigma/windows/process_creation/win_apt_zxshell.yml b/rules/sigma/windows/process_creation/win_apt_zxshell.yml
new file mode 100644
index 00000000..b44a0c4f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_apt_zxshell.yml
@@ -0,0 +1,38 @@
+
+title: ZxShell Malware
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
+date: 2017/07/20
+description: Detects a ZxShell start by the called and well-known function name
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image:
+ - '*\rundll32.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*zxFunction*'
+ - '*RemoteDiskXXXXX*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unlikely
+fields:
+- CommandLine
+- ParentCommandLine
+id: f0b70adb-0075-43b0-9745-e82a1c608fcc
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+tags:
+- attack.execution
+- attack.t1059.003
+- attack.t1059
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+- attack.s0412
+- attack.g0001
diff --git a/rules/sigma/windows/process_creation/win_attrib_hiding_files.yml b/rules/sigma/windows/process_creation/win_attrib_hiding_files.yml
new file mode 100644
index 00000000..55099e81
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_attrib_hiding_files.yml
@@ -0,0 +1,43 @@
+
+title: Hiding Files with Attrib.exe
+author: Sami Ruohonen
+date: 2019/01/16
+description: Detects usage of attrib.exe to hide files from users.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\attrib.exe'
+ SELECTION_3:
+ CommandLine: '* +h *'
+ SELECTION_4:
+ EventID: 1
+ SELECTION_5:
+ CommandLine: '*\desktop.ini *'
+ SELECTION_6:
+ ParentImage: '*\cmd.exe'
+ SELECTION_7:
+ CommandLine: +R +H +S +A \\*.cui
+ SELECTION_8:
+ ParentCommandLine: C:\WINDOWS\system32\\*.bat
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+ and (SELECTION_5 or (SELECTION_6 and SELECTION_7 and SELECTION_8)))))
+falsepositives:
+- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe
+ and igfxCUIService.exe is the parent of the cmd.exe)
+- msiexec.exe hiding desktop.ini
+fields:
+- CommandLine
+- ParentCommandLine
+- User
+id: 4281cb20-2994-4580-aa63-c8b86d019934
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.001
+- attack.t1158
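Review bot: This rule has no `references` field, unlike the surrounding rules; if there is no source, a `references:` entry pointing at the ATT&CK page for T1564.001 would at least document where the technique mapping comes from. `SELECTION_7` (`+R +H +S +A \\*.cui`) and `SELECTION_8` (`C:\WINDOWS\system32\\*.bat`) are unquoted plain scalars while every other pattern in the file is single-quoted; quote them for consistency, e.g. `CommandLine: '+R +H +S +A \\*.cui'`. The redundant `SELECTION_4` (`EventID: 1`, duplicating `SELECTION_1`) is noted on the UNC2452 hunk.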
diff --git a/rules/sigma/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/sigma/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
new file mode 100644
index 00000000..70a4a4fb
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -0,0 +1,63 @@
+
+title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian
+ Burkard
+date: 2020/10/23
+description: Detects attackers using tooling with bad opsec defaults e.g. spawning
+ a sacrificial process to inject a capability into the process without taking into
+ account how the process is normally run, one trivial example of this is using rundll32.exe
+ without arguments as a sacrificial process (default in CS, now highlighted by c2lint),
+ running WerFault without arguments (Kraken - credit am0nsec), and other examples.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ Image: '*\regsvr32.exe'
+ SELECTION_11:
+ CommandLine: '*\regsvr32.exe'
+ SELECTION_2:
+ Image: '*\WerFault.exe'
+ SELECTION_3:
+ CommandLine: '*\WerFault.exe'
+ SELECTION_4:
+ Image: '*\rundll32.exe'
+ SELECTION_5:
+ CommandLine: '*\rundll32.exe'
+ SELECTION_6:
+ Image: '*\regsvcs.exe'
+ SELECTION_7:
+ CommandLine: '*\regsvcs.exe'
+ SELECTION_8:
+ Image: '*\regasm.exe'
+ SELECTION_9:
+ CommandLine: '*\regasm.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11)))
+falsepositives:
+- Unlikely
+fields:
+- ParentImage
+- ParentCommandLine
+id: a7c3d773-caef-227e-a7e7-c2f13c622329
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/01
+references:
+- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
+- https://www.cobaltstrike.com/help-opsec
+- https://twitter.com/CyberRaiju/status/1251492025678983169
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
+related:
+- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
+ type: obsoletes
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1085
+- attack.t1218.011
diff --git a/rules/sigma/windows/process_creation/win_bootconf_mod.yml b/rules/sigma/windows/process_creation/win_bootconf_mod.yml
new file mode 100644
index 00000000..3061bb34
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_bootconf_mod.yml
@@ -0,0 +1,42 @@
+
+title: Modification of Boot Configuration
+author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+description: Identifies use of the bcdedit command to delete boot configuration data.
+ This tactic is sometimes used as by malware or an attacker as a destructive technique.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\bcdedit.exe'
+ SELECTION_3:
+ CommandLine: '*set*'
+ SELECTION_4:
+ CommandLine: '*bootstatuspolicy*'
+ SELECTION_5:
+ CommandLine: '*ignoreallfailures*'
+ SELECTION_6:
+ CommandLine: '*recoveryenabled*'
+ SELECTION_7:
+ CommandLine: '*no*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Unlikely
+fields:
+- ComputerName
+- User
+- CommandLine
+id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2019/11/11
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+status: experimental
+tags:
+- attack.impact
+- attack.t1490
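Review bot: The description says the rule identifies bcdedit being used to "delete boot configuration data", but the detection matches `set` together with `bootstatuspolicy ignoreallfailures` or `recoveryenabled no`, i.e. disabling automatic recovery rather than deleting BCD entries. Suggested description: `Identifies use of bcdedit to disable Windows recovery options (bootstatuspolicy ignoreallfailures / recoveryenabled no). This is commonly seen before destructive or ransomware activity.` `SELECTION_7` (`'*no*'`) matches the substring "no" anywhere in the command line, so it adds almost no precision to `SELECTION_6`; `CommandLine: '*recoveryenabled no*'` in a single selection expresses the intended pairing directly.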
diff --git a/rules/sigma/windows/process_creation/win_bypass_squiblytwo.yml b/rules/sigma/windows/process_creation/win_bypass_squiblytwo.yml
new file mode 100644
index 00000000..cf159c1a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_bypass_squiblytwo.yml
@@ -0,0 +1,47 @@
+
+title: SquiblyTwo
+author: Markus Neis / Florian Roth
+date: 2019/01/16
+description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for
+ imphash
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*http*'
+ SELECTION_3:
+ Image:
+ - '*\wmic.exe'
+ SELECTION_4:
+ CommandLine: '*wmic*'
+ SELECTION_5:
+ CommandLine: '*format*'
+ SELECTION_6:
+ Imphash:
+ - 1B1A3F43BF37B5BFE60751F2EE2F326E
+ - 37777A96245A3C74EB217308F3546F4C
+ - 9D87C9D67CE724033C0B40CC4CA1B206
+ SELECTION_7:
+ CommandLine: '*format:*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- Unknown
+id: 8d63dadf-b91b-4187-87b6-34a1114577ea
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
+- https://twitter.com/mattifestation/status/986280382042595328
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1047
+- attack.t1220
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1059
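Review bot: The three `Imphash` values are unquoted plain scalars; they happen to contain letters and so parse as strings, but a hash that were all digits would be read as an integer, and the rest of the file quotes every pattern value. Quote them for consistency and safety, e.g. `- '1B1A3F43BF37B5BFE60751F2EE2F326E'`. The description ("with possible renamed WMI by looking for imphash") would read better as `Detects WMI SquiblyTwo attacks, including a renamed wmic.exe, by matching on command line and imphash`.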
diff --git a/rules/sigma/windows/process_creation/win_change_default_file_association.yml b/rules/sigma/windows/process_creation/win_change_default_file_association.yml
new file mode 100644
index 00000000..39f864a9
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_change_default_file_association.yml
@@ -0,0 +1,43 @@
+
+title: Change Default File Association
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: When a file is opened, the default program used to open the file (also
+ called the file association or handler) is checked. File association selections
+ are stored in the Windows Registry and can be edited by users, administrators, or
+ programs that have Registry access or by administrators using the built-in assoc
+ utility. Applications can modify the file association for a given file extension
+ to call an arbitrary program when a file with the given extension is opened.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*cmd*'
+ SELECTION_3:
+ CommandLine: '*/c*'
+ SELECTION_4:
+ CommandLine: '*assoc*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Admin activity
+fields:
+- Image
+- CommandLine
+- User
+- LogonGuid
+- Hashes
+- ParentProcessGuid
+- ParentCommandLine
+id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2019/11/04
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
+status: experimental
+tags:
+- attack.persistence
+- attack.t1546.001
+- attack.t1042
diff --git a/rules/sigma/windows/process_creation/win_cl_invocation_lolscript.yml b/rules/sigma/windows/process_creation/win_cl_invocation_lolscript.yml
new file mode 100644
index 00000000..ce9958b5
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_cl_invocation_lolscript.yml
@@ -0,0 +1,28 @@
+
+title: Execution via CL_Invocation.ps1
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*CL_Invocation.ps1*'
+ SELECTION_3:
+ CommandLine: '*SyncInvoke*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: a0459f02-ac51-4c09-b511-b8c9203fc429
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+- https://twitter.com/bohops/status/948061991012327424
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
diff --git a/rules/sigma/windows/process_creation/win_cl_mutexverifiers_lolscript.yml b/rules/sigma/windows/process_creation/win_cl_mutexverifiers_lolscript.yml
new file mode 100644
index 00000000..60cb6a2e
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_cl_mutexverifiers_lolscript.yml
@@ -0,0 +1,29 @@
+
+title: Execution via CL_Mutexverifiers.ps1
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
+ module
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*CL_Mutexverifiers.ps1*'
+ SELECTION_3:
+ CommandLine: '*runAfterCancelProcess*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 99465c8f-f102-4157-b11c-b0cddd53b79a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+- https://twitter.com/pabraeken/status/995111125447577600
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
diff --git a/rules/sigma/windows/process_creation/win_class_exec_xwizard.yml b/rules/sigma/windows/process_creation/win_class_exec_xwizard.yml
new file mode 100644
index 00000000..837d391b
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_class_exec_xwizard.yml
@@ -0,0 +1,27 @@
+
+title: Custom Class Execution via Xwizard
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+date: 2020/10/07
+description: Detects the execution of Xwizard tool with specific arguments which utilized
+ to run custom class properties.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\xwizard.exe'
+ SELECTION_3:
+ CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
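Review bot: The `CommandLine|re` value is an unquoted plain scalar; it parses here only because it begins with `\`, whereas a regex starting with `{` or `[` would be read by YAML as a flow collection. Single-quoting the pattern is the safer style and matches the rest of the file: `CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'`. The description also has a grammar slip, "with specific arguments which utilized to run" → "with specific arguments used to run".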
diff --git a/rules/sigma/windows/process_creation/win_cmdkey_recon.yml b/rules/sigma/windows/process_creation/win_cmdkey_recon.yml
new file mode 100644
index 00000000..e84288c7
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_cmdkey_recon.yml
@@ -0,0 +1,33 @@
+
+title: Cmdkey Cached Credentials Recon
+author: jmallette
+date: 2019/01/16
+description: Detects usage of cmdkey to look for cached credentials
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cmdkey.exe'
+ SELECTION_3:
+ CommandLine: '* /list*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate administrative tasks
+fields:
+- CommandLine
+- ParentCommandLine
+- User
+id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/07
+references:
+- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.005
+- attack.t1003
diff --git a/rules/sigma/windows/process_creation/win_cmstp_com_object_access.yml b/rules/sigma/windows/process_creation/win_cmstp_com_object_access.yml
new file mode 100644
index 00000000..68ed8434
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_cmstp_com_object_access.yml
@@ -0,0 +1,51 @@
+
+title: CMSTP UAC Bypass via COM Object Access
+author: Nik Seetharaman, Christian Burkard
+date: 2021/08/31
+description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile
+ Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\DllHost.exe'
+ SELECTION_3:
+ IntegrityLevel:
+ - High
+ - System
+ SELECTION_4:
+ ParentCommandLine:
+ - '* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
+ - '* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*'
+ - '* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*'
+ - '* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*'
+ - '* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Hashes
+id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2019/07/31
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+- https://twitter.com/hFireF0X/status/897640081053364225
+- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+- https://github.com/hfiref0x/UACME
+status: stable
+tags:
+- attack.execution
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+- attack.t1088
+- attack.t1218.003
+- attack.t1191
+- attack.g0069
+- car.2019-04-001
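Review bot: `modified: 2019/07/31` is earlier than `date: 2021/08/31`, which cannot be right for a rule's creation/modification pair; one of the two dates should be corrected (the references and UACMe IDs suggest the rule predates 2021, so `date` is the more likely culprit, but confirm with the authors). The description mentions four UACMe IDs (41, 43, 58, 65) while `SELECTION_4` lists five CLSIDs; if the fifth CLSID maps to another UACMe method, name it in the description so the two stay in sync.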
diff --git a/rules/sigma/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/sigma/windows/process_creation/win_cobaltstrike_process_patterns.yml
new file mode 100644
index 00000000..eedf3d3f
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_cobaltstrike_process_patterns.yml
@@ -0,0 +1,49 @@
+
+title: CobaltStrike Process Patterns
+author: Florian Roth
+date: 2021/07/27
+description: Detects process patterns found in Cobalt Strike beacon activity (see
+ reference for more details)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ ParentCommandLine: '*\runonce.exe'
+ SELECTION_2:
+ CommandLine: '*\cmd.exe /C whoami*'
+ SELECTION_3:
+ ParentImage: C:\Temp*
+ SELECTION_4:
+ CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
+ SELECTION_5:
+ ParentCommandLine:
+ - '*/C whoami*'
+ - '*cmd.exe /C echo*'
+ - '* > \\.\pipe*'
+ SELECTION_6:
+ CommandLine:
+ - '*cmd.exe /c echo*'
+ - '*> \\.\pipe*'
+ - '*\whoami.exe*'
+ SELECTION_7:
+ ParentImage: '*\dllhost.exe'
+ SELECTION_8:
+ Image: '*\cmd.exe'
+ SELECTION_9:
+ ParentImage: '*\runonce.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
+falsepositives:
+- Other programs that cause these patterns (please report)
+id: f35c5d71-b489-4e22-a115-f003df287317
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/08/30
+references:
+- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
+- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+status: experimental
+tags:
+- attack.execution
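Review bot: `tags` contains only the tactic `attack.execution` with no technique id, whereas every other rule in this commit maps to at least one technique; the patterns here are cmd.exe / whoami / named-pipe command lines, so `attack.t1059.003` (Windows Command Shell) would be the natural addition, subject to the authors' judgement. `SELECTION_3` (`ParentImage: C:\Temp*`) is the only unquoted pattern in the file; quote it for consistency.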
diff --git a/rules/sigma/windows/process_creation/win_commandline_path_traversal.yml b/rules/sigma/windows/process_creation/win_commandline_path_traversal.yml
new file mode 100644
index 00000000..a0a99b38
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_commandline_path_traversal.yml
@@ -0,0 +1,32 @@
+
+title: Cmd.exe CommandLine Path Traversal
+author: xknow @xknow_infosec
+date: 2020/06/11
+description: detects the usage of path traversal in cmd.exe indicating possible command/argument
+ confusion/hijacking
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentCommandLine: '*cmd*'
+ SELECTION_3:
+ ParentCommandLine: '*/c*'
+ SELECTION_4:
+ CommandLine: '*/../../*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- (not much) some benign Java tools may product false-positive commandlines for loading
+ libraries
+id: 087790e3-3287-436c-bccf-cbd0184a7db1
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
+- https://twitter.com/Oddvarmoe/status/1270633613449723905
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.003
+- attack.t1059
diff --git a/rules/sigma/windows/process_creation/win_control_panel_item.yml b/rules/sigma/windows/process_creation/win_control_panel_item.yml
new file mode 100644
index 00000000..f1374c3c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_control_panel_item.yml
@@ -0,0 +1,42 @@
+
+title: Control Panel Items
+author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
+date: 2020/06/22
+description: Detects the malicious use of a control panel item
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*.cpl'
+ SELECTION_3:
+ CommandLine:
+ - '*\System32\\*'
+ - '*%System%*'
+ SELECTION_4:
+ Image: '*\reg.exe'
+ SELECTION_5:
+ CommandLine: '*add*'
+ SELECTION_6:
+ CommandLine:
+ - '*CurrentVersion\\Control Panel\\CPLs*'
+ condition: (SELECTION_1 and ((SELECTION_2 and not (SELECTION_3)) or (SELECTION_4
+ and SELECTION_5 and SELECTION_6)))
+falsepositives:
+- Unknown
+id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/11/28
+references:
+- https://attack.mitre.org/techniques/T1196/
+- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
+status: experimental
+tags:
+- attack.execution
+- attack.defense_evasion
+- attack.t1218.002
+- attack.t1196
+- attack.persistence
+- attack.t1546
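Review bot: Backslash escaping is mixed within the file: `SELECTION_3` writes `'*\System32\\*'` (a `\\` before the wildcard, which Sigma needs to express a literal backslash followed by `*`), while `SELECTION_6` writes `'*CurrentVersion\\Control Panel\\CPLs*'` where the doubled backslashes precede ordinary characters and a single `\` would mean the same thing. Both are valid, but a reader has to stop and work out whether the difference is intentional; using single backslashes except where a wildcard follows, `'*CurrentVersion\Control Panel\CPLs*'`, keeps the intent obvious.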
diff --git a/rules/sigma/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/sigma/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
new file mode 100644
index 00000000..5eb389c0
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -0,0 +1,50 @@
+
+title: Copying Sensitive Files with Credential Data
+author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/22
+description: Files with well-known filenames (sensitive files with credential data)
+ copying
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\esentutl.exe'
+ SELECTION_3:
+ CommandLine:
+ - '*vss*'
+ - '* /m *'
+ - '* /y *'
+ SELECTION_4:
+ CommandLine:
+ - '*\windows\ntds\ntds.dit*'
+ - '*\config\sam*'
+ - '*\config\security*'
+ - '*\config\system *'
+ - '*\repair\sam*'
+ - '*\repair\system*'
+ - '*\repair\security*'
+ - '*\config\RegBack\sam*'
+ - '*\config\RegBack\system*'
+ - '*\config\RegBack\security*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- Copying sensitive files for legitimate use (eg. backup) or forensic investigation
+ by legitimate incident responder or forensic invetigator
+id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2019/11/13
+references:
+- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
+- attack.t1003.003
+- attack.t1003
+- car.2013-07-001
+- attack.s0404
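Review bot: The `falsepositives` entry has a typo, "invetigator" → "investigator", and the description is hard to parse as written ("Files with well-known filenames (sensitive files with credential data) copying"). Suggested description: `Detects copying of files with well-known names that hold credential material (ntds.dit, SAM, SECURITY, SYSTEM hives and their RegBack/repair copies), including via esentutl`. `SELECTION_4` is OR'd directly against `EventID: 1`, so any process whose command line mentions those paths fires regardless of image; that appears intended, but a comment above the selection saying so would prevent a later "fix".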
diff --git a/rules/sigma/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/sigma/windows/process_creation/win_credential_access_via_password_filter.yml
new file mode 100644
index 00000000..501a3d7b
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_credential_access_via_password_filter.yml
@@ -0,0 +1,32 @@
+
+title: Dropping Of Password Filter DLL
+author: Sreeman
+date: 2020/10/29
+description: Detects dropping of dll files in system32 that may be used to retrieve
+ user credentials from LSASS
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*HKLM\SYSTEM\CurrentControlSet\Control\Lsa*'
+ SELECTION_3:
+ CommandLine: '*scecli\0*'
+ SELECTION_4:
+ CommandLine: '*reg add*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: b7966f4a-b333-455b-8370-8ca53c229762
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/11
+references:
+- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
+- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1174
+- attack.t1556.002
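Review bot: The description says the rule "detects dropping of dll files in system32", but the detection actually matches a `reg add` on `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` whose data contains `scecli\0`, i.e. registration of an additional password-filter DLL in the Notification Packages value, not the file write itself. Suggested description: `Detects registration of an additional password filter DLL in the LSA Notification Packages registry value via reg add, which can be used to capture credentials on password change`. `falsepositives` uses lowercase `unknown` where the other rules use `Unknown`; trivial, but worth aligning.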
diff --git a/rules/sigma/windows/process_creation/win_crime_fireball.yml b/rules/sigma/windows/process_creation/win_crime_fireball.yml
new file mode 100644
index 00000000..140d326c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_crime_fireball.yml
@@ -0,0 +1,33 @@
+
+title: Fireball Archer Install
+author: Florian Roth
+date: 2017/06/03
+description: Detects Archer malware invocation via rundll32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*InstallArcherSvc*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
+- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+status: experimental
+tags:
+- attack.execution
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
diff --git a/rules/sigma/windows/process_creation/win_crime_maze_ransomware.yml b/rules/sigma/windows/process_creation/win_crime_maze_ransomware.yml
new file mode 100644
index 00000000..3634b66a
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_crime_maze_ransomware.yml
@@ -0,0 +1,51 @@
+
+title: Maze Ransomware
+author: Florian Roth
+date: 2020/05/08
+description: Detects specific process characteristics of Maze ransomware word document
+ droppers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage:
+ - '*\WINWORD.exe'
+ SELECTION_3:
+ Image:
+ - '*.tmp'
+ SELECTION_4:
+ Image: '*\wmic.exe'
+ SELECTION_5:
+ ParentImage: '*\Temp\\*'
+ SELECTION_6:
+ CommandLine: '*shadowcopy delete'
+ SELECTION_7:
+ CommandLine: '*shadowcopy delete'
+ SELECTION_8:
+ CommandLine: '*\..\..\system32*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
+ and SELECTION_6) or (SELECTION_7 and SELECTION_8)))
+falsepositives:
+- Unlikely
+fields:
+- ComputerName
+- User
+- Image
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+- https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1204
+- attack.t1047
+- attack.impact
+- attack.t1490
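Review bot: SELECTION_6 and SELECTION_7 are byte-identical (`CommandLine: '*shadowcopy delete'`) and differ only in which condition branch uses them, so one can be dropped and the condition written as `... or (SELECTION_4 and SELECTION_5 and SELECTION_6) or (SELECTION_6 and SELECTION_8)))`. That makes the third branch read as "shadowcopy delete launched through a `\..\..\system32` traversal path", which is the behaviour the FireEye reference is cited for, instead of hiding the shared pattern behind two names. Note also that `'*shadowcopy delete'` is anchored at the end of the command line; if that is deliberate (matching the exact invocation seen in the sandbox references) a short comment saying so would stop a maintainer from widening it to `'*shadowcopy delete*'` without thinking about the trade-off.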
diff --git a/rules/sigma/windows/process_creation/win_crime_snatch_ransomware.yml b/rules/sigma/windows/process_creation/win_crime_snatch_ransomware.yml
new file mode 100644
index 00000000..304681cb
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_crime_snatch_ransomware.yml
@@ -0,0 +1,31 @@
+
+title: Snatch Ransomware
+author: Florian Roth
+date: 2020/08/26
+description: Detects specific process characteristics of Snatch ransomware word document
+ droppers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*shutdown /r /f /t 00*'
+ - '*net stop SuperBackupMan*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
+fields:
+- ComputerName
+- User
+- Image
+id: 5325945e-f1f0-406e-97b8-65104d393fff
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
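Review bot: The `description` ("specific process characteristics of Snatch ransomware word document droppers") does not describe what SELECTION_2 matches — a forced immediate reboot (`shutdown /r /f /t 00`) and a `net stop SuperBackupMan` service stop — and reads as carried over from the Maze rule above. Suggest `description: Detects process characteristics of Snatch ransomware, which forces an immediate reboot (shutdown /r /f /t 00) and stops the SuperBackupMan service`. The tags stop at `attack.execution`/`attack.t1204`, while the matched behaviour maps more naturally to Service Stop (`attack.t1489`) and System Shutdown/Reboot (`attack.t1529`) under `attack.impact`; adding those would make the rule findable from the impact side of the matrix.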
diff --git a/rules/sigma/windows/process_creation/win_data_compressed_with_rar.yml b/rules/sigma/windows/process_creation/win_data_compressed_with_rar.yml
new file mode 100644
index 00000000..dc31ae53
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_data_compressed_with_rar.yml
@@ -0,0 +1,40 @@
+
+title: Data Compressed - rar.exe
+author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+date: 2019/10/21
+description: An adversary may compress data (e.g., sensitive documents) that is collected
+ prior to exfiltration in order to make it portable and minimize the amount of data
+ sent over the network.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\rar.exe'
+ SELECTION_3:
+ CommandLine: '* a *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Highly likely if rar is a default archiver in the monitored environment.
+fields:
+- Image
+- CommandLine
+- User
+- LogonGuid
+- Hashes
+- ParentProcessGuid
+- ParentCommandLine
+id: 6f3e2987-db24-4c78-a860-b4f4095a7095
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1002
+- attack.collection
+- attack.t1560.001
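Review bot: Both selections key purely on names: SELECTION_2 matches only an image path ending in `\rar.exe`, and SELECTION_3 `'* a *'` matches any command line containing ` a ` as a standalone word. The rule is therefore weak on both axes — noisy enough that `level: low` and the falsepositives entry already concede it, and blind to a copy of the archiver running under another file name. If the backend exposes Sysmon's `OriginalFileName`, adding it as an alternative to the path match (the value being whatever the binary's version resource carries — confirm on a reference copy) is a cheap way to close the rename gap; the same name-only matching applies to the `iodine.exe`/`dnscat2` rule further down in this commit.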
diff --git a/rules/sigma/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/sigma/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml
new file mode 100644
index 00000000..81f72a7c
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml
@@ -0,0 +1,30 @@
+
+title: Detecting Fake Instances Of Hxtsr.exe
+author: Sreeman
+date: 2020/04/17
+description: HxTsr.exe is a Microsoft compressed executable file called Microsoft
+ Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in
+ a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version
+ number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe".
+ Any instances of hxtsr.exe not in this folder may be malware camouflaging itself
+ as HxTsr.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: hxtsr.exe
+ SELECTION_3:
+ CurrentDirectory|re: (?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 4e762605-34a8-406d-b72e-c1a089313320
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
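Review bot: The exclusion in SELECTION_3 is unlikely to ever match: `CurrentDirectory` holds a directory, yet the regex ends in `hxtsr\.exe`, and the path separators are written as four backslashes in a plain scalar (`\\\\`), which as a regex means two consecutive literal backslashes while the `\.` escapes use a single one — so the filter would not suppress the legitimate WindowsApps instances and the rule would alert on every normal Outlook launch. The check belongs on the image path, e.g. `Image|re: (?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe`, assuming the backend consumes one backslash escape per literal backslash; verify against a rendered query before merging. SELECTION_2 `Image: hxtsr.exe` has no wildcard, and if the backend treats an unwildcarded value as an exact match on the full path it never matches either; `Image: '*\hxtsr.exe'` would be consistent with the sibling rules.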
diff --git a/rules/sigma/windows/process_creation/win_dll_sideload_xwizard.yml b/rules/sigma/windows/process_creation/win_dll_sideload_xwizard.yml
new file mode 100644
index 00000000..bca98893
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_dll_sideload_xwizard.yml
@@ -0,0 +1,28 @@
+
+title: Xwizard DLL Sideloading
+author: Christian Burkard
+date: 2021/09/20
+description: Detects the execution of Xwizard tool from the non-default directory
+ which can be used to sideload a custom xwizards.dll
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\xwizard.exe'
+ SELECTION_3:
+ Image: C:\Windows\System32\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Windows installed on non-C drive
+id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1574.002
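Review bot: The allow-list in SELECTION_3 only covers `C:\Windows\System32\`, but 64-bit Windows also ships a 32-bit copy of xwizard.exe under `C:\Windows\SysWOW64\` (confirm on a reference host), so a legitimate WOW64 launch would fire at level `high`. If confirmed, turning SELECTION_3 into a list with `- C:\Windows\SysWOW64\\*` alongside the existing entry fixes it. The `falsepositives` entry already acknowledges the hard-coded drive letter; a `'*\Windows\System32\\*'` form would remove that caveat, at the cost of excluding any path that merely ends in that suffix, so either choice should be stated in a comment next to the selection.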
diff --git a/rules/sigma/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/sigma/windows/process_creation/win_dns_exfiltration_tools_execution.yml
new file mode 100644
index 00000000..a1443e87
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -0,0 +1,31 @@
+
+title: DNS Exfiltration and Tunneling Tools Execution
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+description: Well-known DNS Exfiltration tools execution
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\iodine.exe'
+ SELECTION_3:
+ Image: '*\dnscat2*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
+id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048.001
+- attack.t1048
+- attack.command_and_control
+- attack.t1071.004
+- attack.t1071
+- attack.t1132.001
+- attack.t1132
diff --git a/rules/sigma/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/sigma/windows/process_creation/win_dnscat2_powershell_implementation.yml
new file mode 100644
index 00000000..2bd254fd
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_dnscat2_powershell_implementation.yml
@@ -0,0 +1,40 @@
+
+title: DNSCat2 Powershell Implementation Detection Via Process Creation
+author: Cian Heasley
+date: 2020/08/08
+description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries.
+ Counting nslookup processes spawned by PowerShell will show hundreds or thousands
+ of instances if PS DNSCat2 is active locally.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\powershell.exe'
+ SELECTION_3:
+ Image: '*\nslookup.exe'
+ SELECTION_4:
+ CommandLine: '*\nslookup.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) | count(Image)
+ by ParentImage > 100
+falsepositives:
+- Other powershell scripts that call nslookup.exe
+fields:
+- Image
+- CommandLine
+- ParentImage
+id: b11d75d6-d7c1-11ea-87d0-0242ac130003
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/lukebaggett/dnscat2-powershell
+- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
+- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+- attack.t1001.003
+- attack.t1041
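Review bot: The aggregation `count(Image) by ParentImage > 100` has no `timeframe`, so the window over which the nslookup spawns are counted is whatever each backend defaults to, and the threshold means something different per target. Adding e.g. `timeframe: 5m` under `detection` next to `condition` pins the intent the description states ("hundreds or thousands of instances"). SELECTION_4 `CommandLine: '*\nslookup.exe'` requires the command line to end with the binary name, i.e. no arguments at all; if that is how the referenced PowerShell implementation invokes it, a one-line comment saying so would stop a maintainer from "fixing" it to `'*\nslookup.exe*'`.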
diff --git a/rules/sigma/windows/process_creation/win_encoded_frombase64string.yml b/rules/sigma/windows/process_creation/win_encoded_frombase64string.yml
new file mode 100644
index 00000000..65092fcd
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_encoded_frombase64string.yml
@@ -0,0 +1,32 @@
+
+title: Encoded FromBase64String
+author: Florian Roth
+date: 2019/08/24
+description: Detects a base64 encoded FromBase64String keyword in a process command
+ line
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*OjpGcm9tQmFzZTY0U3RyaW5n*'
+ - '*o6RnJvbUJhc2U2NFN0cmluZ*'
+ - '*6OkZyb21CYXNlNjRTdHJpbm*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/process_creation/win_encoded_iex.yml b/rules/sigma/windows/process_creation/win_encoded_iex.yml
new file mode 100644
index 00000000..4443cc19
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_encoded_iex.yml
@@ -0,0 +1,39 @@
+
+title: Encoded IEX
+author: Florian Roth
+date: 2019/08/23
+description: Detects a base64 encoded IEX command string in a process command line
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine:
+ - '*SUVYIChb*'
+ - '*lFWCAoW*'
+ - '*JRVggKF*'
+ - '*aWV4IChb*'
+ - '*lleCAoW*'
+ - '*pZXggKF*'
+ - '*aWV4IChOZX*'
+ - '*lleCAoTmV3*'
+ - '*pZXggKE5ld*'
+ - '*SUVYIChOZX*'
+ - '*lFWCAoTmV3*'
+ - '*JRVggKE5ld*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 88f680b8-070e-402c-ae11-d2914f2257f1
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
diff --git a/rules/sigma/windows/process_creation/win_etw_modification_cmdline.yml b/rules/sigma/windows/process_creation/win_etw_modification_cmdline.yml
new file mode 100644
index 00000000..376f80c9
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_etw_modification_cmdline.yml
@@ -0,0 +1,33 @@
+
+title: COMPlus_ETWEnabled Command Line Arguments
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*COMPlus_ETWEnabled=0*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 41421f44-58f9-455d-838a-c398859841d4
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562
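Review bot: `falsepositives` is `unknown` and `level` is `critical`, yet the references appear to be the .NET runtime's own documentation of `COMPlus_` configuration variables (viewing-jit-dumps, clrconfigvalues.h), which suggests developer and build hosts that set `COMPlus_ETWEnabled=0` on purpose are a known benign source. Suggest `- .NET developer or build hosts that disable CLR ETW providers deliberately` under falsepositives, and reconsidering whether `high` is the more defensible level until that has been measured in the target environment.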
diff --git a/rules/sigma/windows/process_creation/win_etw_trace_evasion.yml b/rules/sigma/windows/process_creation/win_etw_trace_evasion.yml
new file mode 100644
index 00000000..b20be104
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_etw_trace_evasion.yml
@@ -0,0 +1,71 @@
+
+title: Disable of ETW Trace
+author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
+date: 2019/03/22
+description: Detects a command that clears or disables any ETW trace log which could
+ indicate a logging evasion.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*Remove-EtwTraceProvider*'
+ SELECTION_11:
+ CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
+ SELECTION_12:
+ CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
+ SELECTION_13:
+ CommandLine: '*Set-EtwTraceProvider*'
+ SELECTION_14:
+ CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
+ SELECTION_15:
+ CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
+ SELECTION_16:
+ CommandLine: '*0x11*'
+ SELECTION_17:
+ CommandLine: '*logman*'
+ SELECTION_18:
+ CommandLine: '*update*'
+ SELECTION_19:
+ CommandLine: '*trace*'
+ SELECTION_2:
+ CommandLine: '*cl*'
+ SELECTION_20:
+ CommandLine: '*--p*'
+ SELECTION_21:
+ CommandLine: '*-ets*'
+ SELECTION_3:
+ CommandLine: '*/Trace*'
+ SELECTION_4:
+ CommandLine: '*clear-log*'
+ SELECTION_5:
+ CommandLine: '*/Trace*'
+ SELECTION_6:
+ CommandLine: '*sl*'
+ SELECTION_7:
+ CommandLine: '*/e:false*'
+ SELECTION_8:
+ CommandLine: '*set-log*'
+ SELECTION_9:
+ CommandLine: '*/e:false*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10
+ and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
+ and SELECTION_16) or (SELECTION_17 and SELECTION_18 and SELECTION_19 and SELECTION_20
+ and SELECTION_21)))
+falsepositives:
+- Unknown
+id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+- https://abuse.io/lockergoga.txt
+- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1562.006
+- car.2016-04-002
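Review bot: The wevtutil branches rely on very short substrings — SELECTION_2 `'*cl*'` and SELECTION_6 `'*sl*'` — combined only with `/Trace` or `/e:false`, so any command line that happens to contain `cl` (think `include`, `clean`) plus one of those switches raises a `high` alert; none of the seven branches constrains `Image`, which is where the precision belongs. Adding a selection such as `SELECTION_22:` / `Image: '*\wevtutil.exe'` and and-ing it into the first four branches of the condition keeps the recall while removing most of that noise. The selection map also carries exact duplicates (SELECTION_3/5 `'*/Trace*'`, SELECTION_7/9 `'*/e:false*'`, SELECTION_11/15 and SELECTION_12/14), which can be collapsed to one each with the condition updated to reference the survivor.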
diff --git a/rules/sigma/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml
new file mode 100644
index 00000000..431a2dd7
--- /dev/null
+++ b/rules/sigma/windows/process_creation/win_exchange_proxylogon_oabvirtualdir.yml
@@ -0,0 +1,30 @@
+
+title: ProxyLogon MSExchange OabVirtualDirectory
+author: Florian Roth
+date: 2021/08/09
+description: Detects specific patterns found after a successful ProxyLogon exploitation
+ in relation to a Commandlet invocation of Set-OabVirtualDirectory
+detection:
+ SELECTION_1:
+ - OabVirtualDirectory
+ SELECTION_2:
+ - ' -ExternalUrl '
+ SELECTION_3:
+ - eval(request
+ - http://f/