From 0cfa806baf9e4aaa847b55b5feebee7a83ba592c Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 28 Nov 2021 18:14:51 +0900 Subject: [PATCH] Feature/addruletype to sigma rule#230 (#235) * added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231 --- .../win_aadhealth_mon_agent_regkey_access.yml | 1 + .../win_aadhealth_svc_agent_regkey_access.yml | 1 + .../win_account_backdoor_dcsync_rights.yml | 1 + rules/sigma/builtin/win_account_discovery.yml | 1 + .../builtin/win_ad_object_writedac_access.yml | 1 + ...win_ad_replication_non_machine_account.yml | 1 + .../sigma/builtin/win_ad_user_enumeration.yml | 1 + ...e_template_configuration_vulnerability.yml | 1 + ...mplate_configuration_vulnerability_eku.yml | 1 + rules/sigma/builtin/win_admin_rdp_login.yml | 1 + .../sigma/builtin/win_admin_share_access.yml | 1 + ...in_alert_active_directory_user_control.yml | 1 + .../builtin/win_alert_ad_user_backdoors.yml | 1 + .../win_alert_enable_weak_encryption.yml | 1 + .../sigma/builtin/win_alert_lsass_access.yml | 1 + .../builtin/win_alert_mimikatz_keywords.yml | 1 + rules/sigma/builtin/win_alert_ruler.yml | 1 + ..._applocker_file_was_not_allowed_to_run.yml | 1 + .../builtin/win_apt_carbonpaper_turla.yml | 1 + .../builtin/win_apt_chafer_mar18_security.yml | 1 + .../builtin/win_apt_chafer_mar18_system.yml | 1 + rules/sigma/builtin/win_apt_gallium.yml | 1 + rules/sigma/builtin/win_apt_slingshot.yml | 1 + rules/sigma/builtin/win_apt_stonedrill.yml | 1 + .../builtin/win_apt_turla_service_png.yml | 1 + rules/sigma/builtin/win_apt_wocao.yml | 1 + ...ary_shell_execution_via_settingcontent.yml | 1 + .../builtin/win_asr_bypass_via_appvlp_re.yml | 1 + rules/sigma/builtin/win_atsvc_task.yml | 1 + rules/sigma/builtin/win_audit_cve.yml | 1 + rules/sigma/builtin/win_av_relevant_match.yml | 1 + .../builtin/win_camera_microphone_access.yml | 1 + .../win_cobaltstrike_service_installs.yml | 1 + .../win_dce_rpc_smb_spoolss_named_pipe.yml | 1 + .../builtin/win_dcom_iertutil_dll_hijack.yml | 1 + rules/sigma/builtin/win_dcsync.yml | 1 + .../builtin/win_disable_event_logging.yml | 1 + .../win_dpapi_domain_backupkey_extraction.yml | 1 + ..._dpapi_domain_masterkey_backup_attempt.yml | 1 + rules/sigma/builtin/win_etw_modification.yml | 1 + rules/sigma/builtin/win_event_log_cleared.yml | 1 + .../builtin/win_exchange_transportagent.yml | 1 + ...win_exploit_cve_2021_1675_printspooler.yml | 1 + ...cve_2021_1675_printspooler_operational.yml | 1 + ...it_cve_2021_1675_printspooler_security.yml | 1 + rules/sigma/builtin/win_external_device.yml | 1 + .../win_global_catalog_enumeration.yml | 1 + .../sigma/builtin/win_gpo_scheduledtasks.yml | 1 + rules/sigma/builtin/win_hack_smbexec.yml | 1 + .../builtin/win_hidden_user_creation.yml | 1 + ...n_hybridconnectionmgr_svc_installation.yml | 1 + .../win_hybridconnectionmgr_svc_running.yml | 1 + rules/sigma/builtin/win_impacket_psexec.yml | 1 + .../sigma/builtin/win_impacket_secretdump.yml | 1 + .../win_invoke_obfuscation_clip_services.yml | 1 + ...oke_obfuscation_clip_services_security.yml | 1 + ...ke_obfuscation_obfuscated_iex_services.yml | 1 + ...ation_obfuscated_iex_services_security.yml | 1 + .../win_invoke_obfuscation_stdin_services.yml | 1 + ...ke_obfuscation_stdin_services_security.yml | 1 + .../win_invoke_obfuscation_var_services.yml | 1 + ...voke_obfuscation_var_services_security.yml | 1 + ...voke_obfuscation_via_compress_services.yml | 1 + ...scation_via_compress_services_security.yml | 1 + ...invoke_obfuscation_via_rundll_services.yml | 1 + ...fuscation_via_rundll_services_security.yml | 1 + ..._invoke_obfuscation_via_stdin_services.yml | 1 + ...bfuscation_via_stdin_services_security.yml | 1 + ...voke_obfuscation_via_use_clip_services.yml | 1 + ...scation_via_use_clip_services_security.yml | 1 + ...oke_obfuscation_via_use_mshta_services.yml | 1 + ...cation_via_use_mshta_services_security.yml | 1 + ..._obfuscation_via_use_rundll32_services.yml | 1 + ...ion_via_use_rundll32_services_security.yml | 1 + ...in_invoke_obfuscation_via_var_services.yml | 1 + ..._obfuscation_via_var_services_security.yml | 1 + rules/sigma/builtin/win_iso_mount.yml | 1 + rules/sigma/builtin/win_lm_namedpipe.yml | 1 + .../win_lolbas_execution_of_nltest.yml | 1 + .../win_lsass_access_non_system_account.yml | 1 + rules/sigma/builtin/win_mal_creddumper.yml | 1 + rules/sigma/builtin/win_mal_wceaux_dll.yml | 1 + .../builtin/win_metasploit_authentication.yml | 1 + ...tstrike_getsystem_service_installation.yml | 1 + .../builtin/win_mmc20_lateral_movement.yml | 1 + rules/sigma/builtin/win_moriya_rootkit.yml | 1 + .../sigma/builtin/win_net_ntlm_downgrade.yml | 1 + .../sigma/builtin/win_net_use_admin_share.yml | 1 + ..._renamed_user_account_with_dollar_sign.yml | 1 + .../builtin/win_not_allowed_rdp_access.yml | 1 + rules/sigma/builtin/win_ntfs_vuln_exploit.yml | 1 + rules/sigma/builtin/win_overpass_the_hash.yml | 1 + rules/sigma/builtin/win_pass_the_hash.yml | 1 + rules/sigma/builtin/win_pass_the_hash_2.yml | 1 + .../builtin/win_petitpotam_network_share.yml | 1 + .../win_petitpotam_susp_tgt_request.yml | 1 + .../sigma/builtin/win_possible_dc_shadow.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../builtin/win_privesc_cve_2020_1472.yml | 1 + .../win_protected_storage_service_access.yml | 1 + ...rkspwdump_clearing_hive_access_history.yml | 1 + .../builtin/win_rare_schtasks_creations.yml | 1 + .../builtin/win_rare_service_installs.yml | 1 + .../builtin/win_rdp_bluekeep_poc_scanner.yml | 1 + .../sigma/builtin/win_rdp_localhost_login.yml | 1 + .../win_rdp_potential_cve_2019_0708.yml | 1 + .../sigma/builtin/win_rdp_reverse_tunnel.yml | 1 + ...n_register_new_logon_process_by_rubeus.yml | 1 + .../builtin/win_remote_powershell_session.yml | 1 + ..._registry_management_using_reg_utility.yml | 1 + .../win_root_certificate_installed.yml | 1 + .../win_sam_registry_hive_handle_request.yml | 1 + .../builtin/win_scheduled_task_deletion.yml | 1 + .../win_scm_database_handle_failure.yml | 1 + .../win_scm_database_privileged_operation.yml | 1 + ...scrcons_remote_wmi_scripteventconsumer.yml | 1 + ...security_cobaltstrike_service_installs.yml | 1 + .../builtin/win_security_mal_creddumper.yml | 1 + .../win_security_mal_service_installs.yml | 1 + ...or_impacket_smb_psexec_service_install.yml | 1 + ...cobaltstrike_getsystem_service_install.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../win_security_tap_driver_installation.yml | 1 + ...in_set_oabvirtualdirectory_externalurl.yml | 1 + .../win_smb_file_creation_admin_shares.yml | 1 + .../win_software_atera_rmm_agent_install.yml | 1 + .../builtin/win_susp_add_domain_trust.yml | 1 + .../builtin/win_susp_add_sid_history.yml | 1 + .../sigma/builtin/win_susp_backup_delete.yml | 1 + .../win_susp_codeintegrity_check_failure.yml | 1 + rules/sigma/builtin/win_susp_dhcp_config.yml | 1 + .../builtin/win_susp_dhcp_config_failed.yml | 1 + rules/sigma/builtin/win_susp_dns_config.yml | 1 + .../builtin/win_susp_dsrm_password_change.yml | 1 + .../builtin/win_susp_eventlog_cleared.yml | 1 + .../builtin/win_susp_failed_guest_logon.yml | 1 + .../builtin/win_susp_failed_logon_reasons.yml | 1 + .../builtin/win_susp_failed_logon_source.yml | 1 + ...usp_failed_logons_explicit_credentials.yml | 1 + .../win_susp_failed_logons_single_process.yml | 1 + .../win_susp_failed_logons_single_source.yml | 1 + .../win_susp_failed_logons_single_source2.yml | 1 + ...p_failed_logons_single_source_kerberos.yml | 1 + ..._failed_logons_single_source_kerberos2.yml | 1 + ..._failed_logons_single_source_kerberos3.yml | 1 + ..._susp_failed_logons_single_source_ntlm.yml | 1 + ...susp_failed_logons_single_source_ntlm2.yml | 1 + ...usp_failed_remote_logons_single_source.yml | 1 + .../builtin/win_susp_interactive_logons.yml | 1 + .../win_susp_kerberos_manipulation.yml | 1 + .../builtin/win_susp_ldap_dataexchange.yml | 1 + .../win_susp_local_anon_logon_created.yml | 1 + .../win_susp_logon_explicit_credentials.yml | 1 + rules/sigma/builtin/win_susp_lsass_dump.yml | 1 + .../builtin/win_susp_lsass_dump_generic.yml | 1 + .../builtin/win_susp_mshta_execution.yml | 1 + .../sigma/builtin/win_susp_msmpeng_crash.yml | 1 + ...susp_multiple_files_renamed_or_deleted.yml | 1 + .../builtin/win_susp_net_recon_activity.yml | 1 + rules/sigma/builtin/win_susp_ntlm_auth.yml | 1 + rules/sigma/builtin/win_susp_ntlm_rdp.yml | 1 + rules/sigma/builtin/win_susp_proceshacker.yml | 1 + rules/sigma/builtin/win_susp_psexec.yml | 1 + .../win_susp_raccess_sensitive_fext.yml | 1 + rules/sigma/builtin/win_susp_rc4_kerberos.yml | 1 + rules/sigma/builtin/win_susp_rottenpotato.yml | 1 + rules/sigma/builtin/win_susp_sam_dump.yml | 1 + rules/sigma/builtin/win_susp_sdelete.yml | 1 + .../builtin/win_susp_time_modification.yml | 1 + rules/sigma/builtin/win_susp_wmi_login.yml | 1 + ...uspicious_outbound_kerberos_connection.yml | 1 + .../builtin/win_svcctl_remote_service.yml | 1 + .../builtin/win_syskey_registry_access.yml | 1 + .../win_sysmon_channel_reference_deletion.yml | 1 + .../win_system_susp_eventlog_cleared.yml | 1 + .../builtin/win_tap_driver_installation.yml | 1 + ...ith_credential_data_via_network_shares.yml | 1 + .../sigma/builtin/win_usb_device_plugged.yml | 1 + ...win_user_added_to_local_administrators.yml | 1 + ...ileged_service_lsaregisterlogonprocess.yml | 1 + rules/sigma/builtin/win_user_creation.yml | 1 + .../sigma/builtin/win_user_driver_loaded.yml | 1 + .../builtin/win_volume_shadow_copy_mount.yml | 1 + ..._vssaudit_secevent_source_registration.yml | 1 + rules/sigma/builtin/win_vul_cve_2020_0688.yml | 1 + rules/sigma/builtin/win_vul_cve_2020_1472.yml | 1 + .../win_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../sysmon_cactustorch.yml | 1 + .../sysmon_cobaltstrike_process_injection.yml | 1 + .../sysmon_createremotethread_loadlibrary.yml | 1 + .../sysmon_password_dumper_lsass.yml | 1 + .../sysmon_powershell_code_injection.yml | 1 + .../sysmon_susp_powershell_rundll32.yml | 1 + .../sysmon_suspicious_remote_thread.yml | 1 + .../sysmon_ads_executable.yml | 1 + .../sysmon_regedit_export_to_ads.yml | 1 + .../dns_query/dns_net_mal_cobaltstrike.yml | 1 + rules/sigma/dns_query/dns_net_susp_ipify.yml | 1 + ...s_query_hybridconnectionmgr_servicebus.yml | 1 + rules/sigma/dns_query/dns_query_mega_nz.yml | 1 + .../dns_query_possible_dns_rebinding.yml | 1 + .../dns_query_regsvr32_network_activity.yml | 1 + .../driver_load_mal_creddumper.yml | 1 + ...tstrike_getsystem_service_installation.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../driver_load/driver_load_susp_temp_use.yml | 1 + .../driver_load_vuln_dell_driver.yml | 1 + .../driver_load/driver_load_windivert.yml | 1 + ...mmand_execution_by_office_applications.yml | 1 + .../file_delete/sysmon_delete_prefetch.yml | 1 + ...mon_sysinternals_sdelete_file_deletion.yml | 1 + .../win_cve_2021_1675_printspooler_del.yml | 1 + .../file_event_advanced_ip_scanner.yml | 1 + .../file_event_apt_unidentified_nov_18.yml | 1 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 1 + .../file_event/file_event_hack_dumpert.yml | 1 + .../file_event_hktl_createminidump.yml | 1 + .../file_event/file_event_lsass_dump.yml | 1 + .../file_event/file_event_mal_adwind.yml | 1 + .../file_event_mal_vhd_download.yml | 1 + ...ile_event_mimikatz_kirbi_file_creation.yml | 1 + .../file_event/file_event_moriya_rootkit.yml | 1 + .../file_event_pingback_backdoor.yml | 1 + ...ript_creation_by_office_using_file_ext.yml | 1 + .../file_event/file_event_susp_task_write.yml | 1 + .../file_event/file_event_tool_psexec.yml | 1 + .../file_event_uac_bypass_winsat.yml | 1 + .../file_event/file_event_uac_bypass_wmp.yml | 1 + ...e_event_win_shell_write_susp_directory.yml | 1 + .../file_event_winrm_awl_bypass.yml | 1 + ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../sysmon_creation_system_file.yml | 1 + .../sysmon_cred_dump_tools_dropped_files.yml | 1 + .../sysmon_cve_2021_26858_msexchange.yml | 1 + .../sysmon_detect_powerup_dllhijacking.yml | 1 + .../sysmon_ghostpack_safetykatz.yml | 1 + ...sysmon_lsass_memory_dump_file_creation.yml | 1 + .../file_event/sysmon_office_persistence.yml | 1 + .../file_event/sysmon_outlook_newform.yml | 1 + .../file_event/sysmon_pcre_net_temp_file.yml | 1 + .../sysmon_powershell_exploit_scripts.yml | 1 + .../sysmon_powershell_startup_shortcuts.yml | 1 + .../file_event/sysmon_quarkspw_filedump.yml | 1 + .../sysmon_redmimicry_winnti_filedrop.yml | 1 + .../sysmon_startup_folder_file_write.yml | 1 + .../sysmon_susp_adsi_cache_usage.yml | 1 + .../sigma/file_event/sysmon_susp_clr_logs.yml | 1 + .../file_event/sysmon_susp_desktop_ini.yml | 1 + .../sysmon_susp_pfx_file_creation.yml | 1 + ...cexplorer_driver_created_in_tmp_folder.yml | 1 + ...n_suspicious_powershell_profile_create.yml | 1 + .../sysmon_tsclient_filewrite_startup.yml | 1 + .../sysmon_uac_bypass_consent_comctl32.yml | 1 + .../sysmon_uac_bypass_dotnet_profiler.yml | 1 + .../file_event/sysmon_uac_bypass_ieinstal.yml | 1 + .../sysmon_uac_bypass_msconfig_gui.yml | 1 + .../sysmon_uac_bypass_ntfs_reparse_point.yml | 1 + .../sysmon_webshell_creation_detect.yml | 1 + ...ersistence_script_event_consumer_write.yml | 1 + .../win_cve_2021_1675_printspooler.yml | 1 + .../win_file_winword_cve_2021_40444.yml | 1 + .../win_hivenightmare_file_exports.yml | 1 + .../win_outlook_c2_macro_creation.yml | 1 + .../sigma/file_event/win_rclone_exec_file.yml | 1 + .../win_susp_desktopimgdownldr_file.yml | 1 + .../image_load_pingback_backdoor.yml | 1 + .../image_load_silenttrinity_stage_use.yml | 1 + ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../process_creation_tttracer_mod_load.yml | 1 + .../sysmon_abusing_azure_browser_sso.yml | 1 + ..._alternate_powershell_hosts_moduleload.yml | 1 + .../image_load/sysmon_foggyweb_nobelium.yml | 1 + .../sysmon_in_memory_powershell.yml | 1 + .../sigma/image_load/sysmon_pcre_net_load.yml | 1 + ...cons_imageload_wmi_scripteventconsumer.yml | 1 + .../image_load/sysmon_spoolsv_dll_load.yml | 1 + .../sigma/image_load/sysmon_susp_fax_dll.yml | 1 + .../image_load/sysmon_susp_image_load.yml | 1 + ...n_susp_office_dotnet_assembly_dll_load.yml | 1 + ...sysmon_susp_office_dotnet_clr_dll_load.yml | 1 + ...sysmon_susp_office_dotnet_gac_dll_load.yml | 1 + .../sysmon_susp_office_dsparse_dll_load.yml | 1 + .../sysmon_susp_office_kerberos_dll_load.yml | 1 + .../sysmon_susp_python_image_load.yml | 1 + ...sysmon_susp_script_dotnet_clr_dll_load.yml | 1 + .../sysmon_susp_system_drawing_load.yml | 1 + .../sysmon_susp_winword_vbadll_load.yml | 1 + .../sysmon_susp_winword_wmidll_load.yml | 1 + ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 1 + ...sysmon_svchost_dll_search_order_hijack.yml | 1 + .../image_load/sysmon_tttracer_mod_load.yml | 1 + .../image_load/sysmon_uac_bypass_via_dism.yml | 1 + .../sysmon_uipromptforcreds_dlls.yml | 1 + ...ysmon_unsigned_image_loaded_into_lsass.yml | 1 + .../image_load/sysmon_wmi_module_load.yml | 1 + ...persistence_commandline_event_consumer.yml | 1 + .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 1 + .../sysmon_wsman_provider_image_load.yml | 1 + .../image_load/win_susp_svchost_clfsw32.yml | 1 + .../image_load/win_suspicious_vss_ps_load.yml | 1 + rules/sigma/malware/av_exploiting.yml | 1 + rules/sigma/malware/av_hacktool.yml | 1 + rules/sigma/malware/av_password_dumper.yml | 1 + .../av_printernightmare_cve_2021_34527.yml | 1 + rules/sigma/malware/av_relevant_files.yml | 1 + rules/sigma/malware/av_webshell.yml | 1 + .../file_event_mal_octopus_scanner.yml | 1 + .../process_creation_mal_blue_mockingbird.yml | 1 + ...ocess_creation_mal_darkside_ransomware.yml | 1 + ...ess_creation_mal_lockergoga_ransomware.yml | 1 + .../malware/process_creation_mal_ryuk.yml | 1 + .../malware/registry_event_mal_azorult.yml | 1 + .../registry_event_mal_blue_mockingbird.yml | 1 + .../malware/registry_event_mal_flowcloud.yml | 1 + .../malware/registry_event_mal_netwire.yml | 1 + .../malware/registry_event_mal_ursnif.yml | 1 + .../silenttrinity_stager_msbuild_activity.yml | 1 + .../sysmon_dllhost_net_connections.yml | 1 + ...smon_excel_outbound_network_connection.yml | 1 + .../sysmon_malware_backconnect_ports.yml | 1 + .../sysmon_notepad_network_connection.yml | 1 + .../sysmon_powershell_network_connection.yml | 1 + .../sysmon_rdp_reverse_tunnel.yml | 1 + .../sysmon_regsvr32_network_activity.yml | 1 + ...smon_remote_powershell_session_network.yml | 1 + .../sysmon_rundll32_net_connections.yml | 1 + ..._susp_prog_location_network_connection.yml | 1 + .../network_connection/sysmon_susp_rdp.yml | 1 + ...uspicious_outbound_kerberos_connection.yml | 1 + .../sysmon_win_binary_github_com.yml | 1 + .../sysmon_win_binary_susp_com.yml | 1 + .../sysmon_wuauclt_network_connection.yml | 1 + .../win_net_crypto_mining.yml | 1 + .../sigma/other/win_defender_amsi_trigger.yml | 1 + rules/sigma/other/win_defender_bypass.yml | 1 + rules/sigma/other/win_defender_disabled.yml | 1 + rules/sigma/other/win_defender_exclusions.yml | 1 + .../other/win_defender_history_delete.yml | 1 + .../other/win_defender_psexec_wmi_asr.yml | 1 + ...win_defender_tamper_protection_trigger.yml | 1 + rules/sigma/other/win_defender_threat.yml | 1 + .../other/win_exchange_cve_2021_42321.yml | 1 + .../win_exchange_proxylogon_oabvirtualdir.yml | 1 + ...ange_proxyshell_certificate_generation.yml | 1 + ...win_exchange_proxyshell_mailbox_export.yml | 1 + ...hange_proxyshell_remove_mailbox_export.yml | 1 + .../win_exchange_transportagent_failed.yml | 1 + .../other/win_lateral_movement_condrv.yml | 1 + rules/sigma/other/win_ldap_recon.yml | 1 + rules/sigma/other/win_pcap_drivers.yml | 1 + ...gon_exploitation_using_wellknown_tools.yml | 1 + .../sigma/other/win_rare_schtask_creation.yml | 1 + .../other/win_security_wmi_persistence.yml | 1 + .../other/win_system_defender_disabled.yml | 1 + rules/sigma/other/win_tool_psexec.yml | 1 + rules/sigma/other/win_wmi_persistence.yml | 1 + .../pipe_created/pipe_created_tool_psexec.yml | 1 + ...sysmon_alternate_powershell_hosts_pipe.yml | 1 + .../sysmon_apt_turla_namedpipes.yml | 1 + .../sysmon_cred_dump_tools_named_pipes.yml | 1 + .../sysmon_efspotato_namedpipe.yml | 1 + .../pipe_created/sysmon_mal_cobaltstrike.yml | 1 + .../sysmon_mal_cobaltstrike_re.yml | 1 + .../pipe_created/sysmon_mal_namedpipes.yml | 1 + .../sysmon_powershell_execution_pipe.yml | 1 + .../sysmon_psexec_pipes_artifacts.yml | 1 + .../sysmon_susp_adfs_namedpipe_connection.yml | 1 + ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 1 + .../sysmon_susp_wmi_consumer_namedpipe.yml | 1 + ...ell_classic_alternate_powershell_hosts.yml | 1 + .../powershell_classic_powercat.yml | 1 + ...hell_classic_remote_powershell_session.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../powershell_classic_susp_zip_compress.yml | 1 + ...powershell_classic_suspicious_download.yml | 1 + ...powershell_delete_volume_shadow_copies.yml | 1 + .../powershell_downgrade_attack.yml | 1 + .../powershell_exe_calling_ps.yml | 1 + .../powershell_renamed_powershell.yml | 1 + ...owershell_tamper_with_windows_defender.yml | 1 + ...shell_wsman_com_provider_no_powershell.yml | 1 + .../powershell_xor_commandline.yml | 1 + .../powershell_alternate_powershell_hosts.yml | 1 + .../powershell_bad_opsec_artifacts.yml | 1 + .../powershell_clear_powershell_history.yml | 1 + .../powershell_decompress_commands.yml | 1 + .../powershell_get_clipboard.yml | 1 + .../powershell_invoke_obfuscation_clip.yml | 1 + ...hell_invoke_obfuscation_obfuscated_iex.yml | 1 + .../powershell_invoke_obfuscation_stdin.yml | 1 + .../powershell_invoke_obfuscation_var.yml | 1 + ...rshell_invoke_obfuscation_via_compress.yml | 1 + ...wershell_invoke_obfuscation_via_rundll.yml | 1 + ...owershell_invoke_obfuscation_via_stdin.yml | 1 + ...rshell_invoke_obfuscation_via_use_clip.yml | 1 + ...shell_invoke_obfuscation_via_use_mhsta.yml | 1 + ...ll_invoke_obfuscation_via_use_rundll32.yml | 1 + .../powershell_invoke_obfuscation_via_var.yml | 1 + .../powershell_module/powershell_powercat.yml | 1 + .../powershell_remote_powershell_session.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../powershell_susp_zip_compress.yml | 1 + ...ell_suspicious_download_in_contextinfo.yml | 1 + ...ious_invocation_generic_in_contextinfo.yml | 1 + ...ous_invocation_specific_in_contextinfo.yml | 1 + ...ppvpublishingserver_exe_in_contextinfo.yml | 1 + .../powershell_accessing_win_api.yml | 1 + .../powershell_adrecon_execution.yml | 1 + .../powershell_automated_collection.yml | 1 + .../powershell_azurehound_commands.yml | 1 + .../powershell_cl_invocation_lolscript.yml | 1 + ...wershell_cl_invocation_lolscript_count.yml | 1 + ...powershell_cl_mutexverifiers_lolscript.yml | 1 + ...hell_cl_mutexverifiers_lolscript_count.yml | 1 + .../powershell_create_local_user.yml | 1 + .../powershell_data_compressed.yml | 1 + .../powershell_detect_vm_env.yml | 1 + .../powershell_dnscat_execution.yml | 1 + .../powershell_icmp_exfiltration.yml | 1 + .../powershell_invoke_nightmare.yml | 1 + ...ke_obfuscation_clip_in_scriptblocktext.yml | 1 + ...tion_obfuscated_iex_in_scriptblocktext.yml | 1 + ...e_obfuscation_stdin_in_scriptblocktext.yml | 1 + ...oke_obfuscation_var_in_scriptblocktext.yml | 1 + ...cation_via_compress_in_scriptblocktext.yml | 1 + ...uscation_via_rundll_in_scriptblocktext.yml | 1 + ...fuscation_via_stdin_in_scriptblocktext.yml | 1 + ...cation_via_use_clip_in_scriptblocktext.yml | 1 + ...ation_via_use_mhsta_in_scriptblocktext.yml | 1 + ...on_via_use_rundll32_in_scriptblocktext.yml | 1 + ...obfuscation_via_var_in_scriptblocktext.yml | 1 + .../powershell_keylogging.yml | 1 + .../powershell_malicious_commandlets.yml | 1 + .../powershell_malicious_keywords.yml | 1 + ...ll_memorydump_getstoragediagnosticinfo.yml | 1 + ...wershell_nishang_malicious_commandlets.yml | 1 + .../powershell_ntfs_ads_access.yml | 1 + ...rshell_powerview_malicious_commandlets.yml | 1 + .../powershell_prompt_credentials.yml | 1 + .../powershell_script/powershell_psattack.yml | 1 + ...ershell_set_policies_to_unsecure_level.yml | 1 + .../powershell_shellcode_b64.yml | 1 + ...shell_shellintel_malicious_commandlets.yml | 1 + .../powershell_software_discovery.yml | 1 + ...ll_store_file_in_alternate_data_stream.yml | 1 + ...l_susp_zip_compress_in_scriptblocktext.yml | 1 + ...suspicious_download_in_scriptblocktext.yml | 1 + ...shell_suspicious_export_pfxcertificate.yml | 1 + ...powershell_suspicious_getprocess_lsass.yml | 1 + ..._invocation_generic_in_scriptblocktext.yml | 1 + ..._invocation_specific_in_scripblocktext.yml | 1 + .../powershell_suspicious_keywords.yml | 1 + .../powershell_suspicious_mail_acces.yml | 1 + ...hell_suspicious_mounted_share_deletion.yml | 1 + .../powershell_suspicious_recon.yml | 1 + .../powershell_suspicious_win32_pnpentity.yml | 1 + .../powershell_suspicious_windowstyle.yml | 1 + ...ublishingserver_exe_in_scriptblocktext.yml | 1 + .../powershell_timestomp.yml | 1 + .../powershell_trigger_profiles.yml | 1 + .../powershell_web_request.yml | 1 + ...hell_windows_firewall_profile_disabled.yml | 1 + .../powershell_winlogon_helper_dll.yml | 1 + .../powershell_wmi_persistence.yml | 1 + .../powershell_wmimplant.yml | 1 + .../sysmon_cmstp_execution_by_access.yml | 1 + ...mon_cobaltstrike_bof_injection_pattern.yml | 1 + .../sysmon_cred_dump_lsass_access.yml | 1 + .../sysmon_direct_syscall_ntopenprocess.yml | 1 + .../sysmon_in_memory_assembly_execution.yml | 1 + .../process_access/sysmon_invoke_phantom.yml | 1 + .../sysmon_lazagne_cred_dump_lsass_access.yml | 1 + ...sysmon_littlecorporal_generated_maldoc.yml | 1 + ...ndocumented_autoelevated_com_interface.yml | 1 + .../sysmon_lsass_dump_comsvcs_dll.yml | 1 + .../process_access/sysmon_lsass_memdump.yml | 1 + .../sysmon_malware_verclsid_shellcode.yml | 1 + .../sysmon_mimikatz_trough_winrm.yml | 1 + ...sysmon_pypykatz_cred_dump_lsass_access.yml | 1 + .../sysmon_svchost_cred_dump.yml | 1 + .../sysmon_uac_bypass_wow64_logger.yml | 1 + .../win_susp_shell_spawn_from_winrm.yml | 1 + ...sing_windows_telemetry_for_persistence.yml | 1 + .../process_creation_advanced_ip_scanner.yml | 1 + ...rocess_creation_alternate_data_streams.yml | 1 + .../process_creation_apt_gallium.yml | 1 + .../process_creation_apt_gallium_sha1.yml | 1 + .../process_creation_apt_pandemic.yml | 1 + .../process_creation_apt_slingshot.yml | 1 + ...s_creation_apt_turla_commands_critical.yml | 1 + .../process_creation_apt_wocao.yml | 1 + .../process_creation_automated_collection.yml | 1 + .../process_creation_c3_load_by_rundll32.yml | 1 + .../process_creation_certoc_execution.yml | 1 + .../process_creation_clip.yml | 1 + ...creation_cobaltstrike_load_by_rundll32.yml | 1 + .../process_creation_conti_cmd_ransomware.yml | 1 + .../process_creation_coti_sqlcmd.yml | 1 + ...process_creation_discover_private_keys.yml | 1 + ...cess_creation_dns_serverlevelplugindll.yml | 1 + .../process_creation_dotnet.yml | 1 + .../process_creation_hack_dumpert.yml | 1 + .../process_creation_infdefaultinstall.yml | 1 + ...data_exfiltration_by_using_datasvcutil.yml | 1 + ...reation_lolbins_by_office_applications.yml | 1 + ...suspicious_driver_installed_by_pnputil.yml | 1 + ...n_lolbins_with_wmiprvse_parent_process.yml | 1 + .../process_creation_msdeploy.yml | 1 + ..._applications_spawning_wmi_commandline.yml | 1 + ..._from_proxy_executing_regsvr32_payload.yml | 1 + ...from_proxy_executing_regsvr32_payload2.yml | 1 + ...eation_office_spawning_wmi_commandline.yml | 1 + .../process_creation_pingback_backdoor.yml | 1 + ...eation_protocolhandler_suspicious_file.yml | 1 + ...ss_creation_root_certificate_installed.yml | 1 + .../process_creation_sdelete.yml | 1 + .../process_creation_software_discovery.yml | 1 + ...ocess_creation_stickykey_like_backdoor.yml | 1 + .../process_creation_stordiag_execution.yml | 1 + .../process_creation_susp_7z.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../process_creation_susp_del.yml | 1 + .../process_creation_susp_recon.yml | 1 + .../process_creation_susp_web_request_cmd.yml | 1 + .../process_creation_susp_winzip.yml | 1 + .../process_creation_susp_zip_compress.yml | 1 + ...ingserver_execute_arbitrary_powershell.yml | 1 + ...ublishingserver_vbs_execute_powershell.yml | 1 + ...ss_creation_sysinternals_eula_accepted.yml | 1 + ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 1 + .../process_creation_tool_psexec.yml | 1 + ...s_creation_win_exchange_transportagent.yml | 1 + .../process_mailboxexport_share.yml | 1 + .../process_susp_esentutl_params.yml | 1 + .../sysmon_abusing_debug_privilege.yml | 1 + ..._accesschk_usage_after_priv_escalation.yml | 1 + ...levated_msi_spawned_cmd_and_powershell.yml | 1 + ...ays_install_elevated_windows_installer.yml | 1 + .../sysmon_apt_muddywater_dnstunnel.yml | 1 + .../process_creation/sysmon_apt_sourgrum.yml | 1 + ...sian_confluence_cve_2021_26084_exploit.yml | 1 + .../sysmon_cmstp_execution_by_creation.yml | 1 + .../sysmon_creation_mavinject_dll.yml | 1 + .../sysmon_cve_2021_26857_msexchange.yml | 1 + .../sysmon_expand_cabinet_files.yml | 1 + .../process_creation/sysmon_hack_wce.yml | 1 + .../sysmon_high_integrity_sdclt.yml | 1 + ...on_scripts_userinitmprlogonscript_proc.yml | 1 + .../sysmon_long_powershell_commandline.yml | 1 + .../sysmon_netcat_execution.yml | 1 + .../sysmon_proxy_execution_wuauclt.yml | 1 + ...move_windows_defender_definition_files.yml | 1 + .../sysmon_sdclt_child_process.yml | 1 + .../sysmon_susp_plink_remote_forward.yml | 1 + .../sysmon_susp_service_modification.yml | 1 + .../sysmon_susp_webdav_client_execution.yml | 1 + .../sysmon_uninstall_crowdstrike_falcon.yml | 1 + .../sysmon_vmtoolsd_susp_child_process.yml | 1 + .../wim_pc_apt_chafer_mar18.yml | 1 + .../win_ad_find_discovery.yml | 1 + .../win_anydesk_silent_install.yml | 1 + .../win_apt_apt29_thinktanks.yml | 1 + .../process_creation/win_apt_babyshark.yml | 1 + .../win_apt_bear_activity_gtr19.yml | 1 + .../process_creation/win_apt_bluemashroom.yml | 1 + .../process_creation/win_apt_cloudhopper.yml | 1 + .../process_creation/win_apt_dragonfly.yml | 1 + .../sigma/process_creation/win_apt_elise.yml | 1 + .../win_apt_emissarypanda_sep19.yml | 1 + .../process_creation/win_apt_empiremonkey.yml | 1 + .../win_apt_equationgroup_dll_u_load.yml | 1 + .../win_apt_evilnum_jul20.yml | 1 + .../win_apt_greenbug_may20.yml | 1 + .../process_creation/win_apt_hafnium.yml | 1 + .../win_apt_hurricane_panda.yml | 1 + .../win_apt_judgement_panda_gtr19.yml | 1 + .../win_apt_ke3chang_regadd.yml | 1 + .../win_apt_lazarus_activity_apr21.yml | 1 + .../win_apt_lazarus_activity_dec20.yml | 1 + .../win_apt_lazarus_loader.yml | 1 + .../win_apt_lazarus_session_highjack.yml | 1 + .../process_creation/win_apt_mustangpanda.yml | 1 + .../process_creation/win_apt_revil_kaseya.yml | 1 + .../sigma/process_creation/win_apt_sofacy.yml | 1 + .../process_creation/win_apt_ta17_293a_ps.yml | 1 + .../win_apt_ta505_dropper.yml | 1 + .../process_creation/win_apt_taidoor.yml | 1 + .../win_apt_tropictrooper.yml | 1 + .../win_apt_turla_comrat_may20.yml | 1 + .../process_creation/win_apt_unc2452_cmds.yml | 1 + .../process_creation/win_apt_unc2452_ps.yml | 1 + .../win_apt_unidentified_nov_18.yml | 1 + .../win_apt_winnti_mal_hk_jan20.yml | 1 + .../win_apt_winnti_pipemon.yml | 1 + .../process_creation/win_apt_zxshell.yml | 1 + .../win_attrib_hiding_files.yml | 1 + .../win_bad_opsec_sacrificial_processes.yml | 1 + .../process_creation/win_bootconf_mod.yml | 1 + .../win_bypass_squiblytwo.yml | 1 + .../win_change_default_file_association.yml | 1 + .../win_cl_invocation_lolscript.yml | 1 + .../win_cl_mutexverifiers_lolscript.yml | 1 + .../win_class_exec_xwizard.yml | 1 + .../process_creation/win_cmdkey_recon.yml | 1 + .../win_cmstp_com_object_access.yml | 1 + .../win_cobaltstrike_process_patterns.yml | 1 + .../win_commandline_path_traversal.yml | 1 + ...win_commandline_path_traversal_evasion.yml | 1 + .../win_control_panel_item.yml | 1 + ...g_sensitive_files_with_credential_data.yml | 1 + ..._credential_access_via_password_filter.yml | 1 + .../process_creation/win_crime_fireball.yml | 1 + .../win_crime_maze_ransomware.yml | 1 + .../win_crime_snatch_ransomware.yml | 1 + .../win_crypto_mining_monero.yml | 1 + .../win_data_compressed_with_rar.yml | 1 + .../win_detecting_fake_instances_of_hxtsr.yml | 1 + .../win_dll_sideload_xwizard.yml | 1 + .../win_dns_exfiltration_tools_execution.yml | 1 + .../win_dnscat2_powershell_implementation.yml | 1 + .../win_encoded_frombase64string.yml | 1 + .../process_creation/win_encoded_iex.yml | 1 + .../win_etw_modification_cmdline.yml | 1 + .../win_etw_trace_evasion.yml | 1 + ...ltration_and_tunneling_tools_execution.yml | 1 + .../win_exploit_cve_2015_1641.yml | 1 + .../win_exploit_cve_2017_0261.yml | 1 + .../win_exploit_cve_2017_11882.yml | 1 + .../win_exploit_cve_2017_8759.yml | 1 + .../win_exploit_cve_2019_1378.yml | 1 + .../win_exploit_cve_2019_1388.yml | 1 + .../win_exploit_cve_2020_10189.yml | 1 + .../win_exploit_cve_2020_1048.yml | 1 + .../win_exploit_cve_2020_1350.yml | 1 + .../win_exploit_systemnightmare.yml | 1 + .../win_file_permission_modifications.yml | 1 + .../win_grabbing_sensitive_hives_via_reg.yml | 1 + .../process_creation/win_hack_adcspwn.yml | 1 + .../process_creation/win_hack_bloodhound.yml | 1 + .../process_creation/win_hack_koadic.yml | 1 + .../process_creation/win_hack_rubeus.yml | 1 + .../win_hack_secutyxploded.yml | 1 + rules/sigma/process_creation/win_hh_chm.yml | 1 + .../win_hiding_malware_in_fonts_folder.yml | 1 + .../win_hktl_createminidump.yml | 1 + .../win_hktl_uacme_uac_bypass.yml | 1 + .../process_creation/win_html_help_spawn.yml | 1 + .../process_creation/win_hwp_exploits.yml | 1 + .../win_impacket_compiled_tools.yml | 1 + .../win_impacket_lateralization.yml | 1 + .../process_creation/win_indirect_cmd.yml | 1 + ...n_indirect_cmd_compatibility_assistant.yml | 1 + .../win_install_reg_debugger_backdoor.yml | 1 + .../process_creation/win_interactive_at.yml | 1 + .../win_invoke_obfuscation_clip.yml | 1 + ...obfuscation_obfuscated_iex_commandline.yml | 1 + .../win_invoke_obfuscation_stdin.yml | 1 + .../win_invoke_obfuscation_var.yml | 1 + .../win_invoke_obfuscation_via_compress.yml | 1 + .../win_invoke_obfuscation_via_rundll.yml | 1 + .../win_invoke_obfuscation_via_stdin.yml | 1 + .../win_invoke_obfuscation_via_use_clip.yml | 1 + .../win_invoke_obfuscation_via_use_mhsta.yml | 1 + ...in_invoke_obfuscation_via_use_rundll32.yml | 1 + .../win_invoke_obfuscation_via_var.yml | 1 + .../sigma/process_creation/win_lethalhta.yml | 1 + ...n_local_system_owner_account_discovery.yml | 1 + .../win_lolbas_execution_of_wuauclt.yml | 1 + .../win_lolbin_execution_via_winget.yml | 1 + .../sigma/process_creation/win_lsass_dump.yml | 1 + .../sigma/process_creation/win_mal_adwind.yml | 1 + .../process_creation/win_malware_conti.yml | 1 + .../win_malware_conti_7zip.yml | 1 + .../win_malware_conti_shadowcopy.yml | 1 + .../process_creation/win_malware_dridex.yml | 1 + .../process_creation/win_malware_dtrack.yml | 1 + .../process_creation/win_malware_emotet.yml | 1 + .../process_creation/win_malware_formbook.yml | 1 + .../process_creation/win_malware_notpetya.yml | 1 + .../process_creation/win_malware_qbot.yml | 1 + .../process_creation/win_malware_ryuk.yml | 1 + .../win_malware_script_dropper.yml | 1 + .../win_malware_trickbot_recon_activity.yml | 1 + .../win_malware_trickbot_wermgr.yml | 1 + .../process_creation/win_malware_wannacry.yml | 1 + .../win_manage_bde_lolbas.yml | 1 + .../win_mavinject_proc_inj.yml | 1 + ...r_cobaltstrike_getsystem_service_start.yml | 1 + .../win_mimikatz_command_line.yml | 1 + .../process_creation/win_mmc_spawn_shell.yml | 1 + ..._modif_of_services_for_via_commandline.yml | 1 + ...in_monitoring_for_persistence_via_bits.yml | 1 + .../sigma/process_creation/win_mouse_lock.yml | 1 + .../process_creation/win_mshta_javascript.yml | 1 + .../win_mshta_spawn_shell.yml | 1 + .../win_multiple_suspicious_cli.yml | 1 + rules/sigma/process_creation/win_net_enum.yml | 1 + .../process_creation/win_net_user_add.yml | 1 + .../win_netsh_allow_port_rdp.yml | 1 + .../process_creation/win_netsh_fw_add.yml | 1 + .../win_netsh_fw_add_susp_image.yml | 1 + .../win_netsh_packet_capture.yml | 1 + .../process_creation/win_netsh_port_fwd.yml | 1 + .../win_netsh_port_fwd_3389.yml | 1 + .../win_netsh_wifi_credential_harvesting.yml | 1 + .../process_creation/win_network_sniffing.yml | 1 + .../win_new_service_creation.yml | 1 + .../process_creation/win_nltest_recon.yml | 1 + .../win_non_interactive_powershell.yml | 1 + .../win_non_priv_reg_or_ps.yml | 1 + .../process_creation/win_office_shell.yml | 1 + ..._office_spawn_exe_from_users_directory.yml | 1 + .../win_pc_set_policies_to_unsecure_level.yml | 1 + .../win_pc_susp_cmdl32_lolbas.yml | 1 + .../win_pc_susp_reg_bitlocker.yml | 1 + .../win_pc_susp_schtasks_user_temp.yml | 1 + .../process_creation/win_pc_susp_zipexec.yml | 1 + .../win_plugx_susp_exe_locations.yml | 1 + .../win_possible_applocker_bypass.yml | 1 + ...ation_via_service_registry_permissions.yml | 1 + .../win_powershell_amsi_bypass.yml | 1 + .../win_powershell_audio_capture.yml | 1 + .../win_powershell_b64_shellcode.yml | 1 + .../win_powershell_bitsjob.yml | 1 + ...in_powershell_cmdline_reversed_strings.yml | 1 + ..._powershell_cmdline_special_characters.yml | 1 + ...wershell_cmdline_specific_comb_methods.yml | 1 + .../win_powershell_defender_exclusion.yml | 1 + .../win_powershell_disable_windef_av.yml | 1 + .../win_powershell_dll_execution.yml | 1 + .../win_powershell_downgrade_attack.yml | 1 + .../win_powershell_download.yml | 1 + .../win_powershell_frombase64string.yml | 1 + ...in_powershell_reverse_shell_connection.yml | 1 + ...ershell_suspicious_parameter_variation.yml | 1 + .../win_powershell_xor_commandline.yml | 1 + .../win_powersploit_empire_schtasks.yml | 1 + .../win_proc_wrong_parent.yml | 1 + rules/sigma/process_creation/win_procdump.yml | 1 + ...in_process_creation_bitsadmin_download.yml | 1 + .../win_process_dump_rdrleakdiag.yml | 1 + .../win_process_dump_rundll32_comsvcs.yml | 1 + .../process_creation/win_psexesvc_start.yml | 1 + .../win_purplesharp_indicators.yml | 1 + .../process_creation/win_query_registry.yml | 1 + .../win_rasautou_dll_execution.yml | 1 + .../win_rdp_hijack_shadowing.yml | 1 + .../win_redmimicry_winnti_proc.yml | 1 + .../process_creation/win_reg_add_run_key.yml | 1 + .../win_regedit_export_critical_keys.yml | 1 + .../win_regedit_export_keys.yml | 1 + .../win_regedit_import_keys.yml | 1 + .../win_regedit_import_keys_ads.yml | 1 + rules/sigma/process_creation/win_regini.yml | 1 + .../sigma/process_creation/win_regini_ads.yml | 1 + .../win_remote_powershell_session_process.yml | 1 + .../win_remote_time_discovery.yml | 1 + .../process_creation/win_renamed_binary.yml | 1 + .../win_renamed_binary_highly_relevant.yml | 1 + .../process_creation/win_renamed_jusched.yml | 1 + .../process_creation/win_renamed_megasync.yml | 1 + .../process_creation/win_renamed_paexec.yml | 1 + .../win_renamed_powershell.yml | 1 + .../process_creation/win_renamed_procdump.yml | 1 + .../process_creation/win_renamed_psexec.yml | 1 + .../process_creation/win_renamed_whoami.yml | 1 + .../win_run_powershell_script_from_ads.yml | 1 + ...un_powershell_script_from_input_stream.yml | 1 + .../process_creation/win_run_virtualbox.yml | 1 + .../win_rundll32_without_parameters.yml | 1 + .../win_script_event_consumer_spawn.yml | 1 + .../win_sdbinst_shim_persistence.yml | 1 + .../win_service_execution.yml | 1 + .../process_creation/win_service_stop.yml | 1 + .../win_shadow_copies_access_symlink.yml | 1 + .../win_shadow_copies_creation.yml | 1 + .../win_shadow_copies_deletion.yml | 1 + .../win_shell_spawn_mshta.yml | 1 + .../win_shell_spawn_susp_program.yml | 1 + .../win_silenttrinity_stage_use.yml | 1 + .../win_soundrec_audio_capture.yml | 1 + rules/sigma/process_creation/win_spn_enum.yml | 1 + ...uthenticated_privileged_console_access.yml | 1 + .../win_sus_auditpol_usage.yml | 1 + .../process_creation/win_susp_adfind.yml | 1 + .../process_creation/win_susp_atbroker.yml | 1 + .../process_creation/win_susp_bcdedit.yml | 1 + .../process_creation/win_susp_bginfo.yml | 1 + .../win_susp_bitstransfer.yml | 1 + .../sigma/process_creation/win_susp_calc.yml | 1 + rules/sigma/process_creation/win_susp_cdb.yml | 1 + .../win_susp_certutil_command.yml | 1 + .../win_susp_certutil_encode.yml | 1 + .../win_susp_child_process_as_system_.yml | 1 + .../process_creation/win_susp_cli_escape.yml | 1 + .../win_susp_cmd_http_appdata.yml | 1 + .../win_susp_cmd_shadowcopy_access.yml | 1 + .../win_susp_codepage_switch.yml | 1 + .../win_susp_commands_recon_activity.yml | 1 + .../win_susp_compression_params.yml | 1 + .../win_susp_comsvcs_procdump.yml | 1 + .../process_creation/win_susp_conhost.yml | 1 + .../win_susp_control_cve_2021_40444.yml | 1 + .../win_susp_control_dll_load.yml | 1 + .../win_susp_copy_lateral_movement.yml | 1 + .../win_susp_copy_system32.yml | 1 + .../process_creation/win_susp_covenant.yml | 1 + .../win_susp_crackmapexec_execution.yml | 1 + ...sp_crackmapexec_powershell_obfuscation.yml | 1 + rules/sigma/process_creation/win_susp_csc.yml | 1 + .../process_creation/win_susp_csc_folder.yml | 1 + rules/sigma/process_creation/win_susp_csi.yml | 1 + .../win_susp_curl_download.yml | 1 + .../win_susp_curl_fileupload.yml | 1 + .../win_susp_curl_start_combo.yml | 1 + .../win_susp_dctask64_proc_inject.yml | 1 + .../win_susp_desktopimgdownldr.yml | 1 + .../win_susp_devtoolslauncher.yml | 1 + ...susp_direct_asep_reg_keys_modification.yml | 1 + .../win_susp_disable_eventlog.yml | 1 + .../win_susp_disable_ie_features.yml | 1 + .../win_susp_disable_raccine.yml | 1 + .../process_creation/win_susp_diskshadow.yml | 1 + .../process_creation/win_susp_ditsnap.yml | 1 + rules/sigma/process_creation/win_susp_dnx.yml | 1 + .../win_susp_double_extension.yml | 1 + .../sigma/process_creation/win_susp_dxcap.yml | 1 + .../win_susp_emotet_rundll32_execution.yml | 1 + .../win_susp_eventlog_clear.yml | 1 + .../win_susp_execution_path.yml | 1 + .../win_susp_execution_path_webserver.yml | 1 + .../process_creation/win_susp_explorer.yml | 1 + .../win_susp_explorer_break_proctree.yml | 1 + .../win_susp_file_characteristics.yml | 1 + ...p_file_download_via_gfxdownloadwrapper.yml | 1 + .../process_creation/win_susp_findstr.yml | 1 + .../process_creation/win_susp_findstr_lnk.yml | 1 + .../win_susp_finger_usage.yml | 1 + .../win_susp_firewall_disable.yml | 1 + .../win_susp_fsutil_usage.yml | 1 + rules/sigma/process_creation/win_susp_ftp.yml | 1 + rules/sigma/process_creation/win_susp_gup.yml | 1 + .../win_susp_iss_module_install.yml | 1 + .../win_susp_mounted_share_deletion.yml | 1 + .../win_susp_mpcmdrun_download.yml | 1 + .../win_susp_mshta_pattern.yml | 1 + .../process_creation/win_susp_msiexec_cwd.yml | 1 + .../win_susp_msiexec_web_install.yml | 1 + .../process_creation/win_susp_msoffice.yml | 1 + .../win_susp_net_execution.yml | 1 + .../win_susp_netsh_dll_persistence.yml | 1 + .../process_creation/win_susp_ngrok_pua.yml | 1 + .../process_creation/win_susp_ntdsutil.yml | 1 + .../process_creation/win_susp_odbcconf.yml | 1 + .../process_creation/win_susp_openwith.yml | 1 + .../process_creation/win_susp_outlook.yml | 1 + .../win_susp_outlook_temp.yml | 1 + .../process_creation/win_susp_pcwutl.yml | 1 + .../process_creation/win_susp_pester.yml | 1 + .../process_creation/win_susp_ping_hex_ip.yml | 1 + .../win_susp_powershell_empire_launch.yml | 1 + .../win_susp_powershell_empire_uac_bypass.yml | 1 + .../win_susp_powershell_enc_cmd.yml | 1 + .../win_susp_powershell_encoded_param.yml | 1 + .../win_susp_powershell_getprocess_lsass.yml | 1 + .../win_susp_powershell_hidden_b64_cmd.yml | 1 + .../win_susp_powershell_parent_combo.yml | 1 + .../win_susp_powershell_parent_process.yml | 1 + .../win_susp_powershell_sam_access.yml | 1 + .../sigma/process_creation/win_susp_print.yml | 1 + .../process_creation/win_susp_procdump.yml | 1 + .../win_susp_procdump_lsass.yml | 1 + .../process_creation/win_susp_ps_appdata.yml | 1 + .../win_susp_ps_downloadfile.yml | 1 + .../process_creation/win_susp_psexec_eula.yml | 1 + .../win_susp_psexex_paexec_flags.yml | 1 + .../win_susp_psr_capture_screenshots.yml | 1 + .../process_creation/win_susp_rar_flags.yml | 1 + .../win_susp_rasdial_activity.yml | 1 + .../win_susp_razorinstaller_explorer.yml | 1 + .../win_susp_rclone_execution.yml | 1 + .../win_susp_recon_activity.yml | 1 + .../win_susp_reg_disable_sec_services.yml | 1 + .../win_susp_regedit_trustedinstaller.yml | 1 + .../win_susp_register_cimprovider.yml | 1 + .../win_susp_registration_via_cscript.yml | 1 + .../win_susp_regsvr32_anomalies.yml | 1 + .../win_susp_regsvr32_flags_anomaly.yml | 1 + .../win_susp_regsvr32_no_dll.yml | 1 + .../win_susp_renamed_dctask64.yml | 1 + .../win_susp_renamed_debugview.yml | 1 + .../win_susp_renamed_paexec.yml | 1 + .../process_creation/win_susp_rpcping.yml | 1 + .../win_susp_run_locations.yml | 1 + .../win_susp_rundll32_activity.yml | 1 + .../win_susp_rundll32_by_ordinal.yml | 1 + .../win_susp_rundll32_inline_vbs.yml | 1 + .../win_susp_rundll32_no_params.yml | 1 + ...p_rundll32_setupapi_installhinfsection.yml | 1 + .../win_susp_rundll32_sys.yml | 1 + .../win_susp_runonce_execution.yml | 1 + .../win_susp_runscripthelper.yml | 1 + .../win_susp_schtask_creation.yml | 1 + .../win_susp_schtask_creation_temp_folder.yml | 1 + .../win_susp_screenconnect_access.yml | 1 + .../win_susp_screensaver_reg.yml | 1 + .../win_susp_script_exec_from_temp.yml | 1 + .../win_susp_script_execution.yml | 1 + .../win_susp_service_dacl_modification.yml | 1 + .../process_creation/win_susp_service_dir.yml | 1 + .../win_susp_service_path_modification.yml | 1 + ...susp_servu_exploitation_cve_2021_35211.yml | 1 + .../win_susp_servu_process_pattern.yml | 1 + .../win_susp_shell_spawn_from_mssql.yml | 1 + .../win_susp_shimcache_flush.yml | 1 + .../process_creation/win_susp_splwow64.yml | 1 + .../win_susp_spoolsv_child_processes.yml | 1 + .../win_susp_sqldumper_activity.yml | 1 + .../win_susp_squirrel_lolbin.yml | 1 + .../process_creation/win_susp_svchost.yml | 1 + .../win_susp_svchost_no_cli.yml | 1 + .../win_susp_sysprep_appdata.yml | 1 + .../win_susp_sysvol_access.yml | 1 + .../win_susp_taskmgr_localsystem.yml | 1 + .../win_susp_taskmgr_parent.yml | 1 + .../win_susp_tracker_execution.yml | 1 + .../win_susp_tscon_localsystem.yml | 1 + .../win_susp_tscon_rdp_redirect.yml | 1 + .../win_susp_uac_bypass_trustedpath.yml | 1 + .../win_susp_use_of_csharp_console.yml | 1 + .../win_susp_use_of_sqlps_bin.yml | 1 + .../win_susp_use_of_sqltoolsps_bin.yml | 1 + .../win_susp_use_of_te_bin.yml | 1 + .../win_susp_use_of_vsjitdebugger_bin.yml | 1 + .../win_susp_userinit_child.yml | 1 + .../process_creation/win_susp_vboxdrvinst.yml | 1 + .../win_susp_vbscript_unc2452.yml | 1 + .../win_susp_volsnap_disable.yml | 1 + .../process_creation/win_susp_whoami.yml | 1 + .../win_susp_whoami_anomaly.yml | 1 + .../win_susp_winrar_execution.yml | 1 + .../win_susp_winrm_awl_bypass.yml | 1 + .../win_susp_winrm_execution.yml | 1 + .../win_susp_wmi_execution.yml | 1 + .../win_susp_wmic_eventconsumer_create.yml | 1 + .../win_susp_wmic_proc_create_rundll32.yml | 1 + ...n_susp_wmic_security_product_uninstall.yml | 1 + .../process_creation/win_susp_workfolders.yml | 1 + .../process_creation/win_susp_wsl_lolbin.yml | 1 + .../process_creation/win_susp_wuauclt.yml | 1 + .../win_sysmon_driver_unload.yml | 1 + .../win_system_exe_anomaly.yml | 1 + .../win_tap_installer_execution.yml | 1 + .../win_task_folder_evasion.yml | 1 + .../win_termserv_proc_spawn.yml | 1 + .../win_tools_relay_attacks.yml | 1 + .../process_creation/win_trust_discovery.yml | 1 + .../win_uac_bypass_changepk_slui.yml | 1 + .../win_uac_bypass_cleanmgr.yml | 1 + .../win_uac_bypass_computerdefaults.yml | 1 + .../win_uac_bypass_consent_comctl32.yml | 1 + .../win_uac_bypass_dismhost.yml | 1 + .../win_uac_bypass_ieinstal.yml | 1 + .../win_uac_bypass_msconfig_gui.yml | 1 + .../win_uac_bypass_ntfs_reparse_point.yml | 1 + .../win_uac_bypass_pkgmgr_dism.yml | 1 + .../win_uac_bypass_winsat.yml | 1 + .../process_creation/win_uac_bypass_wmp.yml | 1 + .../win_uac_bypass_wsreset.yml | 1 + .../sigma/process_creation/win_uac_cmstp.yml | 1 + .../process_creation/win_uac_fodhelper.yml | 1 + .../process_creation/win_uac_wsreset.yml | 1 + ..._change_sevice_image_path_by_non_admin.yml | 1 + .../win_using_settingsynchost_as_lolbin.yml | 1 + .../win_verclsid_runs_com.yml | 1 + .../win_visual_basic_compiler.yml | 1 + .../win_vul_java_remote_debugging.yml | 1 + .../win_webshell_detection.yml | 1 + .../win_webshell_recon_detection.yml | 1 + .../process_creation/win_webshell_spawn.yml | 1 + .../process_creation/win_whoami_as_system.yml | 1 + .../process_creation/win_whoami_priv.yml | 1 + .../win_win10_sched_task_0day.yml | 1 + .../process_creation/win_winword_dll_load.yml | 1 + ..._wmi_backdoor_exchange_transport_agent.yml | 1 + ..._wmi_persistence_script_event_consumer.yml | 1 + .../win_wmi_spwns_powershell.yml | 1 + .../win_wmiprvse_spawning_process.yml | 1 + .../win_workflow_compiler.yml | 1 + ...win_write_protect_for_storage_disabled.yml | 1 + .../win_wsreset_uac_bypass.yml | 1 + .../win_xsl_script_processing.yml | 1 + ...w_disk_access_using_illegitimate_tools.yml | 1 + ...sing_windows_telemetry_for_persistence.yml | 1 + .../registry_event_apt_chafer_mar18.yml | 1 + .../registry_event_apt_pandemic.yml | 1 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 1 + .../registry_event_defender_disabled.yml | 1 + .../registry_event_defender_exclusions.yml | 1 + ..._defender_realtime_protection_disabled.yml | 1 + ...egistry_event_dns_serverlevelplugindll.yml | 1 + .../registry_event_mal_adwind.yml | 1 + .../registry_event_mstsc_history_cleared.yml | 1 + .../registry_event_net_ntlm_downgrade.yml | 1 + ...registry_event_stickykey_like_backdoor.yml | 1 + ...istry_event_sysinternals_eula_accepted.yml | 1 + .../registry_event_uac_bypass_eventvwr.yml | 1 + .../registry_event_uac_bypass_winsat.yml | 1 + .../registry_event_uac_bypass_wmp.yml | 1 + .../registry_event/sysmon_apt_leviathan.yml | 1 + .../sysmon_apt_oceanlotus_registry.yml | 1 + .../sysmon_asep_reg_keys_modification.yml | 1 + .../sysmon_bypass_via_wsreset.yml | 1 + .../sysmon_cmstp_execution_by_registry.yml | 1 + .../sysmon_cobaltstrike_service_installs.yml | 1 + .../registry_event/sysmon_comhijack_sdclt.yml | 1 + .../registry_event/sysmon_cve_2020_1048.yml | 1 + .../registry_event/sysmon_dhcp_calloutdll.yml | 1 + ...ble_microsoft_office_security_features.yml | 1 + ...y_events_logging_adding_reg_key_minint.yml | 1 + ...ysmon_disable_wdigest_credential_guard.yml | 1 + ...twork_protection_on_microsoft_defender.yml | 1 + ...d_pua_protection_on_microsoft_defender.yml | 1 + ...amper_protection_on_microsoft_defender.yml | 1 + .../sysmon_dns_over_https_enabled.yml | 1 + ...on_enabling_cor_profiler_env_variables.yml | 1 + .../registry_event/sysmon_etw_disabled.yml | 1 + .../registry_event/sysmon_hack_wce_reg.yml | 1 + ...n_hybridconnectionmgr_svc_installation.yml | 1 + ...gon_scripts_userinitmprlogonscript_reg.yml | 1 + .../sysmon_modify_screensaver_binary_path.yml | 1 + .../sysmon_narrator_feedback_persistance.yml | 1 + .../sysmon_new_application_appcompat.yml | 1 + ..._dll_added_to_appcertdlls_registry_key.yml | 1 + ...dll_added_to_appinit_dlls_registry_key.yml | 1 + .../sysmon_office_test_regadd.yml | 1 + .../sysmon_office_vsto_persistence.yml | 1 + .../sysmon_powershell_as_service.yml | 1 + .../sysmon_rdp_registry_modification.yml | 1 + .../sysmon_rdp_settings_hijack.yml | 1 + .../sysmon_redmimicry_winnti_reg.yml | 1 + .../sysmon_reg_office_security.yml | 1 + .../sysmon_reg_silentprocessexit.yml | 1 + .../sysmon_reg_silentprocessexit_lsass.yml | 1 + .../sysmon_reg_vbs_payload_stored.yml | 1 + .../sysmon_registry_add_local_hidden_user.yml | 1 + ...ysmon_registry_persistence_key_linking.yml | 1 + ...smon_registry_persistence_search_order.yml | 1 + .../sysmon_registry_susp_printer_driver.yml | 1 + ...mon_registry_trust_record_modification.yml | 1 + .../sysmon_removal_amsi_registry_key.yml | 1 + ...mon_removal_com_hijacking_registry_key.yml | 1 + .../registry_event/sysmon_runkey_winekey.yml | 1 + .../sysmon_runonce_persistence.yml | 1 + .../sysmon_ssp_added_lsa_config.yml | 1 + .../sysmon_susp_atbroker_change.yml | 1 + .../sysmon_susp_download_run_key.yml | 1 + .../sysmon_susp_lsass_dll_load.yml | 1 + .../sysmon_susp_mic_cam_access.yml | 1 + .../sysmon_susp_reg_persist_explorer_run.yml | 1 + .../sysmon_susp_run_key_img_folder.yml | 1 + .../sysmon_susp_service_installed.yml | 1 + ...sysmon_suspicious_keyboard_layout_load.yml | 1 + ...mon_sysinternals_sdelete_registry_keys.yml | 1 + .../registry_event/sysmon_taskcache_entry.yml | 1 + .../sysmon_uac_bypass_sdclt.yml | 1 + ...sysmon_volume_shadow_copy_service_keys.yml | 1 + .../sysmon_wab_dllpath_reg_change.yml | 1 + ...smon_wdigest_enable_uselogoncredential.yml | 1 + .../sysmon_win_reg_persistence.yml | 1 + ...sysmon_win_reg_persistence_recycle_bin.yml | 1 + .../sysmon_win_reg_telemetry_persistence.yml | 1 + .../win_outlook_c2_registry_key.yml | 1 + .../win_outlook_registry_todaypage.yml | 1 + .../win_outlook_registry_webview.yml | 1 + .../win_portproxy_registry_key.yml | 1 + .../win_registry_file_association_exefile.yml | 1 + ...win_registry_mimikatz_printernightmare.yml | 1 + ..._registry_shell_open_keys_manipulation.yml | 1 + ...napi_in_powershell_credentials_dumping.yml | 1 + .../sysmon_config_modification_error.yml | 1 + .../sysmon_config_modification_status.yml | 1 + .../sysmon_dcom_iertutil_dll_hijack.yml | 1 + .../sysmon_wmi_event_subscription.yml | 1 + .../sysmon_wmi_susp_encoded_scripts.yml | 1 + .../wmi_event/sysmon_wmi_susp_scripting.yml | 1 + tools/sigmac/hayabusa.py | 190 +++++++++--------- 1087 files changed, 1186 insertions(+), 90 deletions(-) diff --git a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml index 2606218c..f95c5efa 100644 --- a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml +++ b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml index fc58977e..21db7456 100644 --- a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml +++ b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml index 14368dbb..68bea3d8 100644 --- a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml +++ b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_discovery.yml b/rules/sigma/builtin/win_account_discovery.yml index ef8b4bb5..05caa275 100644 --- a/rules/sigma/builtin/win_account_discovery.yml +++ b/rules/sigma/builtin/win_account_discovery.yml @@ -41,3 +41,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_object_writedac_access.yml b/rules/sigma/builtin/win_ad_object_writedac_access.yml index d186b4be..15733227 100644 --- a/rules/sigma/builtin/win_ad_object_writedac_access.yml +++ b/rules/sigma/builtin/win_ad_object_writedac_access.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1222 - attack.t1222.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml index 9ba3f9f4..5bd9e091 100644 --- a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml +++ b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_user_enumeration.yml b/rules/sigma/builtin/win_ad_user_enumeration.yml index e294af0b..d0b4ef44 100644 --- a/rules/sigma/builtin/win_ad_user_enumeration.yml +++ b/rules/sigma/builtin/win_ad_user_enumeration.yml @@ -32,3 +32,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml index 642fb109..8dca1652 100644 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml +++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.privilege_escalation - attack.credential_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml index b6aa5de9..13145824 100644 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml +++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.privilege_escalation - attack.credential_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_rdp_login.yml b/rules/sigma/builtin/win_admin_rdp_login.yml index 8f957093..9bfb6c01 100644 --- a/rules/sigma/builtin/win_admin_rdp_login.yml +++ b/rules/sigma/builtin/win_admin_rdp_login.yml @@ -34,3 +34,4 @@ tags: - attack.t1078.002 - attack.t1078.003 - car.2016-04-005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_share_access.yml b/rules/sigma/builtin/win_admin_share_access.yml index cc1bcf4e..b884e1fe 100644 --- a/rules/sigma/builtin/win_admin_share_access.yml +++ b/rules/sigma/builtin/win_admin_share_access.yml @@ -26,3 +26,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_active_directory_user_control.yml b/rules/sigma/builtin/win_alert_active_directory_user_control.yml index aa8c091a..882c68ea 100644 --- a/rules/sigma/builtin/win_alert_active_directory_user_control.yml +++ b/rules/sigma/builtin/win_alert_active_directory_user_control.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml index 21836995..6d556326 100644 --- a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml +++ b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml @@ -50,3 +50,4 @@ status: experimental tags: - attack.t1098 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml index ce96e227..ab6468e1 100644 --- a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml @@ -88,3 +88,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_lsass_access.yml b/rules/sigma/builtin/win_alert_lsass_access.yml index ea7e6e0b..d93aece5 100644 --- a/rules/sigma/builtin/win_alert_lsass_access.yml +++ b/rules/sigma/builtin/win_alert_lsass_access.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml index b9665fb9..f462131e 100644 --- a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml @@ -43,3 +43,4 @@ tags: - attack.t1003.004 - attack.t1003.001 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ruler.yml b/rules/sigma/builtin/win_alert_ruler.yml index 63e22a64..4aaf7869 100644 --- a/rules/sigma/builtin/win_alert_ruler.yml +++ b/rules/sigma/builtin/win_alert_ruler.yml @@ -38,3 +38,4 @@ tags: - attack.t1114 - attack.t1059 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml index 27e0f507..438305cd 100644 --- a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml +++ b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.006 - attack.t1059.007 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml index 7de917a7..4b762d27 100644 --- a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml @@ -28,3 +28,4 @@ tags: - attack.g0010 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml index 81795ac2..ec02fb45 100644 --- a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml +++ b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml @@ -39,3 +39,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml index 7712ff0e..f7d9a946 100644 --- a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml +++ b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml @@ -36,3 +36,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_gallium.yml b/rules/sigma/builtin/win_apt_gallium.yml index 3ea520f6..a85c5c9b 100644 --- a/rules/sigma/builtin/win_apt_gallium.yml +++ b/rules/sigma/builtin/win_apt_gallium.yml @@ -36,3 +36,4 @@ tags: - attack.credential_access - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_slingshot.yml b/rules/sigma/builtin/win_apt_slingshot.yml index eaf56c37..3824cb83 100644 --- a/rules/sigma/builtin/win_apt_slingshot.yml +++ b/rules/sigma/builtin/win_apt_slingshot.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1053 - attack.s0111 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_stonedrill.yml b/rules/sigma/builtin/win_apt_stonedrill.yml index 75be6807..9a58cd58 100644 --- a/rules/sigma/builtin/win_apt_stonedrill.yml +++ b/rules/sigma/builtin/win_apt_stonedrill.yml @@ -27,3 +27,4 @@ tags: - attack.g0064 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_turla_service_png.yml b/rules/sigma/builtin/win_apt_turla_service_png.yml index c53a6c1d..6d3424e9 100644 --- a/rules/sigma/builtin/win_apt_turla_service_png.yml +++ b/rules/sigma/builtin/win_apt_turla_service_png.yml @@ -25,3 +25,4 @@ tags: - attack.g0010 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_wocao.yml b/rules/sigma/builtin/win_apt_wocao.yml index 8bcc4956..75c0a3b6 100644 --- a/rules/sigma/builtin/win_apt_wocao.yml +++ b/rules/sigma/builtin/win_apt_wocao.yml @@ -35,3 +35,4 @@ tags: - attack.t1053 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index fee0c894..870ee845 100644 --- a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -32,3 +32,4 @@ tags: - attack.t1566.001 - attack.execution - attack.initial_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml index cd230cdf..966f66be 100644 --- a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml +++ b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml @@ -27,3 +27,4 @@ tags: - attack.t1218 - attack.defense_evasion - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_atsvc_task.yml b/rules/sigma/builtin/win_atsvc_task.yml index 3ff53480..e15f4db2 100644 --- a/rules/sigma/builtin/win_atsvc_task.yml +++ b/rules/sigma/builtin/win_atsvc_task.yml @@ -33,3 +33,4 @@ tags: - car.2013-05-004 - car.2015-04-001 - attack.t1053.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_audit_cve.yml b/rules/sigma/builtin/win_audit_cve.yml index 226ea2fc..e5a726e8 100644 --- a/rules/sigma/builtin/win_audit_cve.yml +++ b/rules/sigma/builtin/win_audit_cve.yml @@ -36,3 +36,4 @@ tags: - attack.t1210 - attack.impact - attack.t1499.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_av_relevant_match.yml b/rules/sigma/builtin/win_av_relevant_match.yml index 678694fd..6b50e7f4 100644 --- a/rules/sigma/builtin/win_av_relevant_match.yml +++ b/rules/sigma/builtin/win_av_relevant_match.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.resource_development - attack.t1588 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_camera_microphone_access.yml b/rules/sigma/builtin/win_camera_microphone_access.yml index 37ef15db..14f0bf85 100644 --- a/rules/sigma/builtin/win_camera_microphone_access.yml +++ b/rules/sigma/builtin/win_camera_microphone_access.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml index 16794d2a..13d65f62 100644 --- a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml @@ -46,3 +46,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml index a09fdfcf..e1b45c52 100644 --- a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml index bd963770..ad7b67a4 100644 --- a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml +++ b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1021.002 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcsync.yml b/rules/sigma/builtin/win_dcsync.yml index 1415f4f1..0486e61f 100644 --- a/rules/sigma/builtin/win_dcsync.yml +++ b/rules/sigma/builtin/win_dcsync.yml @@ -38,3 +38,4 @@ tags: - attack.s0002 - attack.t1003 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_disable_event_logging.yml b/rules/sigma/builtin/win_disable_event_logging.yml index f7f4dc13..e641c5dc 100644 --- a/rules/sigma/builtin/win_disable_event_logging.yml +++ b/rules/sigma/builtin/win_disable_event_logging.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1054 - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml index 0c80adc9..5665cfed 100644 --- a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index 8ebc6b42..2d83f8a0 100644 --- a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_etw_modification.yml b/rules/sigma/builtin/win_etw_modification.yml index 1ecdce1d..e9c22434 100644 --- a/rules/sigma/builtin/win_etw_modification.yml +++ b/rules/sigma/builtin/win_etw_modification.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_event_log_cleared.yml b/rules/sigma/builtin/win_event_log_cleared.yml index b76a87ed..13eedec4 100644 --- a/rules/sigma/builtin/win_event_log_cleared.yml +++ b/rules/sigma/builtin/win_event_log_cleared.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1107 - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exchange_transportagent.yml b/rules/sigma/builtin/win_exchange_transportagent.yml index be3d4154..45b86cf0 100644 --- a/rules/sigma/builtin/win_exchange_transportagent.yml +++ b/rules/sigma/builtin/win_exchange_transportagent.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml index 7c0b99db..50c5cb01 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -43,3 +43,4 @@ tags: - attack.execution - attack.t1569 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 74a37459..208ccbbf 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1569 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml index 0517bf55..e27b3a11 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml @@ -32,3 +32,4 @@ tags: - attack.t1569 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_external_device.yml b/rules/sigma/builtin/win_external_device.yml index 6eefe6ba..e381b4bc 100644 --- a/rules/sigma/builtin/win_external_device.yml +++ b/rules/sigma/builtin/win_external_device.yml @@ -26,3 +26,4 @@ tags: - attack.t1200 - attack.lateral_movement - attack.initial_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_global_catalog_enumeration.yml b/rules/sigma/builtin/win_global_catalog_enumeration.yml index 8d6cd9ac..4d7e1d49 100644 --- a/rules/sigma/builtin/win_global_catalog_enumeration.yml +++ b/rules/sigma/builtin/win_global_catalog_enumeration.yml @@ -31,3 +31,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_gpo_scheduledtasks.yml b/rules/sigma/builtin/win_gpo_scheduledtasks.yml index 1a920e18..b264d962 100644 --- a/rules/sigma/builtin/win_gpo_scheduledtasks.yml +++ b/rules/sigma/builtin/win_gpo_scheduledtasks.yml @@ -35,3 +35,4 @@ tags: - attack.lateral_movement - attack.t1053 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hack_smbexec.yml b/rules/sigma/builtin/win_hack_smbexec.yml index a2c20d78..99faa199 100644 --- a/rules/sigma/builtin/win_hack_smbexec.yml +++ b/rules/sigma/builtin/win_hack_smbexec.yml @@ -33,3 +33,4 @@ tags: - attack.t1021.002 - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hidden_user_creation.yml b/rules/sigma/builtin/win_hidden_user_creation.yml index fb45ac19..526c96dd 100644 --- a/rules/sigma/builtin/win_hidden_user_creation.yml +++ b/rules/sigma/builtin/win_hidden_user_creation.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml index 114e9c62..747f4c44 100644 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml +++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml index 7ae7232e..e1baa865 100644 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml +++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_psexec.yml b/rules/sigma/builtin/win_impacket_psexec.yml index 69ef7dd7..2ae66da8 100644 --- a/rules/sigma/builtin/win_impacket_psexec.yml +++ b/rules/sigma/builtin/win_impacket_psexec.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_secretdump.yml b/rules/sigma/builtin/win_impacket_secretdump.yml index ceeed743..702db365 100644 --- a/rules/sigma/builtin/win_impacket_secretdump.yml +++ b/rules/sigma/builtin/win_impacket_secretdump.yml @@ -32,3 +32,4 @@ tags: - attack.t1003.002 - attack.t1003.004 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml index 8d0a93a9..3708781f 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml index 482b842d..8dede200 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index 42d9636b..fa8d939f 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 150d48ff..f833b779 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml index c60be129..7fbb3b31 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml index c8cf3603..a92fbad5 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml index d95a8dbe..b4e189fb 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml index f07168f1..9882cbdf 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml index a581eb99..d5ca47b4 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml index 7c92c4db..d667dba5 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml index 87b33028..01ab25fd 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml index 381f2ff6..0ba84a39 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml index 2525c04a..89378b77 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml index 2ac6c448..bd8b9f94 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml index aff3bd8b..3ec75741 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml index 6147cc92..aecd5454 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 741f0654..ed66aa8e 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml index 80ae5c5e..7ccc780b 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 639bbc88..b51c72f8 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml index 7d5b1b16..750beec7 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml index 42ae63e1..80b11728 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml index 8aa3705b..a639a197 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_iso_mount.yml b/rules/sigma/builtin/win_iso_mount.yml index 1b61e18c..26102f86 100644 --- a/rules/sigma/builtin/win_iso_mount.yml +++ b/rules/sigma/builtin/win_iso_mount.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.initial_access - attack.t1566.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lm_namedpipe.yml b/rules/sigma/builtin/win_lm_namedpipe.yml index 5391ab75..5075f9fc 100644 --- a/rules/sigma/builtin/win_lm_namedpipe.yml +++ b/rules/sigma/builtin/win_lm_namedpipe.yml @@ -51,3 +51,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml index c2434bb1..a87f181a 100644 --- a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml +++ b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml @@ -32,3 +32,4 @@ tags: - attack.t1482 - attack.t1018 - attack.t1016 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lsass_access_non_system_account.yml b/rules/sigma/builtin/win_lsass_access_non_system_account.yml index bff50322..87e87b3d 100644 --- a/rules/sigma/builtin/win_lsass_access_non_system_account.yml +++ b/rules/sigma/builtin/win_lsass_access_non_system_account.yml @@ -67,3 +67,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_creddumper.yml b/rules/sigma/builtin/win_mal_creddumper.yml index 0daf1500..e9f4807a 100644 --- a/rules/sigma/builtin/win_mal_creddumper.yml +++ b/rules/sigma/builtin/win_mal_creddumper.yml @@ -40,3 +40,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_wceaux_dll.yml b/rules/sigma/builtin/win_mal_wceaux_dll.yml index 9350fc66..45c1eb04 100644 --- a/rules/sigma/builtin/win_mal_wceaux_dll.yml +++ b/rules/sigma/builtin/win_mal_wceaux_dll.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1003 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_metasploit_authentication.yml b/rules/sigma/builtin/win_metasploit_authentication.yml index 9f778c97..a1d7f3a3 100644 --- a/rules/sigma/builtin/win_metasploit_authentication.yml +++ b/rules/sigma/builtin/win_metasploit_authentication.yml @@ -37,3 +37,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index fa8bd1b4..eec1f046 100644 --- a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -63,3 +63,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mmc20_lateral_movement.yml b/rules/sigma/builtin/win_mmc20_lateral_movement.yml index c9e5c481..59d719b3 100644 --- a/rules/sigma/builtin/win_mmc20_lateral_movement.yml +++ b/rules/sigma/builtin/win_mmc20_lateral_movement.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1175 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_moriya_rootkit.yml b/rules/sigma/builtin/win_moriya_rootkit.yml index de950763..d7ceedf2 100644 --- a/rules/sigma/builtin/win_moriya_rootkit.yml +++ b/rules/sigma/builtin/win_moriya_rootkit.yml @@ -25,3 +25,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_ntlm_downgrade.yml b/rules/sigma/builtin/win_net_ntlm_downgrade.yml index 40f423fd..31b36e4b 100644 --- a/rules/sigma/builtin/win_net_ntlm_downgrade.yml +++ b/rules/sigma/builtin/win_net_ntlm_downgrade.yml @@ -38,3 +38,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_use_admin_share.yml b/rules/sigma/builtin/win_net_use_admin_share.yml index 27179c34..29ad7473 100644 --- a/rules/sigma/builtin/win_net_use_admin_share.yml +++ b/rules/sigma/builtin/win_net_use_admin_share.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index e4ddbbc5..594e73f1 100644 --- a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_not_allowed_rdp_access.yml b/rules/sigma/builtin/win_not_allowed_rdp_access.yml index f9eb2008..1d79dbb4 100644 --- a/rules/sigma/builtin/win_not_allowed_rdp_access.yml +++ b/rules/sigma/builtin/win_not_allowed_rdp_access.yml @@ -28,3 +28,4 @@ tags: - attack.lateral_movement - attack.t1076 - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml index 41f87cd5..519b471e 100644 --- a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml +++ b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.impact - attack.t1499.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_overpass_the_hash.yml b/rules/sigma/builtin/win_overpass_the_hash.yml index 46bb891e..6681cb74 100644 --- a/rules/sigma/builtin/win_overpass_the_hash.yml +++ b/rules/sigma/builtin/win_overpass_the_hash.yml @@ -29,3 +29,4 @@ tags: - attack.t1075 - attack.s0002 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash.yml b/rules/sigma/builtin/win_pass_the_hash.yml index 5585185a..c9549334 100644 --- a/rules/sigma/builtin/win_pass_the_hash.yml +++ b/rules/sigma/builtin/win_pass_the_hash.yml @@ -40,3 +40,4 @@ tags: - attack.t1075 - car.2016-04-004 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash_2.yml b/rules/sigma/builtin/win_pass_the_hash_2.yml index 42f919b9..2cce718f 100644 --- a/rules/sigma/builtin/win_pass_the_hash_2.yml +++ b/rules/sigma/builtin/win_pass_the_hash_2.yml @@ -42,3 +42,4 @@ tags: - attack.lateral_movement - attack.t1075 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_network_share.yml b/rules/sigma/builtin/win_petitpotam_network_share.yml index 455e9744..7c6c8a7e 100644 --- a/rules/sigma/builtin/win_petitpotam_network_share.yml +++ b/rules/sigma/builtin/win_petitpotam_network_share.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.credential_access - attack.t1187 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml index 579882d1..0bf1ffbc 100644 --- a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.credential_access - attack.t1187 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_possible_dc_shadow.yml b/rules/sigma/builtin/win_possible_dc_shadow.yml index db7a1ae2..698d33a8 100644 --- a/rules/sigma/builtin/win_possible_dc_shadow.yml +++ b/rules/sigma/builtin/win_possible_dc_shadow.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1207 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml index bb086901..0f2671e9 100644 --- a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml index d3a1e278..1cacfe12 100644 --- a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml +++ b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1068 - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_protected_storage_service_access.yml b/rules/sigma/builtin/win_protected_storage_service_access.yml index 9caec014..1fbee11a 100644 --- a/rules/sigma/builtin/win_protected_storage_service_access.yml +++ b/rules/sigma/builtin/win_protected_storage_service_access.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1021 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml index 56adafad..9c1364aa 100644 --- a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml @@ -24,3 +24,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_schtasks_creations.yml b/rules/sigma/builtin/win_rare_schtasks_creations.yml index 97b16991..2453fd24 100644 --- a/rules/sigma/builtin/win_rare_schtasks_creations.yml +++ b/rules/sigma/builtin/win_rare_schtasks_creations.yml @@ -29,3 +29,4 @@ tags: - attack.t1053 - car.2013-08-001 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_service_installs.yml b/rules/sigma/builtin/win_rare_service_installs.yml index e1906682..956abf96 100644 --- a/rules/sigma/builtin/win_rare_service_installs.yml +++ b/rules/sigma/builtin/win_rare_service_installs.yml @@ -24,3 +24,4 @@ tags: - attack.t1050 - car.2013-09-005 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml index 5b944042..8c6ee0a1 100644 --- a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml +++ b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml @@ -26,3 +26,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_localhost_login.yml b/rules/sigma/builtin/win_rdp_localhost_login.yml index a5b60e50..e0b37345 100644 --- a/rules/sigma/builtin/win_rdp_localhost_login.yml +++ b/rules/sigma/builtin/win_rdp_localhost_login.yml @@ -29,3 +29,4 @@ tags: - attack.t1076 - car.2013-07-002 - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml index 6e2c3e2c..c502101c 100644 --- a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml +++ b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml index 1b63af63..64eb9646 100644 --- a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml +++ b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml @@ -42,3 +42,4 @@ tags: - attack.t1090.002 - attack.t1021.001 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml index f13755a6..33858382 100644 --- a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml @@ -25,3 +25,4 @@ tags: - attack.privilege_escalation - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_powershell_session.yml b/rules/sigma/builtin/win_remote_powershell_session.yml index 05c1f437..0abee6a5 100644 --- a/rules/sigma/builtin/win_remote_powershell_session.yml +++ b/rules/sigma/builtin/win_remote_powershell_session.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml index 6035d21a..64260e10 100644 --- a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml +++ b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1552.002 - attack.s0075 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_root_certificate_installed.yml b/rules/sigma/builtin/win_root_certificate_installed.yml index f40b81f4..c6afd974 100644 --- a/rules/sigma/builtin/win_root_certificate_installed.yml +++ b/rules/sigma/builtin/win_root_certificate_installed.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1553.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml index 98d776d2..01917a8b 100644 --- a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml +++ b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml @@ -33,3 +33,4 @@ tags: - attack.t1012 - attack.credential_access - attack.t1552.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scheduled_task_deletion.yml b/rules/sigma/builtin/win_scheduled_task_deletion.yml index dc7c8d05..20e4b058 100644 --- a/rules/sigma/builtin/win_scheduled_task_deletion.yml +++ b/rules/sigma/builtin/win_scheduled_task_deletion.yml @@ -29,3 +29,4 @@ tags: - attack.t1053 - car.2013-08-001 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_handle_failure.yml b/rules/sigma/builtin/win_scm_database_handle_failure.yml index c890dded..110c061d 100644 --- a/rules/sigma/builtin/win_scm_database_handle_failure.yml +++ b/rules/sigma/builtin/win_scm_database_handle_failure.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.discovery - attack.t1010 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_privileged_operation.yml b/rules/sigma/builtin/win_scm_database_privileged_operation.yml index 7224c518..568020cb 100644 --- a/rules/sigma/builtin/win_scm_database_privileged_operation.yml +++ b/rules/sigma/builtin/win_scm_database_privileged_operation.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml index 9bbff293..8c3cde51 100644 --- a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml +++ b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml index af1ea237..4fd129a9 100644 --- a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml +++ b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml @@ -49,3 +49,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_creddumper.yml b/rules/sigma/builtin/win_security_mal_creddumper.yml index a18266fa..25aa5e17 100644 --- a/rules/sigma/builtin/win_security_mal_creddumper.yml +++ b/rules/sigma/builtin/win_security_mal_creddumper.yml @@ -43,3 +43,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_service_installs.yml b/rules/sigma/builtin/win_security_mal_service_installs.yml index a8483148..c5ce8b1c 100644 --- a/rules/sigma/builtin/win_security_mal_service_installs.yml +++ b/rules/sigma/builtin/win_security_mal_service_installs.yml @@ -35,3 +35,4 @@ tags: - car.2013-09-005 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index cb99ab46..38e48d2a 100644 --- a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -46,3 +46,4 @@ tags: - attack.t1570 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index dd86fbb6..12376834 100644 --- a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -66,3 +66,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml index 435c6e13..5ba61d36 100644 --- a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml +++ b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_tap_driver_installation.yml b/rules/sigma/builtin/win_security_tap_driver_installation.yml index 9aea52b1..c70dae79 100644 --- a/rules/sigma/builtin/win_security_tap_driver_installation.yml +++ b/rules/sigma/builtin/win_security_tap_driver_installation.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml index b417272d..9e2a8e04 100644 --- a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml +++ b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml index 6c275f44..9c708842 100644 --- a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml +++ b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml index f8f004b7..9387fcbf 100644 --- a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml +++ b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml @@ -25,3 +25,4 @@ references: status: experimental tags: - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_domain_trust.yml b/rules/sigma/builtin/win_susp_add_domain_trust.yml index 7e2fc5b4..9df063a5 100644 --- a/rules/sigma/builtin/win_susp_add_domain_trust.yml +++ b/rules/sigma/builtin/win_susp_add_domain_trust.yml @@ -18,3 +18,4 @@ status: stable tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_sid_history.yml b/rules/sigma/builtin/win_susp_add_sid_history.yml index 38e6f1df..4350892f 100644 --- a/rules/sigma/builtin/win_susp_add_sid_history.yml +++ b/rules/sigma/builtin/win_susp_add_sid_history.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.t1178 - attack.t1134.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_backup_delete.yml b/rules/sigma/builtin/win_susp_backup_delete.yml index a3f5d27f..2faf96f1 100644 --- a/rules/sigma/builtin/win_susp_backup_delete.yml +++ b/rules/sigma/builtin/win_susp_backup_delete.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.t1107 - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml index 70384e41..ba6e3a58 100644 --- a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml +++ b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml @@ -22,3 +22,4 @@ tags: - attack.defense_evasion - attack.t1009 - attack.t1027.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config.yml b/rules/sigma/builtin/win_susp_dhcp_config.yml index d9135256..b2720813 100644 --- a/rules/sigma/builtin/win_susp_dhcp_config.yml +++ b/rules/sigma/builtin/win_susp_dhcp_config.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml index af2086ef..70697751 100644 --- a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dns_config.yml b/rules/sigma/builtin/win_susp_dns_config.yml index 6aaa09e1..91810c41 100644 --- a/rules/sigma/builtin/win_susp_dns_config.yml +++ b/rules/sigma/builtin/win_susp_dns_config.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dsrm_password_change.yml b/rules/sigma/builtin/win_susp_dsrm_password_change.yml index 01ce1c2c..95ff1bb3 100644 --- a/rules/sigma/builtin/win_susp_dsrm_password_change.yml +++ b/rules/sigma/builtin/win_susp_dsrm_password_change.yml @@ -22,3 +22,4 @@ status: stable tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_susp_eventlog_cleared.yml index 00fcfea1..8309611a 100644 --- a/rules/sigma/builtin/win_susp_eventlog_cleared.yml +++ b/rules/sigma/builtin/win_susp_eventlog_cleared.yml @@ -34,3 +34,4 @@ tags: - attack.t1070 - attack.t1070.001 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_guest_logon.yml b/rules/sigma/builtin/win_susp_failed_guest_logon.yml index 349fe587..e44823b4 100644 --- a/rules/sigma/builtin/win_susp_failed_guest_logon.yml +++ b/rules/sigma/builtin/win_susp_failed_guest_logon.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.credential_access - attack.t1110.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml index 744ce243..2b41b9fd 100644 --- a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml @@ -38,3 +38,4 @@ tags: - attack.privilege_escalation - attack.initial_access - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_source.yml b/rules/sigma/builtin/win_susp_failed_logon_source.yml index 0b238313..51d806bd 100644 --- a/rules/sigma/builtin/win_susp_failed_logon_source.yml +++ b/rules/sigma/builtin/win_susp_failed_logon_source.yml @@ -54,3 +54,4 @@ tags: - attack.t1078 - attack.t1190 - attack.t1133 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml index 3e60d865..b5198853 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml @@ -26,3 +26,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml index 76bdeea8..9c43959b 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml index 86a08baa..8e6d1d1b 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml index b022c620..2f5be1ee 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml @@ -32,3 +32,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml index 6ff18ae6..85f238bc 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml index 303512c6..3efef0e8 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml index 9915f931..ad15a8cb 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml index 40acd762..f7efc427 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml index a5be7cdd..c51d606e 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml index 490cc94e..8002f8f7 100644 --- a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml +++ b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_interactive_logons.yml b/rules/sigma/builtin/win_susp_interactive_logons.yml index 0d308e00..c0f6713d 100644 --- a/rules/sigma/builtin/win_susp_interactive_logons.yml +++ b/rules/sigma/builtin/win_susp_interactive_logons.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml index 257da46c..84a40a82 100644 --- a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml @@ -57,3 +57,4 @@ status: experimental tags: - attack.credential_access - attack.t1212 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml index 666a893b..ff34fef6 100644 --- a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml +++ b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml @@ -33,3 +33,4 @@ tags: - attack.t1071 - attack.t1001.003 - attack.command_and_control +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml index be0b662d..9d4d3d4f 100644 --- a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml +++ b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml @@ -29,3 +29,4 @@ tags: - attack.t1136 - attack.t1136.001 - attack.t1136.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml index 9d657508..3cdfaa0f 100644 --- a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.t1078 - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump.yml b/rules/sigma/builtin/win_susp_lsass_dump.yml index d30ba662..72a5f42b 100644 --- a/rules/sigma/builtin/win_susp_lsass_dump.yml +++ b/rules/sigma/builtin/win_susp_lsass_dump.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml index f87c18c4..ff536f86 100644 --- a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml @@ -82,3 +82,4 @@ tags: - attack.t1003 - car.2019-04-004 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_mshta_execution.yml b/rules/sigma/builtin/win_susp_mshta_execution.yml index 6dbd6bb3..d18df3fa 100644 --- a/rules/sigma/builtin/win_susp_mshta_execution.yml +++ b/rules/sigma/builtin/win_susp_mshta_execution.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_msmpeng_crash.yml b/rules/sigma/builtin/win_susp_msmpeng_crash.yml index 91009cde..83a03004 100644 --- a/rules/sigma/builtin/win_susp_msmpeng_crash.yml +++ b/rules/sigma/builtin/win_susp_msmpeng_crash.yml @@ -36,3 +36,4 @@ tags: - attack.t1089 - attack.t1211 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml index e732c2f8..2c7e5f3b 100644 --- a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_net_recon_activity.yml b/rules/sigma/builtin/win_susp_net_recon_activity.yml index 7a2687a5..a6a1ff0d 100644 --- a/rules/sigma/builtin/win_susp_net_recon_activity.yml +++ b/rules/sigma/builtin/win_susp_net_recon_activity.yml @@ -43,3 +43,4 @@ tags: - attack.t1069 - attack.t1069.002 - attack.s0039 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_auth.yml b/rules/sigma/builtin/win_susp_ntlm_auth.yml index 9f5eff83..a86566f9 100644 --- a/rules/sigma/builtin/win_susp_ntlm_auth.yml +++ b/rules/sigma/builtin/win_susp_ntlm_auth.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1075 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_rdp.yml b/rules/sigma/builtin/win_susp_ntlm_rdp.yml index 8cc21ffe..0d7a6604 100644 --- a/rules/sigma/builtin/win_susp_ntlm_rdp.yml +++ b/rules/sigma/builtin/win_susp_ntlm_rdp.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_proceshacker.yml b/rules/sigma/builtin/win_susp_proceshacker.yml index fb6be0ce..1fe43beb 100644 --- a/rules/sigma/builtin/win_susp_proceshacker.yml +++ b/rules/sigma/builtin/win_susp_proceshacker.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_psexec.yml b/rules/sigma/builtin/win_susp_psexec.yml index 874f6f18..2d651b26 100644 --- a/rules/sigma/builtin/win_susp_psexec.yml +++ b/rules/sigma/builtin/win_susp_psexec.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml index 60daafde..b70fac83 100644 --- a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml +++ b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.collection - attack.t1039 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rc4_kerberos.yml b/rules/sigma/builtin/win_susp_rc4_kerberos.yml index c556f550..1da55067 100644 --- a/rules/sigma/builtin/win_susp_rc4_kerberos.yml +++ b/rules/sigma/builtin/win_susp_rc4_kerberos.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rottenpotato.yml b/rules/sigma/builtin/win_susp_rottenpotato.yml index 22ba93aa..aee0c95d 100644 --- a/rules/sigma/builtin/win_susp_rottenpotato.yml +++ b/rules/sigma/builtin/win_susp_rottenpotato.yml @@ -32,3 +32,4 @@ tags: - attack.credential_access - attack.t1171 - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sam_dump.yml b/rules/sigma/builtin/win_susp_sam_dump.yml index 196f3b60..c2a0a130 100644 --- a/rules/sigma/builtin/win_susp_sam_dump.yml +++ b/rules/sigma/builtin/win_susp_sam_dump.yml @@ -25,3 +25,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sdelete.yml b/rules/sigma/builtin/win_susp_sdelete.yml index 1495d239..eca49526 100644 --- a/rules/sigma/builtin/win_susp_sdelete.yml +++ b/rules/sigma/builtin/win_susp_sdelete.yml @@ -38,3 +38,4 @@ tags: - attack.t1485 - attack.t1553.002 - attack.s0195 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_time_modification.yml b/rules/sigma/builtin/win_susp_time_modification.yml index 3fdcf5fd..abeb35b5 100644 --- a/rules/sigma/builtin/win_susp_time_modification.yml +++ b/rules/sigma/builtin/win_susp_time_modification.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1099 - attack.t1070.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_wmi_login.yml b/rules/sigma/builtin/win_susp_wmi_login.yml index f71228a1..af31284e 100644 --- a/rules/sigma/builtin/win_susp_wmi_login.yml +++ b/rules/sigma/builtin/win_susp_wmi_login.yml @@ -21,3 +21,4 @@ status: stable tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml index 04dcba2f..e9d683d5 100644 --- a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_svcctl_remote_service.yml b/rules/sigma/builtin/win_svcctl_remote_service.yml index a02dadc2..de4e3024 100644 --- a/rules/sigma/builtin/win_svcctl_remote_service.yml +++ b/rules/sigma/builtin/win_svcctl_remote_service.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_syskey_registry_access.yml b/rules/sigma/builtin/win_syskey_registry_access.yml index a03abe07..09270214 100644 --- a/rules/sigma/builtin/win_syskey_registry_access.yml +++ b/rules/sigma/builtin/win_syskey_registry_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml index 2e5ec716..d0c57140 100644 --- a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml +++ b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml index 1556a183..56c69cef 100644 --- a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml +++ b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml @@ -34,3 +34,4 @@ tags: - attack.t1070 - attack.t1070.001 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_tap_driver_installation.yml b/rules/sigma/builtin/win_tap_driver_installation.yml index 913ab312..0daf9eaa 100644 --- a/rules/sigma/builtin/win_tap_driver_installation.yml +++ b/rules/sigma/builtin/win_tap_driver_installation.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 47dc4116..556771b6 100644 --- a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -34,3 +34,4 @@ tags: - attack.t1003.002 - attack.t1003.001 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_usb_device_plugged.yml b/rules/sigma/builtin/win_usb_device_plugged.yml index 24d35c90..23f93a97 100644 --- a/rules/sigma/builtin/win_usb_device_plugged.yml +++ b/rules/sigma/builtin/win_usb_device_plugged.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.initial_access - attack.t1200 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/win_user_added_to_local_administrators.yml index 0ba30fcc..4fe138b6 100644 --- a/rules/sigma/builtin/win_user_added_to_local_administrators.yml +++ b/rules/sigma/builtin/win_user_added_to_local_administrators.yml @@ -28,3 +28,4 @@ tags: - attack.t1078 - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 0fbf2966..92b07a83 100644 --- a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_creation.yml b/rules/sigma/builtin/win_user_creation.yml index c0bd2f4c..aaa45500 100644 --- a/rules/sigma/builtin/win_user_creation.yml +++ b/rules/sigma/builtin/win_user_creation.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1136 - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_driver_loaded.yml b/rules/sigma/builtin/win_user_driver_loaded.yml index b98aef90..951db50a 100644 --- a/rules/sigma/builtin/win_user_driver_loaded.yml +++ b/rules/sigma/builtin/win_user_driver_loaded.yml @@ -49,3 +49,4 @@ tags: - attack.t1089 - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml index cbd86f44..5aec87e1 100644 --- a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml +++ b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml index 24a406e8..80f1cca6 100644 --- a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml +++ b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_0688.yml b/rules/sigma/builtin/win_vul_cve_2020_0688.yml index 9575b497..b8960b6d 100644 --- a/rules/sigma/builtin/win_vul_cve_2020_0688.yml +++ b/rules/sigma/builtin/win_vul_cve_2020_0688.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.initial_access - attack.t1190 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_1472.yml b/rules/sigma/builtin/win_vul_cve_2020_1472.yml index 52d09c8d..7b73408e 100644 --- a/rules/sigma/builtin/win_vul_cve_2020_1472.yml +++ b/rules/sigma/builtin/win_vul_cve_2020_1472.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml index d31eb0df..3278229c 100644 --- a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml @@ -27,3 +27,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml index 23817bfb..75c2655a 100644 --- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml +++ b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml @@ -39,3 +39,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index b67031bd..4e260051 100644 --- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index 981bc40e..aac6829d 100644 --- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml index fa0f2607..9c56270b 100644 --- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml +++ b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml @@ -30,3 +30,4 @@ tags: - attack.t1003 - attack.s0005 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml index 3c080014..5a3396c2 100644 --- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml index 4430c13a..65c06f01 100644 --- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml @@ -29,3 +29,4 @@ tags: - attack.t1218.011 - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml index f0402ae0..62d05fa3 100644 --- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml @@ -86,3 +86,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml index 85044cb1..cf32a722 100644 --- a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml +++ b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml @@ -32,3 +32,4 @@ tags: - attack.t1027 - attack.s0139 - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml index 8df65a8e..9e3a7b40 100644 --- a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml index d770ad26..061ce08f 100644 --- a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml +++ b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml @@ -32,3 +32,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_susp_ipify.yml b/rules/sigma/dns_query/dns_net_susp_ipify.yml index cb5dcf49..6c6a7533 100644 --- a/rules/sigma/dns_query/dns_net_susp_ipify.yml +++ b/rules/sigma/dns_query/dns_net_susp_ipify.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.reconnaissance - attack.t1590 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml index c7d02945..098f6e01 100644 --- a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml +++ b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_mega_nz.yml b/rules/sigma/dns_query/dns_query_mega_nz.yml index de60de21..d0ae8a7b 100644 --- a/rules/sigma/dns_query/dns_query_mega_nz.yml +++ b/rules/sigma/dns_query/dns_query_mega_nz.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml index 3e706528..f45dd33d 100644 --- a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml +++ b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml @@ -73,3 +73,4 @@ status: experimental tags: - attack.initial_access - attack.t1189 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml index 3ead6e60..399f4c18 100644 --- a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml +++ b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/driver_load/driver_load_mal_creddumper.yml index 41e0386b..be4611a2 100644 --- a/rules/sigma/driver_load/driver_load_mal_creddumper.yml +++ b/rules/sigma/driver_load/driver_load_mal_creddumper.yml @@ -43,3 +43,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 34625e24..c3a686f5 100644 --- a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -66,3 +66,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml index a2f2f2e3..2d4eff19 100644 --- a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml +++ b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/driver_load/driver_load_susp_temp_use.yml index 5f647cad..3c95b5ba 100644 --- a/rules/sigma/driver_load/driver_load_susp_temp_use.yml +++ b/rules/sigma/driver_load/driver_load_susp_temp_use.yml @@ -23,3 +23,4 @@ tags: - attack.privilege_escalation - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml index 7e129f9e..1afc0de5 100644 --- a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml +++ b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - cve.2021.21551 - attack.t1543 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_windivert.yml b/rules/sigma/driver_load/driver_load_windivert.yml index 202a4b63..bbd6699d 100644 --- a/rules/sigma/driver_load/driver_load_windivert.yml +++ b/rules/sigma/driver_load/driver_load_windivert.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1599.001 - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/edr/edr_command_execution_by_office_applications.yml b/rules/sigma/edr/edr_command_execution_by_office_applications.yml index a00d36a0..aaa27e57 100644 --- a/rules/sigma/edr/edr_command_execution_by_office_applications.yml +++ b/rules/sigma/edr/edr_command_execution_by_office_applications.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/file_delete/sysmon_delete_prefetch.yml index 6ba6585f..ad26aa1a 100644 --- a/rules/sigma/file_delete/sysmon_delete_prefetch.yml +++ b/rules/sigma/file_delete/sysmon_delete_prefetch.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml index f002c41d..09e8b1ac 100644 --- a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml +++ b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml index 0f4cea05..2f9f5720 100644 --- a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.t1574 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml index 9cefb6c6..5e595fd6 100644 --- a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml +++ b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.discovery - attack.t1046 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml index 89c748bd..d6f8fd79 100644 --- a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml +++ b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index 67caf167..d5138819 100644 --- a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -38,3 +38,4 @@ tags: - attack.t1203 - cve.2021.33771 - cve.2021.31979 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hack_dumpert.yml b/rules/sigma/file_event/file_event_hack_dumpert.yml index b777829b..7b10aec1 100644 --- a/rules/sigma/file_event/file_event_hack_dumpert.yml +++ b/rules/sigma/file_event/file_event_hack_dumpert.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hktl_createminidump.yml b/rules/sigma/file_event/file_event_hktl_createminidump.yml index caaac0fe..759c245f 100644 --- a/rules/sigma/file_event/file_event_hktl_createminidump.yml +++ b/rules/sigma/file_event/file_event_hktl_createminidump.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_lsass_dump.yml b/rules/sigma/file_event/file_event_lsass_dump.yml index eefbce4f..f8a18a0b 100644 --- a/rules/sigma/file_event/file_event_lsass_dump.yml +++ b/rules/sigma/file_event/file_event_lsass_dump.yml @@ -35,3 +35,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_adwind.yml b/rules/sigma/file_event/file_event_mal_adwind.yml index 640f36e3..89d02db2 100644 --- a/rules/sigma/file_event/file_event_mal_adwind.yml +++ b/rules/sigma/file_event/file_event_mal_adwind.yml @@ -33,3 +33,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_vhd_download.yml b/rules/sigma/file_event/file_event_mal_vhd_download.yml index cc3e37b0..d52d9515 100644 --- a/rules/sigma/file_event/file_event_mal_vhd_download.yml +++ b/rules/sigma/file_event/file_event_mal_vhd_download.yml @@ -38,3 +38,4 @@ status: test tags: - attack.resource_development - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml index db212b1f..dc9d26df 100644 --- a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml +++ b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -23,3 +23,4 @@ status: test tags: - attack.credential_access - attack.t1558 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_moriya_rootkit.yml b/rules/sigma/file_event/file_event_moriya_rootkit.yml index b01ef6ea..3f7ba19a 100644 --- a/rules/sigma/file_event/file_event_moriya_rootkit.yml +++ b/rules/sigma/file_event/file_event_moriya_rootkit.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_pingback_backdoor.yml b/rules/sigma/file_event/file_event_pingback_backdoor.yml index de05302b..8b387765 100644 --- a/rules/sigma/file_event/file_event_pingback_backdoor.yml +++ b/rules/sigma/file_event/file_event_pingback_backdoor.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml index 21100bbd..cf7d60b7 100644 --- a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml @@ -44,3 +44,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_susp_task_write.yml b/rules/sigma/file_event/file_event_susp_task_write.yml index 729734d2..5429a0cf 100644 --- a/rules/sigma/file_event/file_event_susp_task_write.yml +++ b/rules/sigma/file_event/file_event_susp_task_write.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.execution - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_tool_psexec.yml b/rules/sigma/file_event/file_event_tool_psexec.yml index 004327bb..f5a257b3 100644 --- a/rules/sigma/file_event/file_event_tool_psexec.yml +++ b/rules/sigma/file_event/file_event_tool_psexec.yml @@ -38,3 +38,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml index 0866da20..81183bbd 100644 --- a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml +++ b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml index cdbae4e8..d5ca7ab4 100644 --- a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml +++ b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml index b93b9117..e442758a 100644 --- a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml +++ b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml @@ -47,3 +47,4 @@ logsource: references: - No references status: experimental +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml index 6add2daf..8d003e2a 100644 --- a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml +++ b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml index 30783eb6..a6f4e9a5 100644 --- a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml @@ -28,3 +28,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_creation_system_file.yml b/rules/sigma/file_event/sysmon_creation_system_file.yml index aa8389f4..fca4521b 100644 --- a/rules/sigma/file_event/sysmon_creation_system_file.yml +++ b/rules/sigma/file_event/sysmon_creation_system_file.yml @@ -65,3 +65,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml index 189b3f81..cf546df7 100644 --- a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml +++ b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml @@ -55,3 +55,4 @@ tags: - attack.t1003.003 - attack.t1003.004 - attack.t1003.005 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml index 99213c30..1a282c20 100644 --- a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -36,3 +36,4 @@ tags: - attack.t1203 - attack.execution - cve.2021.26858 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml index 1a080745..a66f5b02 100644 --- a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml index 4829dfc3..ace295fb 100644 --- a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml +++ b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml @@ -24,3 +24,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml index ff534e89..9d54ad3e 100644 --- a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml @@ -32,3 +32,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_office_persistence.yml b/rules/sigma/file_event/sysmon_office_persistence.yml index 09b9e6de..afa4c9dc 100644 --- a/rules/sigma/file_event/sysmon_office_persistence.yml +++ b/rules/sigma/file_event/sysmon_office_persistence.yml @@ -38,3 +38,4 @@ tags: - attack.persistence - attack.t1137 - attack.t1137.006 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_outlook_newform.yml b/rules/sigma/file_event/sysmon_outlook_newform.yml index bed12314..94b0b8dd 100644 --- a/rules/sigma/file_event/sysmon_outlook_newform.yml +++ b/rules/sigma/file_event/sysmon_outlook_newform.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1137.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml index a700c4bc..2bee4489 100644 --- a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml +++ b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml index 4d8625cd..9c9acc39 100644 --- a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml +++ b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml @@ -118,3 +118,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml index 975db71f..d8f3f241 100644 --- a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml +++ b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.registry_run_keys_/_startup_folder - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml index 59631cad..0d7e58b5 100644 --- a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml +++ b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml index 27dbef75..7144b964 100644 --- a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml index c95ceaf6..474f4758 100644 --- a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml +++ b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml index 2192a92f..36e1cb6c 100644 --- a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml @@ -37,3 +37,4 @@ tags: - attack.t1071 - attack.t1001.003 - attack.command_and_control +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/file_event/sysmon_susp_clr_logs.yml index 51f891cf..cff06d72 100644 --- a/rules/sigma/file_event/sysmon_susp_clr_logs.yml +++ b/rules/sigma/file_event/sysmon_susp_clr_logs.yml @@ -42,3 +42,4 @@ tags: - attack.defense_evasion - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml index 1aa2c2c3..8269eafd 100644 --- a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml +++ b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1023 - attack.t1547.009 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml index 69228b11..71481373 100644 --- a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index efb44c6c..22e29910 100644 --- a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -36,3 +36,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml index 08781f7b..9f340600 100644 --- a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml +++ b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.013 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml index 2dc971d9..112ec4af 100644 --- a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml index 6fff1ce4..4b4354b6 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml index 9bae5cc2..0754223c 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml index 04172c32..9676afb4 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml index 9d470fc6..ff744dca 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml index db909df0..de79c275 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml index ce9784b2..40389d2e 100644 --- a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml +++ b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml @@ -57,3 +57,4 @@ tags: - attack.persistence - attack.t1100 - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml index bb1d6f8c..48e26ae1 100644 --- a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml +++ b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml @@ -24,3 +24,4 @@ tags: - attack.t1084 - attack.t1546.003 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml index bf66f0c7..51720d15 100644 --- a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml @@ -34,3 +34,4 @@ tags: - attack.resource_development - attack.t1587 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml index 68edbc2b..5042704f 100644 --- a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.resource_development - attack.t1587 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/file_event/win_hivenightmare_file_exports.yml index 82bd22cf..6d80bb79 100644 --- a/rules/sigma/file_event/win_hivenightmare_file_exports.yml +++ b/rules/sigma/file_event/win_hivenightmare_file_exports.yml @@ -37,3 +37,4 @@ tags: - attack.credential_access - attack.t1552.001 - cve.2021.36934 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml index dec1443e..d9f6f964 100644 --- a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml @@ -27,3 +27,4 @@ tags: - attack.t1137 - attack.t1008 - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_rclone_exec_file.yml b/rules/sigma/file_event/win_rclone_exec_file.yml index 2213fef9..1455ae44 100644 --- a/rules/sigma/file_event/win_rclone_exec_file.yml +++ b/rules/sigma/file_event/win_rclone_exec_file.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml index 12ada67a..ec85a436 100644 --- a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml +++ b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_pingback_backdoor.yml b/rules/sigma/image_load/image_load_pingback_backdoor.yml index df069556..a9f33802 100644 --- a/rules/sigma/image_load/image_load_pingback_backdoor.yml +++ b/rules/sigma/image_load/image_load_pingback_backdoor.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml index c9136ff8..cc88231c 100644 --- a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 9f934c89..f533e5fb 100644 --- a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -28,3 +28,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml index 434af1a5..95031338 100644 --- a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml +++ b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1218 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml index 7873f0f6..2b9dcdbc 100644 --- a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml +++ b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml @@ -35,3 +35,4 @@ tags: - attack.privilege_escalation - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 73c7ca5e..cd4202f9 100644 --- a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml index 370faf5a..ae5fc804 100644 --- a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml +++ b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.resource_development - attack.t1587 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/image_load/sysmon_in_memory_powershell.yml index c8d5128a..c08df0f6 100644 --- a/rules/sigma/image_load/sysmon_in_memory_powershell.yml +++ b/rules/sigma/image_load/sysmon_in_memory_powershell.yml @@ -49,3 +49,4 @@ tags: - attack.t1086 - attack.t1059.001 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_pcre_net_load.yml b/rules/sigma/image_load/sysmon_pcre_net_load.yml index ce90f8b3..06efb137 100644 --- a/rules/sigma/image_load/sysmon_pcre_net_load.yml +++ b/rules/sigma/image_load/sysmon_pcre_net_load.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml index 25be1a44..2c4d93bc 100644 --- a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml +++ b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml index acaf7518..7040913e 100644 --- a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.t1574 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/image_load/sysmon_susp_fax_dll.yml index 27671f58..527347bc 100644 --- a/rules/sigma/image_load/sysmon_susp_fax_dll.yml +++ b/rules/sigma/image_load/sysmon_susp_fax_dll.yml @@ -35,3 +35,4 @@ tags: - attack.t1038 - attack.t1574.001 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_image_load.yml b/rules/sigma/image_load/sysmon_susp_image_load.yml index 64630bd8..5e7c1c98 100644 --- a/rules/sigma/image_load/sysmon_susp_image_load.yml +++ b/rules/sigma/image_load/sysmon_susp_image_load.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index 017745c3..8bf01a6a 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml index 5179191a..2d6e9c41 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml index a58112dc..85d73b1b 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml index b21e9441..e0636a7c 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml index 6d0ffd63..34c4c4fe 100644 --- a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/image_load/sysmon_susp_python_image_load.yml index f92ee9e2..2af6e561 100644 --- a/rules/sigma/image_load/sysmon_susp_python_image_load.yml +++ b/rules/sigma/image_load/sysmon_susp_python_image_load.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index faff2405..013da64c 100644 --- a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml index adb82add..8d0ea2fe 100644 --- a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml +++ b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1113 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml index 945e6be0..a91fa571 100644 --- a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml index f74c63d2..c63c492f 100644 --- a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 328753ed..05dc8b88 100644 --- a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -70,3 +70,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml index c21bce53..9e8e4668 100644 --- a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -40,3 +40,4 @@ tags: - attack.t1574.002 - attack.t1038 - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml index 0c26cf85..51ebaf59 100644 --- a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml +++ b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1218 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml index 086be58e..0f9cf9e9 100644 --- a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml index 4bfe4bc8..4066e9f6 100644 --- a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml @@ -37,3 +37,4 @@ tags: - attack.credential_access - attack.collection - attack.t1056.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml index c4bc888e..5669d048 100644 --- a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml +++ b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_module_load.yml b/rules/sigma/image_load/sysmon_wmi_module_load.yml index 2407090f..dc7ec21f 100644 --- a/rules/sigma/image_load/sysmon_wmi_module_load.yml +++ b/rules/sigma/image_load/sysmon_wmi_module_load.yml @@ -61,3 +61,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml index eaa26ec9..e99b0f1b 100644 --- a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -26,3 +26,4 @@ tags: - attack.t1084 - attack.t1546.003 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml index 1c04b346..060b0a77 100644 --- a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1220 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml index 2eb5e89e..30483b48 100644 --- a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml +++ b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml @@ -46,3 +46,4 @@ tags: - attack.t1059.001 - attack.lateral_movement - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml index 0ea4588c..a6d45e9c 100644 --- a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml +++ b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml index 2d98af3f..c2a7adc2 100644 --- a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml +++ b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml @@ -40,3 +40,4 @@ tags: - attack.defense_evasion - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_exploiting.yml b/rules/sigma/malware/av_exploiting.yml index 0dc45e26..08f613a5 100644 --- a/rules/sigma/malware/av_exploiting.yml +++ b/rules/sigma/malware/av_exploiting.yml @@ -39,3 +39,4 @@ tags: - attack.t1203 - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_hacktool.yml b/rules/sigma/malware/av_hacktool.yml index 39502cc5..e425932b 100644 --- a/rules/sigma/malware/av_hacktool.yml +++ b/rules/sigma/malware/av_hacktool.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_password_dumper.yml b/rules/sigma/malware/av_password_dumper.yml index 69a2a004..e358a522 100644 --- a/rules/sigma/malware/av_password_dumper.yml +++ b/rules/sigma/malware/av_password_dumper.yml @@ -39,3 +39,4 @@ tags: - attack.t1558 - attack.t1003.001 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml index 676fcd5e..11ea7d57 100644 --- a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml +++ b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml @@ -27,3 +27,4 @@ status: stable tags: - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_relevant_files.yml b/rules/sigma/malware/av_relevant_files.yml index d1214c71..084f4989 100644 --- a/rules/sigma/malware/av_relevant_files.yml +++ b/rules/sigma/malware/av_relevant_files.yml @@ -79,3 +79,4 @@ status: experimental tags: - attack.resource_development - attack.t1588 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_webshell.yml b/rules/sigma/malware/av_webshell.yml index 73b6e098..1ffda88b 100644 --- a/rules/sigma/malware/av_webshell.yml +++ b/rules/sigma/malware/av_webshell.yml @@ -77,3 +77,4 @@ tags: - attack.persistence - attack.t1100 - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/malware/file_event_mal_octopus_scanner.yml index 9e9d151f..611a0e31 100644 --- a/rules/sigma/malware/file_event_mal_octopus_scanner.yml +++ b/rules/sigma/malware/file_event_mal_octopus_scanner.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.t1195 - attack.t1195.001 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml index c193a043..dcb7ae82 100644 --- a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml +++ b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1112 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml index 972dd8c1..a1ed5f01 100644 --- a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml +++ b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml index efe7aeb7..37d2a39a 100644 --- a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml +++ b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_ryuk.yml b/rules/sigma/malware/process_creation_mal_ryuk.yml index 0a388e82..3c24bb4f 100644 --- a/rules/sigma/malware/process_creation_mal_ryuk.yml +++ b/rules/sigma/malware/process_creation_mal_ryuk.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_azorult.yml b/rules/sigma/malware/registry_event_mal_azorult.yml index ad726d65..99935e08 100644 --- a/rules/sigma/malware/registry_event_mal_azorult.yml +++ b/rules/sigma/malware/registry_event_mal_azorult.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.execution - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml index 0c355ce1..44f831f6 100644 --- a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml +++ b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1112 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_flowcloud.yml b/rules/sigma/malware/registry_event_mal_flowcloud.yml index db1beb5e..b1058002 100644 --- a/rules/sigma/malware/registry_event_mal_flowcloud.yml +++ b/rules/sigma/malware/registry_event_mal_flowcloud.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_netwire.yml b/rules/sigma/malware/registry_event_mal_netwire.yml index cdb4e8ee..1ce88a79 100644 --- a/rules/sigma/malware/registry_event_mal_netwire.yml +++ b/rules/sigma/malware/registry_event_mal_netwire.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_ursnif.yml b/rules/sigma/malware/registry_event_mal_ursnif.yml index 217993b5..dcf82a6a 100644 --- a/rules/sigma/malware/registry_event_mal_ursnif.yml +++ b/rules/sigma/malware/registry_event_mal_ursnif.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml index 892dfc91..9d47d0d6 100644 --- a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1127.001 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml index d8311bee..8394040b 100644 --- a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml +++ b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml @@ -50,3 +50,4 @@ tags: - attack.execution - attack.t1559.001 - attack.t1175 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml index ea505fe0..98f059c7 100644 --- a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml @@ -58,3 +58,4 @@ status: experimental tags: - attack.execution - attack.t1203 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml index 88f7e2a4..5576ab1e 100644 --- a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml +++ b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml @@ -108,3 +108,4 @@ tags: - attack.command_and_control - attack.t1571 - attack.t1043 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml index a3b04bc1..0911c917 100644 --- a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml index 58f7e71b..96429c14 100644 --- a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml @@ -60,3 +60,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml index e72a8a6f..38e1f4b9 100644 --- a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml @@ -39,3 +39,4 @@ tags: - attack.t1021.001 - attack.t1076 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml index 8bba95c9..e3c3567c 100644 --- a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml index 52bcf32d..79b124ec 100644 --- a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml +++ b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml @@ -32,3 +32,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml index 9f88bd02..b3db683e 100644 --- a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml +++ b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml @@ -49,3 +49,4 @@ tags: - attack.t1218.011 - attack.t1085 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml index fe34a3c4..0a65bd83 100644 --- a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_rdp.yml b/rules/sigma/network_connection/sysmon_susp_rdp.yml index 0297cae8..5113f650 100644 --- a/rules/sigma/network_connection/sysmon_susp_rdp.yml +++ b/rules/sigma/network_connection/sysmon_susp_rdp.yml @@ -51,3 +51,4 @@ tags: - attack.t1021.001 - attack.t1076 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml index 8d9c613b..1ea0e858 100644 --- a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml @@ -36,3 +36,4 @@ tags: - attack.lateral_movement - attack.t1550.003 - attack.t1097 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml index 80024fbc..8c594e4a 100644 --- a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml +++ b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml @@ -35,3 +35,4 @@ tags: - attack.exfiltration - attack.t1567.001 - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml index 2ba79e73..cd1b5e3e 100644 --- a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml +++ b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml index 78ff9b9b..ebb03586 100644 --- a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/win_net_crypto_mining.yml b/rules/sigma/network_connection/win_net_crypto_mining.yml index 231d212e..51a5bf04 100644 --- a/rules/sigma/network_connection/win_net_crypto_mining.yml +++ b/rules/sigma/network_connection/win_net_crypto_mining.yml @@ -44,3 +44,4 @@ status: stable tags: - attack.impact - attack.t1496 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_amsi_trigger.yml b/rules/sigma/other/win_defender_amsi_trigger.yml index adc37c0e..ceb96d3e 100644 --- a/rules/sigma/other/win_defender_amsi_trigger.yml +++ b/rules/sigma/other/win_defender_amsi_trigger.yml @@ -23,3 +23,4 @@ status: stable tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_bypass.yml b/rules/sigma/other/win_defender_bypass.yml index 0fc20e93..934a7dfd 100644 --- a/rules/sigma/other/win_defender_bypass.yml +++ b/rules/sigma/other/win_defender_bypass.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_disabled.yml b/rules/sigma/other/win_defender_disabled.yml index 27c285ee..5f668850 100644 --- a/rules/sigma/other/win_defender_disabled.yml +++ b/rules/sigma/other/win_defender_disabled.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_exclusions.yml b/rules/sigma/other/win_defender_exclusions.yml index 38cadac8..392ae2b0 100644 --- a/rules/sigma/other/win_defender_exclusions.yml +++ b/rules/sigma/other/win_defender_exclusions.yml @@ -24,3 +24,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_history_delete.yml b/rules/sigma/other/win_defender_history_delete.yml index 0328eb8f..f91be5ee 100644 --- a/rules/sigma/other/win_defender_history_delete.yml +++ b/rules/sigma/other/win_defender_history_delete.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_psexec_wmi_asr.yml b/rules/sigma/other/win_defender_psexec_wmi_asr.yml index cef87a24..7f411ec9 100644 --- a/rules/sigma/other/win_defender_psexec_wmi_asr.yml +++ b/rules/sigma/other/win_defender_psexec_wmi_asr.yml @@ -32,3 +32,4 @@ tags: - attack.t1047 - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_tamper_protection_trigger.yml b/rules/sigma/other/win_defender_tamper_protection_trigger.yml index 5798cdf7..ddd5ea17 100644 --- a/rules/sigma/other/win_defender_tamper_protection_trigger.yml +++ b/rules/sigma/other/win_defender_tamper_protection_trigger.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_threat.yml b/rules/sigma/other/win_defender_threat.yml index bd01bd2d..1ba96d93 100644 --- a/rules/sigma/other/win_defender_threat.yml +++ b/rules/sigma/other/win_defender_threat.yml @@ -26,3 +26,4 @@ status: stable tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_cve_2021_42321.yml b/rules/sigma/other/win_exchange_cve_2021_42321.yml index 6cde2afc..77e2a949 100644 --- a/rules/sigma/other/win_exchange_cve_2021_42321.yml +++ b/rules/sigma/other/win_exchange_cve_2021_42321.yml @@ -19,3 +19,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1210 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml index 431a2dd7..7d698702 100644 --- a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml b/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml index 6e81d25a..a4cf41b3 100644 --- a/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml +++ b/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml b/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml index ff00aace..476a404b 100644 --- a/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml index c2261028..1d2b913d 100644 --- a/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml +++ b/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_transportagent_failed.yml b/rules/sigma/other/win_exchange_transportagent_failed.yml index 61c5afe1..1970f784 100644 --- a/rules/sigma/other/win_exchange_transportagent_failed.yml +++ b/rules/sigma/other/win_exchange_transportagent_failed.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/other/win_lateral_movement_condrv.yml b/rules/sigma/other/win_lateral_movement_condrv.yml index 313514f4..e725bd25 100644 --- a/rules/sigma/other/win_lateral_movement_condrv.yml +++ b/rules/sigma/other/win_lateral_movement_condrv.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1021 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_ldap_recon.yml b/rules/sigma/other/win_ldap_recon.yml index f73b214a..d6bd1659 100644 --- a/rules/sigma/other/win_ldap_recon.yml +++ b/rules/sigma/other/win_ldap_recon.yml @@ -79,3 +79,4 @@ tags: - attack.t1069.002 - attack.t1087.002 - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/other/win_pcap_drivers.yml b/rules/sigma/other/win_pcap_drivers.yml index 41f30ba2..139528fd 100644 --- a/rules/sigma/other/win_pcap_drivers.yml +++ b/rules/sigma/other/win_pcap_drivers.yml @@ -40,3 +40,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index a4a4b044..e4fc4bfb 100644 --- a/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml @@ -27,3 +27,4 @@ status: stable tags: - attack.t1210 - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/other/win_rare_schtask_creation.yml b/rules/sigma/other/win_rare_schtask_creation.yml index 2c57427f..dd190b17 100644 --- a/rules/sigma/other/win_rare_schtask_creation.yml +++ b/rules/sigma/other/win_rare_schtask_creation.yml @@ -22,3 +22,4 @@ tags: - attack.t1053 - attack.s0111 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/other/win_security_wmi_persistence.yml b/rules/sigma/other/win_security_wmi_persistence.yml index 8d6da1ba..6d8823c7 100644 --- a/rules/sigma/other/win_security_wmi_persistence.yml +++ b/rules/sigma/other/win_security_wmi_persistence.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - attack.t1084 - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_system_defender_disabled.yml b/rules/sigma/other/win_system_defender_disabled.yml index ce21edc6..f7cced97 100644 --- a/rules/sigma/other/win_system_defender_disabled.yml +++ b/rules/sigma/other/win_system_defender_disabled.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_tool_psexec.yml b/rules/sigma/other/win_tool_psexec.yml index 716d9d1c..1220752d 100644 --- a/rules/sigma/other/win_tool_psexec.yml +++ b/rules/sigma/other/win_tool_psexec.yml @@ -39,3 +39,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/other/win_wmi_persistence.yml b/rules/sigma/other/win_wmi_persistence.yml index 12064004..c2c4058b 100644 --- a/rules/sigma/other/win_wmi_persistence.yml +++ b/rules/sigma/other/win_wmi_persistence.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.t1084 - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/pipe_created_tool_psexec.yml b/rules/sigma/pipe_created/pipe_created_tool_psexec.yml index 78f31d32..b3af623c 100644 --- a/rules/sigma/pipe_created/pipe_created_tool_psexec.yml +++ b/rules/sigma/pipe_created/pipe_created_tool_psexec.yml @@ -46,3 +46,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 9bef3ed3..5cd00728 100644 --- a/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml index a0407181..ade9f287 100644 --- a/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -37,3 +37,4 @@ tags: - attack.g0010 - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 1830b3c6..b16e722d 100644 --- a/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -39,3 +39,4 @@ tags: - attack.t1003.002 - attack.t1003.004 - attack.t1003.005 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml index bf58ef3e..135bd2b7 100644 --- a/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml index d4f17979..2d2aa7f7 100644 --- a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml @@ -46,3 +46,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml index ce3bb40d..b65a1149 100644 --- a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -76,3 +76,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml b/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml index f15598d9..d0bdd3bf 100644 --- a/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml @@ -68,3 +68,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml index d0b1567f..3305c48f 100644 --- a/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml +++ b/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml index b127e1cb..d8a9cf17 100644 --- a/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index af8e9489..3e1d1fcc 100644 --- a/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.collection - attack.t1005 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index bf7d55d3..29ac1f99 100644 --- a/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml @@ -74,3 +74,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index d0831c31..4317b12c 100644 --- a/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.t1047 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml index 6ae70b9c..b129b6ef 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml index 082e2277..84be8344 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml index 90e19d33..3acb6208 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml index 6cf210da..e905f40f 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml index 0effda91..5d7da005 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml index 3b6b8025..19b754a7 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml index d3494f13..f12618f2 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml index 26eff79e..0bc76d22 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml index 74bcecbe..da705169 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml index 6d3f2e41..4f13e805 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml index 6d7ee6f4..b3ef5615 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml index 113645d7..54d7cf2e 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml @@ -29,3 +29,4 @@ tags: - attack.t1059.001 - attack.lateral_movement - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml index cad79788..aabd04f6 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index 2a8b6e82..94b5c525 100644 --- a/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index 89a12bb1..e743cdc4 100644 --- a/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -38,3 +38,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml index b72240cd..3bd801bc 100644 --- a/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1070.003 - attack.t1146 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml b/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml index 3e351139..5a0df3af 100644 --- a/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1140 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml b/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml index 78098bc6..d45c5560 100644 --- a/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.collection - attack.t1115 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 69dd2eba..8de8a9b0 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index 60dbd5a1..70477331 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -40,3 +40,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index 7104bb9d..cb6fa371 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index 98092567..f6382508 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 54d02b0d..05fc8781 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index cbc49feb..db5e95e7 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index 64dceebd..23274f42 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 87064602..7944dcc9 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index 13c5308e..05e71589 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index eb89454a..17701049 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 80201302..d2fb0c38 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_powercat.yml b/rules/sigma/powershell/powershell_module/powershell_powercat.yml index 0a70fa09..2d636ee3 100644 --- a/rules/sigma/powershell/powershell_module/powershell_powercat.yml +++ b/rules/sigma/powershell/powershell_module/powershell_powercat.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml index 4c77f359..bc852c78 100644 --- a/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -28,3 +28,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index e95289fc..df562b92 100644 --- a/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml index b1dbc676..74cf57f5 100644 --- a/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml index b1b5d29e..086318ea 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml index 6acaa178..c95e63cb 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml index 4f85a6b7..17237bfc 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml @@ -92,3 +92,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml index 0b506ae9..fee2b3fb 100644 --- a/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml index 33e6bce4..4ad79ed9 100644 --- a/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml +++ b/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml @@ -70,3 +70,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml index 5edf13a1..4fda5bb3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml +++ b/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml b/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml index 2cf0cc52..30594c2c 100644 --- a/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml +++ b/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml index fbba403e..9d4f4032 100644 --- a/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml +++ b/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml @@ -29,3 +29,4 @@ tags: - attack.t1069.001 - attack.t1069.002 - attack.t1069 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml index 221ee898..fd3cd4a8 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml index 4f78b7df..e48150ef 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml index a01ea32f..deaa9875 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml index 61f935a4..0581347a 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml b/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml index 6f6d38ad..b3c67d5d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml +++ b/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml @@ -26,3 +26,4 @@ tags: - attack.persistence - attack.t1136.001 - attack.t1136 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml b/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml index 277c2054..2234755d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml +++ b/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml @@ -29,3 +29,4 @@ tags: - attack.exfiltration - attack.t1560 - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml index 0a2cd462..67d5590d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1497.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml index 4993de7d..84047140 100644 --- a/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml +++ b/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml index 00d272ea..16c38b9b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml +++ b/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml index 29e134d7..bf5307d3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml @@ -22,3 +22,4 @@ status: test tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml index 991077af..bb0cc012 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml index a99d1725..3c882dae 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml index 10751f80..835457f7 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml index 604ac728..11437409 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml index 9a2a8eb7..ce67206d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml index 77141983..6351b70f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml index 4dbdb15c..6f801ddb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml index 3e99fdc8..c733f87c 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml index fd72b483..054e5628 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml index ec0a3c13..fe5e9d80 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml index 5d2ab8c3..df52c285 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_keylogging.yml b/rules/sigma/powershell/powershell_script/powershell_keylogging.yml index 9f1143b2..f6863858 100644 --- a/rules/sigma/powershell/powershell_script/powershell_keylogging.yml +++ b/rules/sigma/powershell/powershell_script/powershell_keylogging.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1056.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml index 48130617..ca621e46 100644 --- a/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml @@ -121,3 +121,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml index e7d60deb..165ba0e2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml +++ b/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml @@ -44,3 +44,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml index 952c468b..6b077362 100644 --- a/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml @@ -24,3 +24,4 @@ references: status: experimental tags: - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml index c53aaa7f..393a2b6b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml @@ -94,3 +94,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml index b4fb1d52..5c3e523b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml index 45dc63b3..9ae67c71 100644 --- a/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml @@ -147,3 +147,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml index a063939c..fb926ab8 100644 --- a/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml +++ b/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml @@ -25,3 +25,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_psattack.yml b/rules/sigma/powershell/powershell_script/powershell_psattack.yml index b5b33ea1..27a01dad 100644 --- a/rules/sigma/powershell/powershell_script/powershell_psattack.yml +++ b/rules/sigma/powershell/powershell_script/powershell_psattack.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml index 5faa925d..cca361d0 100644 --- a/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml +++ b/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml index dd3ea6da..f7309bb6 100644 --- a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml +++ b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml index 5e671fab..20fda8a3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml b/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml index 7b7ecaae..14c17ae4 100644 --- a/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml +++ b/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.discovery - attack.t1518 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml index 83e70370..9d9ff315 100644 --- a/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml +++ b/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml index 1e260625..51c21a50 100644 --- a/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml index 6892568b..fdb419d1 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml index 81d5f760..8cc5f7c2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml index 3a2d0b46..4c51cf26 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml index 2327b537..cb3d60a4 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml index 0f8f53af..4d8af680 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml @@ -92,3 +92,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml index 46050db5..5f7848b7 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml index 1bcafe80..0f264fdb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1114.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml index 317a983c..11465ddb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.005 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml index b75974f9..cce18b1a 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml index 5a7776ba..2851d113 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.discovery - attack.t1120 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml index bdaed16a..b6b5db5f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml index 2ff81987..7ca13350 100644 --- a/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_timestomp.yml b/rules/sigma/powershell/powershell_script/powershell_timestomp.yml index fc7b7e0e..eae20ab9 100644 --- a/rules/sigma/powershell/powershell_script/powershell_timestomp.yml +++ b/rules/sigma/powershell/powershell_script/powershell_timestomp.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.006 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml index ac71ad5c..248e37fb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml +++ b/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.013 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_web_request.yml b/rules/sigma/powershell/powershell_script/powershell_web_request.yml index eb71f58e..e89ed7d2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_web_request.yml +++ b/rules/sigma/powershell/powershell_script/powershell_web_request.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml index f04b14e1..b3c3407f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml +++ b/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml index 64455fed..240bbc16 100644 --- a/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml +++ b/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1547.004 - attack.t1004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml index b126f634..79a636c5 100644 --- a/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml +++ b/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml b/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml index 94014edb..f5238541 100644 --- a/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml +++ b/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml @@ -42,3 +42,4 @@ tags: - attack.t1047 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml b/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml index 2e1b415e..f2c73c44 100644 --- a/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml +++ b/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml @@ -35,3 +35,4 @@ tags: - attack.g0069 - attack.g0080 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml index 0aaa09de..afd66cae 100644 --- a/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml +++ b/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml @@ -30,3 +30,4 @@ tags: - attack.t1106 - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml index 35a34ac3..0ae109eb 100644 --- a/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml @@ -76,3 +76,4 @@ tags: - attack.t1003 - attack.s0002 - car.2019-04-004 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml index 00bce1d0..f09a794a 100644 --- a/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml +++ b/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml b/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml index e52f3b8b..355b3989 100644 --- a/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml @@ -77,3 +77,4 @@ tags: - attack.t1055.001 - attack.t1055.002 - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_invoke_phantom.yml b/rules/sigma/process_access/sysmon_invoke_phantom.yml index 390ac4fc..d14366e3 100644 --- a/rules/sigma/process_access/sysmon_invoke_phantom.yml +++ b/rules/sigma/process_access/sysmon_invoke_phantom.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1562.002 - attack.t1089 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml index c7344327..7bc875ac 100644 --- a/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.s0349 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml b/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml index 70671a30..2b9ac073 100644 --- a/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml +++ b/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1204.002 - attack.t1055.003 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 5bc48ff5..a00d411e 100644 --- a/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 1797721a..6b77f92f 100644 --- a/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lsass_memdump.yml b/rules/sigma/process_access/sysmon_lsass_memdump.yml index 0d7e7e72..66f25dbf 100644 --- a/rules/sigma/process_access/sysmon_lsass_memdump.yml +++ b/rules/sigma/process_access/sysmon_lsass_memdump.yml @@ -32,3 +32,4 @@ tags: - attack.t1003.001 - attack.t1003 - attack.s0002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml index 3ad5ee8f..f8a9ecc7 100644 --- a/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml +++ b/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml index 7a508673..9aab467d 100644 --- a/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml +++ b/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml @@ -34,3 +34,4 @@ tags: - attack.t1021.006 - attack.t1028 - attack.s0002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml index 0b85033c..8fe3d37a 100644 --- a/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_svchost_cred_dump.yml b/rules/sigma/process_access/sysmon_svchost_cred_dump.yml index c796d818..a1e494f6 100644 --- a/rules/sigma/process_access/sysmon_svchost_cred_dump.yml +++ b/rules/sigma/process_access/sysmon_svchost_cred_dump.yml @@ -26,3 +26,4 @@ logsource: status: experimental tags: - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml b/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml index 95c8faa9..1f6c6daf 100644 --- a/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml +++ b/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml index 1be3400d..34870643 100644 --- a/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml +++ b/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml @@ -33,3 +33,4 @@ tags: - attack.initial_access - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml index 4ed438a4..cf0531cc 100644 --- a/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml +++ b/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml @@ -35,3 +35,4 @@ tags: - attack.persistence - attack.t1112 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml b/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml index cbe02627..eab10a4b 100644 --- a/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml +++ b/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.discovery - attack.t1046 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_alternate_data_streams.yml b/rules/sigma/process_creation/process_creation_alternate_data_streams.yml index 77dcc021..4be82e88 100644 --- a/rules/sigma/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/sigma/process_creation/process_creation_alternate_data_streams.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_gallium.yml b/rules/sigma/process_creation/process_creation_apt_gallium.yml index 534b8a8a..0967bca2 100644 --- a/rules/sigma/process_creation/process_creation_apt_gallium.yml +++ b/rules/sigma/process_creation/process_creation_apt_gallium.yml @@ -35,3 +35,4 @@ tags: - attack.t1212 - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml b/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml index 9d162292..ee1c1436 100644 --- a/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml +++ b/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml @@ -46,3 +46,4 @@ tags: - attack.t1212 - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_pandemic.yml b/rules/sigma/process_creation/process_creation_apt_pandemic.yml index ddf58638..b6dc70b1 100644 --- a/rules/sigma/process_creation/process_creation_apt_pandemic.yml +++ b/rules/sigma/process_creation/process_creation_apt_pandemic.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_slingshot.yml b/rules/sigma/process_creation/process_creation_apt_slingshot.yml index ac825e03..0ea4e96b 100644 --- a/rules/sigma/process_creation/process_creation_apt_slingshot.yml +++ b/rules/sigma/process_creation/process_creation_apt_slingshot.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1053.005 - attack.s0111 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml index 8b67f48a..0fa9ba89 100644 --- a/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml +++ b/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml @@ -33,3 +33,4 @@ tags: - attack.discovery - attack.t1083 - attack.t1135 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_wocao.yml b/rules/sigma/process_creation/process_creation_apt_wocao.yml index 89e3ba6a..42ee3340 100644 --- a/rules/sigma/process_creation/process_creation_apt_wocao.yml +++ b/rules/sigma/process_creation/process_creation_apt_wocao.yml @@ -46,3 +46,4 @@ tags: - attack.t1053 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_automated_collection.yml b/rules/sigma/process_creation/process_creation_automated_collection.yml index 156d4a86..00aac6e1 100644 --- a/rules/sigma/process_creation/process_creation_automated_collection.yml +++ b/rules/sigma/process_creation/process_creation_automated_collection.yml @@ -43,3 +43,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml index bc1e8098..4a6ed644 100644 --- a/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml +++ b/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_certoc_execution.yml b/rules/sigma/process_creation/process_creation_certoc_execution.yml index 95610712..7dac646f 100644 --- a/rules/sigma/process_creation/process_creation_certoc_execution.yml +++ b/rules/sigma/process_creation/process_creation_certoc_execution.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_clip.yml b/rules/sigma/process_creation/process_creation_clip.yml index bf91eaa3..d39b8b6d 100644 --- a/rules/sigma/process_creation/process_creation_clip.yml +++ b/rules/sigma/process_creation/process_creation_clip.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.collection - attack.t1115 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml index d44fdbef..df1125b3 100644 --- a/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml +++ b/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml index 7650a607..c9d5b758 100644 --- a/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml +++ b/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml @@ -35,3 +35,4 @@ tags: - attack.impact - attack.s0575 - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml b/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml index ff4a5dd9..8545f587 100644 --- a/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.collection - attack.t1005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_discover_private_keys.yml b/rules/sigma/process_creation/process_creation_discover_private_keys.yml index 4123a159..c5aec594 100644 --- a/rules/sigma/process_creation/process_creation_discover_private_keys.yml +++ b/rules/sigma/process_creation/process_creation_discover_private_keys.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml index d8758df3..f5d7e1d5 100644 --- a/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml +++ b/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml @@ -41,3 +41,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_dotnet.yml b/rules/sigma/process_creation/process_creation_dotnet.yml index 05f07ba5..b2baa7f7 100644 --- a/rules/sigma/process_creation/process_creation_dotnet.yml +++ b/rules/sigma/process_creation/process_creation_dotnet.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_hack_dumpert.yml b/rules/sigma/process_creation/process_creation_hack_dumpert.yml index 99503438..6abc5f87 100644 --- a/rules/sigma/process_creation/process_creation_hack_dumpert.yml +++ b/rules/sigma/process_creation/process_creation_hack_dumpert.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_infdefaultinstall.yml b/rules/sigma/process_creation/process_creation_infdefaultinstall.yml index b808f3ef..e9719186 100644 --- a/rules/sigma/process_creation/process_creation_infdefaultinstall.yml +++ b/rules/sigma/process_creation/process_creation_infdefaultinstall.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml index 2692492b..1367d099 100644 --- a/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml index 9dd2c465..94f98b21 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml @@ -37,3 +37,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index 790bf9e7..88769ec9 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -43,3 +43,4 @@ tags: - attack.persistence - attack.t1547 - attack.t1547.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index f8b861d1..acf5eb79 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_msdeploy.yml b/rules/sigma/process_creation/process_creation_msdeploy.yml index 830f1258..69ef9452 100644 --- a/rules/sigma/process_creation/process_creation_msdeploy.yml +++ b/rules/sigma/process_creation/process_creation_msdeploy.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index ffa12c65..9cb05479 100644 --- a/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml @@ -40,3 +40,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 5b6bdf31..cc1f0913 100644 --- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -56,3 +56,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 763db361..91572efc 100644 --- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -52,3 +52,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml index 91b26d77..7182ab78 100644 --- a/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml @@ -35,3 +35,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_pingback_backdoor.yml b/rules/sigma/process_creation/process_creation_pingback_backdoor.yml index 864e6773..bf876d96 100644 --- a/rules/sigma/process_creation/process_creation_pingback_backdoor.yml +++ b/rules/sigma/process_creation/process_creation_pingback_backdoor.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml b/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml index 08ee1334..4fe2de3c 100644 --- a/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml +++ b/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_root_certificate_installed.yml b/rules/sigma/process_creation/process_creation_root_certificate_installed.yml index 5d17a358..8f1f9e5c 100644 --- a/rules/sigma/process_creation/process_creation_root_certificate_installed.yml +++ b/rules/sigma/process_creation/process_creation_root_certificate_installed.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1553.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sdelete.yml b/rules/sigma/process_creation/process_creation_sdelete.yml index 863a6111..9c1c5782 100644 --- a/rules/sigma/process_creation/process_creation_sdelete.yml +++ b/rules/sigma/process_creation/process_creation_sdelete.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.impact - attack.t1485 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_software_discovery.yml b/rules/sigma/process_creation/process_creation_software_discovery.yml index 4225cf8a..1a1e28de 100644 --- a/rules/sigma/process_creation/process_creation_software_discovery.yml +++ b/rules/sigma/process_creation/process_creation_software_discovery.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.discovery - attack.t1518 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml index 09dca05f..a1fe0c99 100644 --- a/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml +++ b/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml @@ -42,3 +42,4 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_stordiag_execution.yml b/rules/sigma/process_creation/process_creation_stordiag_execution.yml index d6873cdb..b6267d45 100644 --- a/rules/sigma/process_creation/process_creation_stordiag_execution.yml +++ b/rules/sigma/process_creation/process_creation_stordiag_execution.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_7z.yml b/rules/sigma/process_creation/process_creation_susp_7z.yml index 89b4264d..ff8267b8 100644 --- a/rules/sigma/process_creation/process_creation_susp_7z.yml +++ b/rules/sigma/process_creation/process_creation_susp_7z.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml index 6db8e7ed..dc04c42b 100644 --- a/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_del.yml b/rules/sigma/process_creation/process_creation_susp_del.yml index 0fe3665d..1790d924 100644 --- a/rules/sigma/process_creation/process_creation_susp_del.yml +++ b/rules/sigma/process_creation/process_creation_susp_del.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_recon.yml b/rules/sigma/process_creation/process_creation_susp_recon.yml index 07c6cc1d..a792eff4 100644 --- a/rules/sigma/process_creation/process_creation_susp_recon.yml +++ b/rules/sigma/process_creation/process_creation_susp_recon.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml b/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml index 1e41f6fa..8f5aec97 100644 --- a/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml +++ b/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml @@ -32,3 +32,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_winzip.yml b/rules/sigma/process_creation/process_creation_susp_winzip.yml index 6d165697..007fa229 100644 --- a/rules/sigma/process_creation/process_creation_susp_winzip.yml +++ b/rules/sigma/process_creation/process_creation_susp_winzip.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_zip_compress.yml b/rules/sigma/process_creation/process_creation_susp_zip_compress.yml index 4afc6d49..cf49b7fb 100644 --- a/rules/sigma/process_creation/process_creation_susp_zip_compress.yml +++ b/rules/sigma/process_creation/process_creation_susp_zip_compress.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml index 9979f413..b48a3851 100644 --- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml +++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml index 3472d02b..ddcfe6b3 100644 --- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml +++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml b/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml index e7722dd8..c49444eb 100644 --- a/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml +++ b/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml index 23ca6e38..c27690b3 100644 --- a/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml +++ b/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml @@ -35,3 +35,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_tool_psexec.yml b/rules/sigma/process_creation/process_creation_tool_psexec.yml index 4476fa14..b4fe39f7 100644 --- a/rules/sigma/process_creation/process_creation_tool_psexec.yml +++ b/rules/sigma/process_creation/process_creation_tool_psexec.yml @@ -40,3 +40,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml b/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml index 93108f3d..cf9f59a7 100644 --- a/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml +++ b/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_mailboxexport_share.yml b/rules/sigma/process_creation/process_mailboxexport_share.yml index 95071c03..c4a35ae4 100644 --- a/rules/sigma/process_creation/process_mailboxexport_share.yml +++ b/rules/sigma/process_creation/process_mailboxexport_share.yml @@ -34,3 +34,4 @@ tags: - attack.t1505.003 - attack.resource_development - attack.t1584.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_susp_esentutl_params.yml b/rules/sigma/process_creation/process_susp_esentutl_params.yml index c1f06134..ccc58671 100644 --- a/rules/sigma/process_creation/process_susp_esentutl_params.yml +++ b/rules/sigma/process_creation/process_susp_esentutl_params.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml b/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml index 810a8011..9215cda1 100644 --- a/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml index 5e6561e5..fd2a7a4c 100644 --- a/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.discovery - attack.t1069.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index fdd4403a..3c06a9f7 100644 --- a/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +++ b/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml index 911fc9aa..17f1e102 100644 --- a/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml +++ b/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml @@ -44,3 +44,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml index 3e0b8cdb..9bf4d4d0 100644 --- a/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml +++ b/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml @@ -31,3 +31,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_apt_sourgrum.yml b/rules/sigma/process_creation/sysmon_apt_sourgrum.yml index eddf6811..ceaa4d59 100644 --- a/rules/sigma/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/sigma/process_creation/sysmon_apt_sourgrum.yml @@ -46,3 +46,4 @@ tags: - attack.t1546.015 - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml index 33f81cd8..f4143416 100644 --- a/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +++ b/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1190 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml index f03dc1eb..e3fc5185 100644 --- a/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml +++ b/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml @@ -32,3 +32,4 @@ tags: - attack.t1218.003 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml b/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml index 28c3af54..fd4eac65 100644 --- a/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml +++ b/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml @@ -35,3 +35,4 @@ tags: - attack.collection - attack.t1218 - attack.t1056.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml index 09ae9bbd..61289f3f 100644 --- a/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml @@ -29,3 +29,4 @@ tags: - attack.t1203 - attack.execution - cve.2021.26857 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml b/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml index 9a05f81f..5709c9ed 100644 --- a/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml +++ b/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_hack_wce.yml b/rules/sigma/process_creation/sysmon_hack_wce.yml index e8a75801..82dfe65a 100644 --- a/rules/sigma/process_creation/sysmon_hack_wce.yml +++ b/rules/sigma/process_creation/sysmon_hack_wce.yml @@ -36,3 +36,4 @@ tags: - attack.t1003 - attack.t1003.001 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml b/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml index 92ec9d82..33d3d0e0 100644 --- a/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml +++ b/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 4c4689fc..a2df47f8 100644 --- a/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -36,3 +36,4 @@ tags: - attack.t1037 - attack.t1037.001 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml b/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml index 13385e3f..ee4a0ca8 100644 --- a/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_netcat_execution.yml b/rules/sigma/process_creation/sysmon_netcat_execution.yml index b3a01fae..242c674d 100644 --- a/rules/sigma/process_creation/sysmon_netcat_execution.yml +++ b/rules/sigma/process_creation/sysmon_netcat_execution.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml index 772e528c..37d18933 100644 --- a/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml +++ b/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml b/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml index 2cfdf710..c4b39b89 100644 --- a/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml +++ b/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_sdclt_child_process.yml b/rules/sigma/process_creation/sysmon_sdclt_child_process.yml index 6f3c9696..0a418ffa 100644 --- a/rules/sigma/process_creation/sysmon_sdclt_child_process.yml +++ b/rules/sigma/process_creation/sysmon_sdclt_child_process.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml b/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml index 70e384ab..61e241f0 100644 --- a/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml +++ b/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml @@ -27,3 +27,4 @@ tags: - attack.t1572 - attack.lateral_movement - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_service_modification.yml b/rules/sigma/process_creation/sysmon_susp_service_modification.yml index f13fd76e..1071bf85 100644 --- a/rules/sigma/process_creation/sysmon_susp_service_modification.yml +++ b/rules/sigma/process_creation/sysmon_susp_service_modification.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml index b5323fd2..73749f55 100644 --- a/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml +++ b/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml b/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml index cae61af4..1499249b 100644 --- a/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml +++ b/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml index 291620cc..ed1f4445 100644 --- a/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml +++ b/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml @@ -43,3 +43,4 @@ tags: - attack.execution - attack.persistence - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml index 37e65b4e..da3e6907 100644 --- a/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml +++ b/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml @@ -56,3 +56,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_ad_find_discovery.yml b/rules/sigma/process_creation/win_ad_find_discovery.yml index 88760312..3b96b582 100644 --- a/rules/sigma/process_creation/win_ad_find_discovery.yml +++ b/rules/sigma/process_creation/win_ad_find_discovery.yml @@ -45,3 +45,4 @@ tags: - attack.discovery - attack.t1482 - attack.t1018 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_anydesk_silent_install.yml b/rules/sigma/process_creation/win_anydesk_silent_install.yml index 1a6558b0..d9b25886 100644 --- a/rules/sigma/process_creation/win_anydesk_silent_install.yml +++ b/rules/sigma/process_creation/win_anydesk_silent_install.yml @@ -31,3 +31,4 @@ references: status: experimental tags: - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml b/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml index 4b1f78bc..c177046d 100644 --- a/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml @@ -34,3 +34,4 @@ tags: - attack.t1086 - attack.t1059 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_babyshark.yml b/rules/sigma/process_creation/win_apt_babyshark.yml index e4cf610c..82ca8b98 100644 --- a/rules/sigma/process_creation/win_apt_babyshark.yml +++ b/rules/sigma/process_creation/win_apt_babyshark.yml @@ -35,3 +35,4 @@ tags: - attack.t1170 - attack.t1218 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml b/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml index de569e2f..8f4aebb7 100644 --- a/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml @@ -49,3 +49,4 @@ tags: - attack.t1003 - attack.t1552.001 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_bluemashroom.yml b/rules/sigma/process_creation/win_apt_bluemashroom.yml index 1aa02e81..9a1f2087 100644 --- a/rules/sigma/process_creation/win_apt_bluemashroom.yml +++ b/rules/sigma/process_creation/win_apt_bluemashroom.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1117 - attack.t1218.010 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_cloudhopper.yml b/rules/sigma/process_creation/win_apt_cloudhopper.yml index 26350656..498e0741 100644 --- a/rules/sigma/process_creation/win_apt_cloudhopper.yml +++ b/rules/sigma/process_creation/win_apt_cloudhopper.yml @@ -31,3 +31,4 @@ tags: - attack.g0045 - attack.t1064 - attack.t1059.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_dragonfly.yml b/rules/sigma/process_creation/win_apt_dragonfly.yml index f16b484a..19c329c2 100644 --- a/rules/sigma/process_creation/win_apt_dragonfly.yml +++ b/rules/sigma/process_creation/win_apt_dragonfly.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1110 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_elise.yml b/rules/sigma/process_creation/win_apt_elise.yml index d0f2dd4f..8e1df888 100644 --- a/rules/sigma/process_creation/win_apt_elise.yml +++ b/rules/sigma/process_creation/win_apt_elise.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059 - attack.t1059.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml b/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml index ebb10f90..b3c8762a 100644 --- a/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_empiremonkey.yml b/rules/sigma/process_creation/win_apt_empiremonkey.yml index 8f2f5198..ca014a07 100644 --- a/rules/sigma/process_creation/win_apt_empiremonkey.yml +++ b/rules/sigma/process_creation/win_apt_empiremonkey.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml index 9fae02a4..7dad647a 100644 --- a/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_evilnum_jul20.yml b/rules/sigma/process_creation/win_apt_evilnum_jul20.yml index 41625fdd..04e2de66 100644 --- a/rules/sigma/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/sigma/process_creation/win_apt_evilnum_jul20.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_greenbug_may20.yml b/rules/sigma/process_creation/win_apt_greenbug_may20.yml index 264040d5..3a2b5fcc 100644 --- a/rules/sigma/process_creation/win_apt_greenbug_may20.yml +++ b/rules/sigma/process_creation/win_apt_greenbug_may20.yml @@ -60,3 +60,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_hafnium.yml b/rules/sigma/process_creation/win_apt_hafnium.yml index 7f34eaad..4d358ba9 100644 --- a/rules/sigma/process_creation/win_apt_hafnium.yml +++ b/rules/sigma/process_creation/win_apt_hafnium.yml @@ -91,3 +91,4 @@ tags: - attack.persistence - attack.t1546 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_hurricane_panda.yml b/rules/sigma/process_creation/win_apt_hurricane_panda.yml index 2eb25834..038fcd00 100644 --- a/rules/sigma/process_creation/win_apt_hurricane_panda.yml +++ b/rules/sigma/process_creation/win_apt_hurricane_panda.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.g0009 - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml index 4d6b8aca..8716625c 100644 --- a/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml @@ -41,3 +41,4 @@ tags: - attack.exfiltration - attack.t1002 - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml b/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml index a3c317a8..4c38a72f 100644 --- a/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml +++ b/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml index 6907dd89..aca32e54 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml @@ -40,3 +40,4 @@ tags: - attack.g0032 - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml index 048988b7..963ec7e1 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml @@ -43,3 +43,4 @@ tags: - attack.g0032 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_loader.yml b/rules/sigma/process_creation/win_apt_lazarus_loader.yml index 0db05a88..2f7eaa47 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_loader.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_loader.yml @@ -45,3 +45,4 @@ tags: - attack.g0032 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml b/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml index 10d97282..5fc99293 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_mustangpanda.yml b/rules/sigma/process_creation/win_apt_mustangpanda.yml index 868b160f..6050d061 100644 --- a/rules/sigma/process_creation/win_apt_mustangpanda.yml +++ b/rules/sigma/process_creation/win_apt_mustangpanda.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_revil_kaseya.yml b/rules/sigma/process_creation/win_apt_revil_kaseya.yml index cdadc9c4..4cfc6311 100644 --- a/rules/sigma/process_creation/win_apt_revil_kaseya.yml +++ b/rules/sigma/process_creation/win_apt_revil_kaseya.yml @@ -46,3 +46,4 @@ tags: - attack.execution - attack.t1059 - attack.g0115 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_sofacy.yml b/rules/sigma/process_creation/win_apt_sofacy.yml index 3ad219ac..508d3142 100644 --- a/rules/sigma/process_creation/win_apt_sofacy.yml +++ b/rules/sigma/process_creation/win_apt_sofacy.yml @@ -37,3 +37,4 @@ tags: - attack.t1085 - car.2013-10-002 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml b/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml index 87d4cf80..35ac8106 100644 --- a/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml +++ b/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml @@ -27,3 +27,4 @@ tags: - attack.t1036 - attack.t1036.003 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ta505_dropper.yml b/rules/sigma/process_creation/win_apt_ta505_dropper.yml index 300c5997..85b9c709 100644 --- a/rules/sigma/process_creation/win_apt_ta505_dropper.yml +++ b/rules/sigma/process_creation/win_apt_ta505_dropper.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.g0092 - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_taidoor.yml b/rules/sigma/process_creation/win_apt_taidoor.yml index ebe10664..e8dca757 100644 --- a/rules/sigma/process_creation/win_apt_taidoor.yml +++ b/rules/sigma/process_creation/win_apt_taidoor.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_tropictrooper.yml b/rules/sigma/process_creation/win_apt_tropictrooper.yml index badba166..bec37578 100644 --- a/rules/sigma/process_creation/win_apt_tropictrooper.yml +++ b/rules/sigma/process_creation/win_apt_tropictrooper.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml b/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml index 62912b86..8e90dafe 100644 --- a/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml +++ b/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml @@ -35,3 +35,4 @@ tags: - attack.t1053 - attack.t1053.005 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unc2452_cmds.yml b/rules/sigma/process_creation/win_apt_unc2452_cmds.yml index a20216d6..c20f6136 100644 --- a/rules/sigma/process_creation/win_apt_unc2452_cmds.yml +++ b/rules/sigma/process_creation/win_apt_unc2452_cmds.yml @@ -58,3 +58,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unc2452_ps.yml b/rules/sigma/process_creation/win_apt_unc2452_ps.yml index 905477c0..5557f436 100644 --- a/rules/sigma/process_creation/win_apt_unc2452_ps.yml +++ b/rules/sigma/process_creation/win_apt_unc2452_ps.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml b/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml index ed9f69de..96679043 100644 --- a/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml index bc531f20..4782d153 100644 --- a/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml @@ -44,3 +44,4 @@ tags: - attack.t1574.002 - attack.t1073 - attack.g0044 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_winnti_pipemon.yml b/rules/sigma/process_creation/win_apt_winnti_pipemon.yml index f8228429..818a0ee9 100644 --- a/rules/sigma/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/sigma/process_creation/win_apt_winnti_pipemon.yml @@ -33,3 +33,4 @@ tags: - attack.t1574.002 - attack.t1073 - attack.g0044 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_zxshell.yml b/rules/sigma/process_creation/win_apt_zxshell.yml index 5ffae81d..0aa5c7c1 100644 --- a/rules/sigma/process_creation/win_apt_zxshell.yml +++ b/rules/sigma/process_creation/win_apt_zxshell.yml @@ -37,3 +37,4 @@ tags: - attack.t1085 - attack.s0412 - attack.g0001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_attrib_hiding_files.yml b/rules/sigma/process_creation/win_attrib_hiding_files.yml index 55099e81..0549a0ea 100644 --- a/rules/sigma/process_creation/win_attrib_hiding_files.yml +++ b/rules/sigma/process_creation/win_attrib_hiding_files.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1564.001 - attack.t1158 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml index 70a4a4fb..b310fd90 100644 --- a/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -61,3 +61,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bootconf_mod.yml b/rules/sigma/process_creation/win_bootconf_mod.yml index 3061bb34..e9974c56 100644 --- a/rules/sigma/process_creation/win_bootconf_mod.yml +++ b/rules/sigma/process_creation/win_bootconf_mod.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bypass_squiblytwo.yml b/rules/sigma/process_creation/win_bypass_squiblytwo.yml index cf159c1a..b31bfe1e 100644 --- a/rules/sigma/process_creation/win_bypass_squiblytwo.yml +++ b/rules/sigma/process_creation/win_bypass_squiblytwo.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_change_default_file_association.yml b/rules/sigma/process_creation/win_change_default_file_association.yml index 39f864a9..b72876b5 100644 --- a/rules/sigma/process_creation/win_change_default_file_association.yml +++ b/rules/sigma/process_creation/win_change_default_file_association.yml @@ -41,3 +41,4 @@ tags: - attack.persistence - attack.t1546.001 - attack.t1042 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cl_invocation_lolscript.yml b/rules/sigma/process_creation/win_cl_invocation_lolscript.yml index ce9958b5..262f34e3 100644 --- a/rules/sigma/process_creation/win_cl_invocation_lolscript.yml +++ b/rules/sigma/process_creation/win_cl_invocation_lolscript.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml b/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml index 60cb6a2e..26620003 100644 --- a/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml +++ b/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_class_exec_xwizard.yml b/rules/sigma/process_creation/win_class_exec_xwizard.yml index 837d391b..878c7b0c 100644 --- a/rules/sigma/process_creation/win_class_exec_xwizard.yml +++ b/rules/sigma/process_creation/win_class_exec_xwizard.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cmdkey_recon.yml b/rules/sigma/process_creation/win_cmdkey_recon.yml index e84288c7..d1c691c0 100644 --- a/rules/sigma/process_creation/win_cmdkey_recon.yml +++ b/rules/sigma/process_creation/win_cmdkey_recon.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1003.005 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cmstp_com_object_access.yml b/rules/sigma/process_creation/win_cmstp_com_object_access.yml index 68ed8434..9395e4d7 100644 --- a/rules/sigma/process_creation/win_cmstp_com_object_access.yml +++ b/rules/sigma/process_creation/win_cmstp_com_object_access.yml @@ -49,3 +49,4 @@ tags: - attack.t1191 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml b/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml index 4a1213e2..d6bfb229 100644 --- a/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_commandline_path_traversal.yml b/rules/sigma/process_creation/win_commandline_path_traversal.yml index a0a99b38..76761fbc 100644 --- a/rules/sigma/process_creation/win_commandline_path_traversal.yml +++ b/rules/sigma/process_creation/win_commandline_path_traversal.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.003 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml b/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml index ebac3b47..4917ad2e 100644 --- a/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml +++ b/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_control_panel_item.yml b/rules/sigma/process_creation/win_control_panel_item.yml index f1374c3c..4082f179 100644 --- a/rules/sigma/process_creation/win_control_panel_item.yml +++ b/rules/sigma/process_creation/win_control_panel_item.yml @@ -40,3 +40,4 @@ tags: - attack.t1196 - attack.persistence - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml index 5eb389c0..68071bc1 100644 --- a/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml +++ b/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml @@ -48,3 +48,4 @@ tags: - attack.t1003 - car.2013-07-001 - attack.s0404 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_credential_access_via_password_filter.yml b/rules/sigma/process_creation/win_credential_access_via_password_filter.yml index 501a3d7b..ae22133a 100644 --- a/rules/sigma/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/sigma/process_creation/win_credential_access_via_password_filter.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1174 - attack.t1556.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_fireball.yml b/rules/sigma/process_creation/win_crime_fireball.yml index 140d326c..0371bb23 100644 --- a/rules/sigma/process_creation/win_crime_fireball.yml +++ b/rules/sigma/process_creation/win_crime_fireball.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_maze_ransomware.yml b/rules/sigma/process_creation/win_crime_maze_ransomware.yml index 3634b66a..c11b6e56 100644 --- a/rules/sigma/process_creation/win_crime_maze_ransomware.yml +++ b/rules/sigma/process_creation/win_crime_maze_ransomware.yml @@ -49,3 +49,4 @@ tags: - attack.t1047 - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_snatch_ransomware.yml b/rules/sigma/process_creation/win_crime_snatch_ransomware.yml index 304681cb..85266602 100644 --- a/rules/sigma/process_creation/win_crime_snatch_ransomware.yml +++ b/rules/sigma/process_creation/win_crime_snatch_ransomware.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crypto_mining_monero.yml b/rules/sigma/process_creation/win_crypto_mining_monero.yml index 5550b968..7a3725e1 100644 --- a/rules/sigma/process_creation/win_crypto_mining_monero.yml +++ b/rules/sigma/process_creation/win_crypto_mining_monero.yml @@ -38,3 +38,4 @@ status: stable tags: - attack.impact - attack.t1496 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_data_compressed_with_rar.yml b/rules/sigma/process_creation/win_data_compressed_with_rar.yml index dc31ae53..3b7efdcd 100644 --- a/rules/sigma/process_creation/win_data_compressed_with_rar.yml +++ b/rules/sigma/process_creation/win_data_compressed_with_rar.yml @@ -38,3 +38,4 @@ tags: - attack.t1002 - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml index 81f72a7c..dc1724d6 100644 --- a/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml +++ b/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dll_sideload_xwizard.yml b/rules/sigma/process_creation/win_dll_sideload_xwizard.yml index bca98893..d53dc057 100644 --- a/rules/sigma/process_creation/win_dll_sideload_xwizard.yml +++ b/rules/sigma/process_creation/win_dll_sideload_xwizard.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml index a1443e87..cc5b35a5 100644 --- a/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml @@ -29,3 +29,4 @@ tags: - attack.t1071 - attack.t1132.001 - attack.t1132 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml b/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml index 2bd254fd..2ddfb8c3 100644 --- a/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml +++ b/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml @@ -38,3 +38,4 @@ tags: - attack.t1071.004 - attack.t1001.003 - attack.t1041 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_encoded_frombase64string.yml b/rules/sigma/process_creation/win_encoded_frombase64string.yml index 65092fcd..4cc92caa 100644 --- a/rules/sigma/process_creation/win_encoded_frombase64string.yml +++ b/rules/sigma/process_creation/win_encoded_frombase64string.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_encoded_iex.yml b/rules/sigma/process_creation/win_encoded_iex.yml index 4443cc19..885fb7ca 100644 --- a/rules/sigma/process_creation/win_encoded_iex.yml +++ b/rules/sigma/process_creation/win_encoded_iex.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_etw_modification_cmdline.yml b/rules/sigma/process_creation/win_etw_modification_cmdline.yml index 376f80c9..415a5775 100644 --- a/rules/sigma/process_creation/win_etw_modification_cmdline.yml +++ b/rules/sigma/process_creation/win_etw_modification_cmdline.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_etw_trace_evasion.yml b/rules/sigma/process_creation/win_etw_trace_evasion.yml index b20be104..ab84d4b1 100644 --- a/rules/sigma/process_creation/win_etw_trace_evasion.yml +++ b/rules/sigma/process_creation/win_etw_trace_evasion.yml @@ -69,3 +69,4 @@ tags: - attack.t1070 - attack.t1562.006 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml index 944759ec..43ab45e3 100644 --- a/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml @@ -29,3 +29,4 @@ tags: - attack.t1041 - attack.t1572 - attack.t1071.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml b/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml index 260ed96d..f7793c7d 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml b/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml index 32870701..81e9e369 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml b/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml index b46045bb..4288080d 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml b/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml index a2809398..9203d869 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml b/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml index 04975758..07fed794 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml @@ -44,3 +44,4 @@ tags: - attack.t1059 - attack.t1574 - cve.2019.1378 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml b/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml index 7042ecbf..75c6a884 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml b/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml index 9afb47b5..130e48b7 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml @@ -36,3 +36,4 @@ tags: - attack.t1059 - attack.s0190 - cve.2020.10189 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml b/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml index 279fd128..fa227418 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml b/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml index 86946aa0..e1dd17b2 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml @@ -31,3 +31,4 @@ tags: - attack.t1190 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_systemnightmare.yml b/rules/sigma/process_creation/win_exploit_systemnightmare.yml index df133512..5903a73b 100644 --- a/rules/sigma/process_creation/win_exploit_systemnightmare.yml +++ b/rules/sigma/process_creation/win_exploit_systemnightmare.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_file_permission_modifications.yml b/rules/sigma/process_creation/win_file_permission_modifications.yml index caad29f5..8a3d6c92 100644 --- a/rules/sigma/process_creation/win_file_permission_modifications.yml +++ b/rules/sigma/process_creation/win_file_permission_modifications.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1222.001 - attack.t1222 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml index 8f30c99a..8e25fec6 100644 --- a/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml @@ -53,3 +53,4 @@ tags: - attack.t1003.005 - attack.t1003 - car.2013-07-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_adcspwn.yml b/rules/sigma/process_creation/win_hack_adcspwn.yml index 43a825dd..2ef74deb 100644 --- a/rules/sigma/process_creation/win_hack_adcspwn.yml +++ b/rules/sigma/process_creation/win_hack_adcspwn.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.credential_access - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_bloodhound.yml b/rules/sigma/process_creation/win_hack_bloodhound.yml index d3da3091..82f12d3a 100644 --- a/rules/sigma/process_creation/win_hack_bloodhound.yml +++ b/rules/sigma/process_creation/win_hack_bloodhound.yml @@ -51,3 +51,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_koadic.yml b/rules/sigma/process_creation/win_hack_koadic.yml index eead4fd1..d3908f08 100644 --- a/rules/sigma/process_creation/win_hack_koadic.yml +++ b/rules/sigma/process_creation/win_hack_koadic.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_rubeus.yml b/rules/sigma/process_creation/win_hack_rubeus.yml index 5c15df58..5ac072d5 100644 --- a/rules/sigma/process_creation/win_hack_rubeus.yml +++ b/rules/sigma/process_creation/win_hack_rubeus.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1550.003 - attack.t1097 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_secutyxploded.yml b/rules/sigma/process_creation/win_hack_secutyxploded.yml index 26c695ef..c529e825 100644 --- a/rules/sigma/process_creation/win_hack_secutyxploded.yml +++ b/rules/sigma/process_creation/win_hack_secutyxploded.yml @@ -30,3 +30,4 @@ tags: - attack.t1555 - attack.t1003 - attack.t1503 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hh_chm.yml b/rules/sigma/process_creation/win_hh_chm.yml index 679fd8a6..eaf5952d 100644 --- a/rules/sigma/process_creation/win_hh_chm.yml +++ b/rules/sigma/process_creation/win_hh_chm.yml @@ -32,3 +32,4 @@ tags: - attack.t1218.001 - attack.execution - attack.t1223 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml index 585eb4a5..92efeb1c 100644 --- a/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml @@ -32,3 +32,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hktl_createminidump.yml b/rules/sigma/process_creation/win_hktl_createminidump.yml index e24d8d32..3b749c27 100644 --- a/rules/sigma/process_creation/win_hktl_createminidump.yml +++ b/rules/sigma/process_creation/win_hktl_createminidump.yml @@ -27,3 +27,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml index 46f9e476..d6c5058b 100644 --- a/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml +++ b/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_html_help_spawn.yml b/rules/sigma/process_creation/win_html_help_spawn.yml index f16b4fb7..b2afb198 100644 --- a/rules/sigma/process_creation/win_html_help_spawn.yml +++ b/rules/sigma/process_creation/win_html_help_spawn.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hwp_exploits.yml b/rules/sigma/process_creation/win_hwp_exploits.yml index 5900bb75..750d8b15 100644 --- a/rules/sigma/process_creation/win_hwp_exploits.yml +++ b/rules/sigma/process_creation/win_hwp_exploits.yml @@ -36,3 +36,4 @@ tags: - attack.t1059.003 - attack.t1059 - attack.g0032 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_impacket_compiled_tools.yml b/rules/sigma/process_creation/win_impacket_compiled_tools.yml index 5653b928..3ff46142 100644 --- a/rules/sigma/process_creation/win_impacket_compiled_tools.yml +++ b/rules/sigma/process_creation/win_impacket_compiled_tools.yml @@ -60,3 +60,4 @@ status: experimental tags: - attack.execution - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_impacket_lateralization.yml b/rules/sigma/process_creation/win_impacket_lateralization.yml index 6f157258..a9a1598c 100644 --- a/rules/sigma/process_creation/win_impacket_lateralization.yml +++ b/rules/sigma/process_creation/win_impacket_lateralization.yml @@ -56,3 +56,4 @@ tags: - attack.t1175 - attack.t1021.003 - attack.t1021 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_indirect_cmd.yml b/rules/sigma/process_creation/win_indirect_cmd.yml index e7e6de9d..a8e83504 100644 --- a/rules/sigma/process_creation/win_indirect_cmd.yml +++ b/rules/sigma/process_creation/win_indirect_cmd.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml index 03b99b13..0515a198 100644 --- a/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml +++ b/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml b/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml index 5fba8e96..90e4a59c 100644 --- a/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1546.008 - attack.t1015 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_interactive_at.yml b/rules/sigma/process_creation/win_interactive_at.yml index 7e2c101c..f6edcbce 100644 --- a/rules/sigma/process_creation/win_interactive_at.yml +++ b/rules/sigma/process_creation/win_interactive_at.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - attack.t1053.002 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml b/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml index 6638eeac..10be869f 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index a95029dd..6e8d96aa 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -38,3 +38,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml b/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml index fef0cadc..560f1daa 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_var.yml b/rules/sigma/process_creation/win_invoke_obfuscation_var.yml index 5479f07a..71dec6bf 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_var.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_var.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml index 34f30fa7..ac865dda 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml index dedb22ae..fc36204c 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml index 8cee1ab8..893c5d97 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml index dc8943f5..1fecd4f8 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index b737c688..cbc56261 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 6a2a7b9a..5dc8f6d9 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml index 13ded1d9..04549739 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lethalhta.yml b/rules/sigma/process_creation/win_lethalhta.yml index 3a621ee0..a8b24a15 100644 --- a/rules/sigma/process_creation/win_lethalhta.yml +++ b/rules/sigma/process_creation/win_lethalhta.yml @@ -27,3 +27,4 @@ tags: - attack.t1218.005 - attack.execution - attack.t1170 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml b/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml index 06cc042c..3108ad6f 100644 --- a/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml @@ -78,3 +78,4 @@ tags: - attack.t1033 - attack.t1087.001 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml index e3af2ec2..9e96d554 100644 --- a/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml @@ -32,3 +32,4 @@ tags: - attack.execution - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml b/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml index b794867f..2f048be2 100644 --- a/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lsass_dump.yml b/rules/sigma/process_creation/win_lsass_dump.yml index cb5bfa34..783d6508 100644 --- a/rules/sigma/process_creation/win_lsass_dump.yml +++ b/rules/sigma/process_creation/win_lsass_dump.yml @@ -43,3 +43,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mal_adwind.yml b/rules/sigma/process_creation/win_mal_adwind.yml index 47f8ff2e..059886e7 100644 --- a/rules/sigma/process_creation/win_mal_adwind.yml +++ b/rules/sigma/process_creation/win_mal_adwind.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti.yml b/rules/sigma/process_creation/win_malware_conti.yml index 3ea05012..ae2c8fcc 100644 --- a/rules/sigma/process_creation/win_malware_conti.yml +++ b/rules/sigma/process_creation/win_malware_conti.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti_7zip.yml b/rules/sigma/process_creation/win_malware_conti_7zip.yml index 4961b844..80b54994 100644 --- a/rules/sigma/process_creation/win_malware_conti_7zip.yml +++ b/rules/sigma/process_creation/win_malware_conti_7zip.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.collection - attack.t1560 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml b/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml index 14bfb6b2..73ef1ef9 100644 --- a/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_dridex.yml b/rules/sigma/process_creation/win_malware_dridex.yml index 23962991..a4e7ecd1 100644 --- a/rules/sigma/process_creation/win_malware_dridex.yml +++ b/rules/sigma/process_creation/win_malware_dridex.yml @@ -46,3 +46,4 @@ tags: - attack.discovery - attack.t1135 - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_dtrack.yml b/rules/sigma/process_creation/win_malware_dtrack.yml index ffef1743..77a1657c 100644 --- a/rules/sigma/process_creation/win_malware_dtrack.yml +++ b/rules/sigma/process_creation/win_malware_dtrack.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_emotet.yml b/rules/sigma/process_creation/win_malware_emotet.yml index 5a075efe..5bbf0ef9 100644 --- a/rules/sigma/process_creation/win_malware_emotet.yml +++ b/rules/sigma/process_creation/win_malware_emotet.yml @@ -41,3 +41,4 @@ tags: - attack.t1086 - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_formbook.yml b/rules/sigma/process_creation/win_malware_formbook.yml index a898d572..a254954f 100644 --- a/rules/sigma/process_creation/win_malware_formbook.yml +++ b/rules/sigma/process_creation/win_malware_formbook.yml @@ -61,3 +61,4 @@ status: experimental tags: - attack.develop_capabilities - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_notpetya.yml b/rules/sigma/process_creation/win_malware_notpetya.yml index 88af539a..32138ad6 100644 --- a/rules/sigma/process_creation/win_malware_notpetya.yml +++ b/rules/sigma/process_creation/win_malware_notpetya.yml @@ -46,3 +46,4 @@ tags: - attack.t1003.001 - attack.t1003 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_qbot.yml b/rules/sigma/process_creation/win_malware_qbot.yml index 335dc265..c86ef187 100644 --- a/rules/sigma/process_creation/win_malware_qbot.yml +++ b/rules/sigma/process_creation/win_malware_qbot.yml @@ -40,3 +40,4 @@ tags: - attack.t1059.005 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_ryuk.yml b/rules/sigma/process_creation/win_malware_ryuk.yml index 75b4c7f3..68cf8730 100644 --- a/rules/sigma/process_creation/win_malware_ryuk.yml +++ b/rules/sigma/process_creation/win_malware_ryuk.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_script_dropper.yml b/rules/sigma/process_creation/win_malware_script_dropper.yml index e72e89e0..663aeac7 100644 --- a/rules/sigma/process_creation/win_malware_script_dropper.yml +++ b/rules/sigma/process_creation/win_malware_script_dropper.yml @@ -44,3 +44,4 @@ tags: - attack.t1059.007 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml b/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml index 0d40f63d..e486ea85 100644 --- a/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.discovery - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml b/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml index c65c3862..3c074dc3 100644 --- a/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml +++ b/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1559 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_wannacry.yml b/rules/sigma/process_creation/win_malware_wannacry.yml index effc56e5..ae3c8781 100644 --- a/rules/sigma/process_creation/win_malware_wannacry.yml +++ b/rules/sigma/process_creation/win_malware_wannacry.yml @@ -82,3 +82,4 @@ tags: - attack.impact - attack.t1486 - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_manage_bde_lolbas.yml b/rules/sigma/process_creation/win_manage_bde_lolbas.yml index 359be25f..c385b705 100644 --- a/rules/sigma/process_creation/win_manage_bde_lolbas.yml +++ b/rules/sigma/process_creation/win_manage_bde_lolbas.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mavinject_proc_inj.yml b/rules/sigma/process_creation/win_mavinject_proc_inj.yml index 07da4807..98d8f939 100644 --- a/rules/sigma/process_creation/win_mavinject_proc_inj.yml +++ b/rules/sigma/process_creation/win_mavinject_proc_inj.yml @@ -26,3 +26,4 @@ tags: - attack.t1055 - attack.t1055.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index c8944626..fe399755 100644 --- a/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -67,3 +67,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mimikatz_command_line.yml b/rules/sigma/process_creation/win_mimikatz_command_line.yml index 08d650a8..0a86eee3 100644 --- a/rules/sigma/process_creation/win_mimikatz_command_line.yml +++ b/rules/sigma/process_creation/win_mimikatz_command_line.yml @@ -44,3 +44,4 @@ tags: - attack.t1003.004 - attack.t1003.005 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mmc_spawn_shell.yml b/rules/sigma/process_creation/win_mmc_spawn_shell.yml index f23e77c2..65cd66d0 100644 --- a/rules/sigma/process_creation/win_mmc_spawn_shell.yml +++ b/rules/sigma/process_creation/win_mmc_spawn_shell.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1175 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml index b20dba40..b488ca62 100644 --- a/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml @@ -32,3 +32,4 @@ tags: - attack.t1543.003 - attack.t1058 - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml index 3b184a5f..a7f46669 100644 --- a/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml +++ b/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mouse_lock.yml b/rules/sigma/process_creation/win_mouse_lock.yml index e483223f..a0444812 100644 --- a/rules/sigma/process_creation/win_mouse_lock.yml +++ b/rules/sigma/process_creation/win_mouse_lock.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.collection - attack.t1056.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mshta_javascript.yml b/rules/sigma/process_creation/win_mshta_javascript.yml index e87ff501..46852f00 100644 --- a/rules/sigma/process_creation/win_mshta_javascript.yml +++ b/rules/sigma/process_creation/win_mshta_javascript.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1170 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mshta_spawn_shell.yml b/rules/sigma/process_creation/win_mshta_spawn_shell.yml index 6c624355..c47f3c3b 100644 --- a/rules/sigma/process_creation/win_mshta_spawn_shell.yml +++ b/rules/sigma/process_creation/win_mshta_spawn_shell.yml @@ -44,3 +44,4 @@ tags: - car.2013-02-003 - car.2013-03-001 - car.2014-04-003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_multiple_suspicious_cli.yml b/rules/sigma/process_creation/win_multiple_suspicious_cli.yml index 2b1029e7..0e60a2f8 100644 --- a/rules/sigma/process_creation/win_multiple_suspicious_cli.yml +++ b/rules/sigma/process_creation/win_multiple_suspicious_cli.yml @@ -63,3 +63,4 @@ tags: - car.2013-04-002 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_net_enum.yml b/rules/sigma/process_creation/win_net_enum.yml index 1ecb75c1..f592dc38 100644 --- a/rules/sigma/process_creation/win_net_enum.yml +++ b/rules/sigma/process_creation/win_net_enum.yml @@ -35,3 +35,4 @@ status: stable tags: - attack.discovery - attack.t1018 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_net_user_add.yml b/rules/sigma/process_creation/win_net_user_add.yml index d20f614c..ab20baf1 100644 --- a/rules/sigma/process_creation/win_net_user_add.yml +++ b/rules/sigma/process_creation/win_net_user_add.yml @@ -36,3 +36,4 @@ tags: - attack.persistence - attack.t1136 - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml b/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml index 10058033..36fbe1d5 100644 --- a/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_fw_add.yml b/rules/sigma/process_creation/win_netsh_fw_add.yml index 1b91cd52..861da866 100644 --- a/rules/sigma/process_creation/win_netsh_fw_add.yml +++ b/rules/sigma/process_creation/win_netsh_fw_add.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml b/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml index 4d14c024..1f0d4e05 100644 --- a/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml @@ -69,3 +69,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_packet_capture.yml b/rules/sigma/process_creation/win_netsh_packet_capture.yml index 4c010108..f1d2a627 100644 --- a/rules/sigma/process_creation/win_netsh_packet_capture.yml +++ b/rules/sigma/process_creation/win_netsh_packet_capture.yml @@ -29,3 +29,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_port_fwd.yml b/rules/sigma/process_creation/win_netsh_port_fwd.yml index bde31e3c..ed7d73e2 100644 --- a/rules/sigma/process_creation/win_netsh_port_fwd.yml +++ b/rules/sigma/process_creation/win_netsh_port_fwd.yml @@ -43,3 +43,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml b/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml index bcf10308..96fac741 100644 --- a/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml index d04d3e5a..ee236f4e 100644 --- a/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml +++ b/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml @@ -36,3 +36,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_network_sniffing.yml b/rules/sigma/process_creation/win_network_sniffing.yml index 5a12e598..2c6c6dfc 100644 --- a/rules/sigma/process_creation/win_network_sniffing.yml +++ b/rules/sigma/process_creation/win_network_sniffing.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.discovery - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_new_service_creation.yml b/rules/sigma/process_creation/win_new_service_creation.yml index c6ca9f15..045b6dfc 100644 --- a/rules/sigma/process_creation/win_new_service_creation.yml +++ b/rules/sigma/process_creation/win_new_service_creation.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_nltest_recon.yml b/rules/sigma/process_creation/win_nltest_recon.yml index 97a2516c..2a404f47 100644 --- a/rules/sigma/process_creation/win_nltest_recon.yml +++ b/rules/sigma/process_creation/win_nltest_recon.yml @@ -44,3 +44,4 @@ tags: - attack.discovery - attack.t1016 - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_non_interactive_powershell.yml b/rules/sigma/process_creation/win_non_interactive_powershell.yml index e874cbc5..baf938ed 100644 --- a/rules/sigma/process_creation/win_non_interactive_powershell.yml +++ b/rules/sigma/process_creation/win_non_interactive_powershell.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml b/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml index e9515007..b0504e87 100644 --- a/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml +++ b/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_office_shell.yml b/rules/sigma/process_creation/win_office_shell.yml index f0347cfe..7696f593 100644 --- a/rules/sigma/process_creation/win_office_shell.yml +++ b/rules/sigma/process_creation/win_office_shell.yml @@ -59,3 +59,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml index 1cc48bac..2f13cf2d 100644 --- a/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -43,3 +43,4 @@ tags: - attack.t1204.002 - attack.g0046 - car.2013-05-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml index 2affa1c2..56d409b2 100644 --- a/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml +++ b/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml index 8569767d..08811692 100644 --- a/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml +++ b/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml b/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml index b3181d2b..7f37650e 100644 --- a/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml +++ b/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml index 12b1c1a4..9c4ea7cc 100644 --- a/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml +++ b/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.execution - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_zipexec.yml b/rules/sigma/process_creation/win_pc_susp_zipexec.yml index 368f8e5b..c7093b3b 100644 --- a/rules/sigma/process_creation/win_pc_susp_zipexec.yml +++ b/rules/sigma/process_creation/win_pc_susp_zipexec.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml b/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml index 9ded65bd..3c6ec290 100644 --- a/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml @@ -105,3 +105,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_possible_applocker_bypass.yml b/rules/sigma/process_creation/win_possible_applocker_bypass.yml index 34a03c59..4cf64c6c 100644 --- a/rules/sigma/process_creation/win_possible_applocker_bypass.yml +++ b/rules/sigma/process_creation/win_possible_applocker_bypass.yml @@ -43,3 +43,4 @@ tags: - attack.t1170 - attack.t1218.005 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml index 4f6dc54e..528f12e3 100644 --- a/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml +++ b/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml @@ -38,3 +38,4 @@ tags: - attack.privilege_escalation - attack.t1058 - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_amsi_bypass.yml b/rules/sigma/process_creation/win_powershell_amsi_bypass.yml index 6d2dc3bd..0b5bcdfc 100644 --- a/rules/sigma/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/sigma/process_creation/win_powershell_amsi_bypass.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_audio_capture.yml b/rules/sigma/process_creation/win_powershell_audio_capture.yml index df058cdd..582e0de9 100644 --- a/rules/sigma/process_creation/win_powershell_audio_capture.yml +++ b/rules/sigma/process_creation/win_powershell_audio_capture.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_b64_shellcode.yml b/rules/sigma/process_creation/win_powershell_b64_shellcode.yml index 5e08a0e9..9104ff9f 100644 --- a/rules/sigma/process_creation/win_powershell_b64_shellcode.yml +++ b/rules/sigma/process_creation/win_powershell_b64_shellcode.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_bitsjob.yml b/rules/sigma/process_creation/win_powershell_bitsjob.yml index bb8f93d9..d5fcfcba 100644 --- a/rules/sigma/process_creation/win_powershell_bitsjob.yml +++ b/rules/sigma/process_creation/win_powershell_bitsjob.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml b/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml index 656384b5..b31177c7 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml @@ -53,3 +53,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml b/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml index d4934af9..7485d0de 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml @@ -35,3 +35,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml b/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml index e79b7e2a..37f9f263 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml @@ -57,3 +57,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_defender_exclusion.yml b/rules/sigma/process_creation/win_powershell_defender_exclusion.yml index 5327a7a0..ac097a3a 100644 --- a/rules/sigma/process_creation/win_powershell_defender_exclusion.yml +++ b/rules/sigma/process_creation/win_powershell_defender_exclusion.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_disable_windef_av.yml b/rules/sigma/process_creation/win_powershell_disable_windef_av.yml index 4722b8e3..99fc958d 100644 --- a/rules/sigma/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/sigma/process_creation/win_powershell_disable_windef_av.yml @@ -47,3 +47,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_dll_execution.yml b/rules/sigma/process_creation/win_powershell_dll_execution.yml index 387ab490..b46dff39 100644 --- a/rules/sigma/process_creation/win_powershell_dll_execution.yml +++ b/rules/sigma/process_creation/win_powershell_dll_execution.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_downgrade_attack.yml b/rules/sigma/process_creation/win_powershell_downgrade_attack.yml index e54b24ef..67e15ddc 100644 --- a/rules/sigma/process_creation/win_powershell_downgrade_attack.yml +++ b/rules/sigma/process_creation/win_powershell_downgrade_attack.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_download.yml b/rules/sigma/process_creation/win_powershell_download.yml index c8fcabbf..ab08f8e4 100644 --- a/rules/sigma/process_creation/win_powershell_download.yml +++ b/rules/sigma/process_creation/win_powershell_download.yml @@ -36,3 +36,4 @@ tags: - attack.t1086 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_frombase64string.yml b/rules/sigma/process_creation/win_powershell_frombase64string.yml index 7d70c8e8..03c47c24 100644 --- a/rules/sigma/process_creation/win_powershell_frombase64string.yml +++ b/rules/sigma/process_creation/win_powershell_frombase64string.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml b/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml index 41f3e59b..6fc6e72c 100644 --- a/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml index 96119cd3..b349a7c7 100644 --- a/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -67,3 +67,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_xor_commandline.yml b/rules/sigma/process_creation/win_powershell_xor_commandline.yml index ba29864c..1146a19c 100644 --- a/rules/sigma/process_creation/win_powershell_xor_commandline.yml +++ b/rules/sigma/process_creation/win_powershell_xor_commandline.yml @@ -32,3 +32,4 @@ tags: - attack.t1059.001 - attack.t1140 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml b/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml index 59a90334..e3aa2259 100644 --- a/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml @@ -54,3 +54,4 @@ tags: - car.2013-08-001 - attack.t1053.005 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_proc_wrong_parent.yml b/rules/sigma/process_creation/win_proc_wrong_parent.yml index f4732826..527b8aaa 100644 --- a/rules/sigma/process_creation/win_proc_wrong_parent.yml +++ b/rules/sigma/process_creation/win_proc_wrong_parent.yml @@ -52,3 +52,4 @@ tags: - attack.t1036 - attack.t1036.003 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_procdump.yml b/rules/sigma/process_creation/win_procdump.yml index 27abc1b2..ba8d94c8 100644 --- a/rules/sigma/process_creation/win_procdump.yml +++ b/rules/sigma/process_creation/win_procdump.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml b/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml index 53299119..749805ec 100644 --- a/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml @@ -48,3 +48,4 @@ tags: - attack.t1197 - attack.s0190 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml b/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml index d3346f1c..71371bf2 100644 --- a/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml +++ b/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml index f1585f88..d3f232d7 100644 --- a/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -31,3 +31,4 @@ tags: - attack.t1003 - car.2013-05-009 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_psexesvc_start.yml b/rules/sigma/process_creation/win_psexesvc_start.yml index f42e6c54..05ce187d 100644 --- a/rules/sigma/process_creation/win_psexesvc_start.yml +++ b/rules/sigma/process_creation/win_psexesvc_start.yml @@ -23,3 +23,4 @@ tags: - attack.t1035 - attack.s0029 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_purplesharp_indicators.yml b/rules/sigma/process_creation/win_purplesharp_indicators.yml index 7f1b2229..a2878b4b 100644 --- a/rules/sigma/process_creation/win_purplesharp_indicators.yml +++ b/rules/sigma/process_creation/win_purplesharp_indicators.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1587 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_query_registry.yml b/rules/sigma/process_creation/win_query_registry.yml index 5aae1241..b234c5fe 100644 --- a/rules/sigma/process_creation/win_query_registry.yml +++ b/rules/sigma/process_creation/win_query_registry.yml @@ -48,3 +48,4 @@ tags: - attack.discovery - attack.t1012 - attack.t1007 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rasautou_dll_execution.yml b/rules/sigma/process_creation/win_rasautou_dll_execution.yml index e4de4dbb..f227df12 100644 --- a/rules/sigma/process_creation/win_rasautou_dll_execution.yml +++ b/rules/sigma/process_creation/win_rasautou_dll_execution.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml b/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml index a6286db7..c163bc3e 100644 --- a/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml +++ b/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1563.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml b/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml index 6b83a6b6..4add0c60 100644 --- a/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml +++ b/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml @@ -34,3 +34,4 @@ tags: - attack.t1106 - attack.t1059.003 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_reg_add_run_key.yml b/rules/sigma/process_creation/win_reg_add_run_key.yml index eb7d6de2..64ef082f 100644 --- a/rules/sigma/process_creation/win_reg_add_run_key.yml +++ b/rules/sigma/process_creation/win_reg_add_run_key.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_export_critical_keys.yml b/rules/sigma/process_creation/win_regedit_export_critical_keys.yml index 749a600e..36a460f3 100644 --- a/rules/sigma/process_creation/win_regedit_export_critical_keys.yml +++ b/rules/sigma/process_creation/win_regedit_export_critical_keys.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.exfiltration - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_export_keys.yml b/rules/sigma/process_creation/win_regedit_export_keys.yml index 57c6783a..caef01b6 100644 --- a/rules/sigma/process_creation/win_regedit_export_keys.yml +++ b/rules/sigma/process_creation/win_regedit_export_keys.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.exfiltration - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_import_keys.yml b/rules/sigma/process_creation/win_regedit_import_keys.yml index c9c18c20..f172e8f3 100644 --- a/rules/sigma/process_creation/win_regedit_import_keys.yml +++ b/rules/sigma/process_creation/win_regedit_import_keys.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_import_keys_ads.yml b/rules/sigma/process_creation/win_regedit_import_keys_ads.yml index 72b9ccb1..f6bd79ae 100644 --- a/rules/sigma/process_creation/win_regedit_import_keys_ads.yml +++ b/rules/sigma/process_creation/win_regedit_import_keys_ads.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regini.yml b/rules/sigma/process_creation/win_regini.yml index ab7e1d70..83f0910a 100644 --- a/rules/sigma/process_creation/win_regini.yml +++ b/rules/sigma/process_creation/win_regini.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regini_ads.yml b/rules/sigma/process_creation/win_regini_ads.yml index b0e7422c..523b72e9 100644 --- a/rules/sigma/process_creation/win_regini_ads.yml +++ b/rules/sigma/process_creation/win_regini_ads.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_remote_powershell_session_process.yml b/rules/sigma/process_creation/win_remote_powershell_session_process.yml index 45b82709..f7a454e9 100644 --- a/rules/sigma/process_creation/win_remote_powershell_session_process.yml +++ b/rules/sigma/process_creation/win_remote_powershell_session_process.yml @@ -33,3 +33,4 @@ tags: - attack.t1086 - attack.t1059.001 - attack.t1021.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_remote_time_discovery.yml b/rules/sigma/process_creation/win_remote_time_discovery.yml index a4e6e30b..52de2534 100644 --- a/rules/sigma/process_creation/win_remote_time_discovery.yml +++ b/rules/sigma/process_creation/win_remote_time_discovery.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.discovery - attack.t1124 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_binary.yml b/rules/sigma/process_creation/win_renamed_binary.yml index 8863cd80..248f0dd6 100644 --- a/rules/sigma/process_creation/win_renamed_binary.yml +++ b/rules/sigma/process_creation/win_renamed_binary.yml @@ -71,3 +71,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml b/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml index 1907cce3..c4266ec9 100644 --- a/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml +++ b/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml @@ -56,3 +56,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_jusched.yml b/rules/sigma/process_creation/win_renamed_jusched.yml index 22f1b7fa..8852e916 100644 --- a/rules/sigma/process_creation/win_renamed_jusched.yml +++ b/rules/sigma/process_creation/win_renamed_jusched.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_megasync.yml b/rules/sigma/process_creation/win_renamed_megasync.yml index 1e88f243..605520be 100644 --- a/rules/sigma/process_creation/win_renamed_megasync.yml +++ b/rules/sigma/process_creation/win_renamed_megasync.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_paexec.yml b/rules/sigma/process_creation/win_renamed_paexec.yml index 80bb0aab..f58777ef 100644 --- a/rules/sigma/process_creation/win_renamed_paexec.yml +++ b/rules/sigma/process_creation/win_renamed_paexec.yml @@ -40,3 +40,4 @@ tags: - attack.t1036.003 - attack.g0046 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_powershell.yml b/rules/sigma/process_creation/win_renamed_powershell.yml index 34e4de1b..e9ddecde 100644 --- a/rules/sigma/process_creation/win_renamed_powershell.yml +++ b/rules/sigma/process_creation/win_renamed_powershell.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_procdump.yml b/rules/sigma/process_creation/win_renamed_procdump.yml index ed25b8f5..1f585505 100644 --- a/rules/sigma/process_creation/win_renamed_procdump.yml +++ b/rules/sigma/process_creation/win_renamed_procdump.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_psexec.yml b/rules/sigma/process_creation/win_renamed_psexec.yml index bf14a6b0..1a981867 100644 --- a/rules/sigma/process_creation/win_renamed_psexec.yml +++ b/rules/sigma/process_creation/win_renamed_psexec.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_whoami.yml b/rules/sigma/process_creation/win_renamed_whoami.yml index 7de993ab..b86506db 100644 --- a/rules/sigma/process_creation/win_renamed_whoami.yml +++ b/rules/sigma/process_creation/win_renamed_whoami.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml b/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml index b92d04fb..cb3f8cc7 100644 --- a/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml +++ b/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1096 - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml index 81cf3560..a19c2d59 100644 --- a/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml +++ b/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_virtualbox.yml b/rules/sigma/process_creation/win_run_virtualbox.yml index 073552cd..d07a0a48 100644 --- a/rules/sigma/process_creation/win_run_virtualbox.yml +++ b/rules/sigma/process_creation/win_run_virtualbox.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1564.006 - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rundll32_without_parameters.yml b/rules/sigma/process_creation/win_rundll32_without_parameters.yml index e25ffcaa..784b34c7 100644 --- a/rules/sigma/process_creation/win_rundll32_without_parameters.yml +++ b/rules/sigma/process_creation/win_rundll32_without_parameters.yml @@ -32,3 +32,4 @@ tags: - attack.t1570 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_script_event_consumer_spawn.yml b/rules/sigma/process_creation/win_script_event_consumer_spawn.yml index d73d7a2c..7e7fb735 100644 --- a/rules/sigma/process_creation/win_script_event_consumer_spawn.yml +++ b/rules/sigma/process_creation/win_script_event_consumer_spawn.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml b/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml index d300eb18..687f3378 100644 --- a/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.t1546.011 - attack.t1138 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_service_execution.yml b/rules/sigma/process_creation/win_service_execution.yml index 6c923f4a..935b2889 100644 --- a/rules/sigma/process_creation/win_service_execution.yml +++ b/rules/sigma/process_creation/win_service_execution.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_service_stop.yml b/rules/sigma/process_creation/win_service_stop.yml index e38dab39..1241c8a7 100644 --- a/rules/sigma/process_creation/win_service_stop.yml +++ b/rules/sigma/process_creation/win_service_stop.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.impact - attack.t1489 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml b/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml index 94e55433..3ddac79f 100644 --- a/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml +++ b/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml @@ -27,3 +27,4 @@ tags: - attack.t1003 - attack.t1003.002 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_creation.yml b/rules/sigma/process_creation/win_shadow_copies_creation.yml index 34a1cb88..bc1ff2d6 100644 --- a/rules/sigma/process_creation/win_shadow_copies_creation.yml +++ b/rules/sigma/process_creation/win_shadow_copies_creation.yml @@ -33,3 +33,4 @@ tags: - attack.t1003 - attack.t1003.002 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_deletion.yml b/rules/sigma/process_creation/win_shadow_copies_deletion.yml index e6d6f8de..dd564216 100644 --- a/rules/sigma/process_creation/win_shadow_copies_deletion.yml +++ b/rules/sigma/process_creation/win_shadow_copies_deletion.yml @@ -64,3 +64,4 @@ tags: - attack.impact - attack.t1070 - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shell_spawn_mshta.yml b/rules/sigma/process_creation/win_shell_spawn_mshta.yml index 8e807b6e..1399cccd 100644 --- a/rules/sigma/process_creation/win_shell_spawn_mshta.yml +++ b/rules/sigma/process_creation/win_shell_spawn_mshta.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shell_spawn_susp_program.yml b/rules/sigma/process_creation/win_shell_spawn_susp_program.yml index 4a84307c..2b4a3776 100644 --- a/rules/sigma/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/sigma/process_creation/win_shell_spawn_susp_program.yml @@ -46,3 +46,4 @@ tags: - attack.t1059.005 - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_silenttrinity_stage_use.yml b/rules/sigma/process_creation/win_silenttrinity_stage_use.yml index f617b04a..f0ec5a59 100644 --- a/rules/sigma/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/sigma/process_creation/win_silenttrinity_stage_use.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_soundrec_audio_capture.yml b/rules/sigma/process_creation/win_soundrec_audio_capture.yml index 30b9c394..29b404dd 100644 --- a/rules/sigma/process_creation/win_soundrec_audio_capture.yml +++ b/rules/sigma/process_creation/win_soundrec_audio_capture.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_spn_enum.yml b/rules/sigma/process_creation/win_spn_enum.yml index 24b49e05..4f415e61 100644 --- a/rules/sigma/process_creation/win_spn_enum.yml +++ b/rules/sigma/process_creation/win_spn_enum.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1558.003 - attack.t1208 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 0d12159f..f8683c4f 100644 --- a/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -31,3 +31,4 @@ tags: - attack.t1015 - attack.t1546.008 - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sus_auditpol_usage.yml b/rules/sigma/process_creation/win_sus_auditpol_usage.yml index b9f50fe5..6044a107 100644 --- a/rules/sigma/process_creation/win_sus_auditpol_usage.yml +++ b/rules/sigma/process_creation/win_sus_auditpol_usage.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_adfind.yml b/rules/sigma/process_creation/win_susp_adfind.yml index fa161b2c..d6559fe2 100644 --- a/rules/sigma/process_creation/win_susp_adfind.yml +++ b/rules/sigma/process_creation/win_susp_adfind.yml @@ -35,3 +35,4 @@ tags: - attack.t1087.002 - attack.t1482 - attack.t1069.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_atbroker.yml b/rules/sigma/process_creation/win_susp_atbroker.yml index e4575d76..1d488f21 100644 --- a/rules/sigma/process_creation/win_susp_atbroker.yml +++ b/rules/sigma/process_creation/win_susp_atbroker.yml @@ -55,3 +55,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bcdedit.yml b/rules/sigma/process_creation/win_susp_bcdedit.yml index 6d7e22f8..7ed14ab1 100644 --- a/rules/sigma/process_creation/win_susp_bcdedit.yml +++ b/rules/sigma/process_creation/win_susp_bcdedit.yml @@ -32,3 +32,4 @@ tags: - attack.persistence - attack.t1542.003 - attack.t1067 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bginfo.yml b/rules/sigma/process_creation/win_susp_bginfo.yml index a11e9408..5374400c 100644 --- a/rules/sigma/process_creation/win_susp_bginfo.yml +++ b/rules/sigma/process_creation/win_susp_bginfo.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bitstransfer.yml b/rules/sigma/process_creation/win_susp_bitstransfer.yml index 617a2df5..e2544113 100644 --- a/rules/sigma/process_creation/win_susp_bitstransfer.yml +++ b/rules/sigma/process_creation/win_susp_bitstransfer.yml @@ -35,3 +35,4 @@ tags: - attack.exfiltration - attack.persistence - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_calc.yml b/rules/sigma/process_creation/win_susp_calc.yml index 41fc493f..dd1b859a 100644 --- a/rules/sigma/process_creation/win_susp_calc.yml +++ b/rules/sigma/process_creation/win_susp_calc.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cdb.yml b/rules/sigma/process_creation/win_susp_cdb.yml index 7ba506b2..b64aca41 100644 --- a/rules/sigma/process_creation/win_susp_cdb.yml +++ b/rules/sigma/process_creation/win_susp_cdb.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_certutil_command.yml b/rules/sigma/process_creation/win_susp_certutil_command.yml index 02aff336..d310d013 100644 --- a/rules/sigma/process_creation/win_susp_certutil_command.yml +++ b/rules/sigma/process_creation/win_susp_certutil_command.yml @@ -58,3 +58,4 @@ tags: - attack.g0049 - attack.g0075 - attack.g0096 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_certutil_encode.yml b/rules/sigma/process_creation/win_susp_certutil_encode.yml index c78521d5..ae6f3c17 100644 --- a/rules/sigma/process_creation/win_susp_certutil_encode.yml +++ b/rules/sigma/process_creation/win_susp_certutil_encode.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_child_process_as_system_.yml b/rules/sigma/process_creation/win_susp_child_process_as_system_.yml index aaa01fd6..224e5b32 100644 --- a/rules/sigma/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/sigma/process_creation/win_susp_child_process_as_system_.yml @@ -44,3 +44,4 @@ tags: - attack.privilege_escalation - attack.t1134 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cli_escape.yml b/rules/sigma/process_creation/win_susp_cli_escape.yml index c33b682a..a9b33c29 100644 --- a/rules/sigma/process_creation/win_susp_cli_escape.yml +++ b/rules/sigma/process_creation/win_susp_cli_escape.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1140 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml b/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml index d6f6e55b..80900c67 100644 --- a/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.001 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml index 53d62e27..c90bd4e8 100644 --- a/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_codepage_switch.yml b/rules/sigma/process_creation/win_susp_codepage_switch.yml index 7ef415cd..e9d9a8fc 100644 --- a/rules/sigma/process_creation/win_susp_codepage_switch.yml +++ b/rules/sigma/process_creation/win_susp_codepage_switch.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1036 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_commands_recon_activity.yml b/rules/sigma/process_creation/win_susp_commands_recon_activity.yml index 983f7a7a..c40ac091 100644 --- a/rules/sigma/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/sigma/process_creation/win_susp_commands_recon_activity.yml @@ -49,3 +49,4 @@ tags: - attack.t1087 - attack.t1082 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_compression_params.yml b/rules/sigma/process_creation/win_susp_compression_params.yml index 29335439..c2330d1b 100644 --- a/rules/sigma/process_creation/win_susp_compression_params.yml +++ b/rules/sigma/process_creation/win_susp_compression_params.yml @@ -40,3 +40,4 @@ tags: - attack.exfiltration - attack.t1020 - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml b/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml index 154bff4c..ad450f29 100644 --- a/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_conhost.yml b/rules/sigma/process_creation/win_susp_conhost.yml index ccf456d7..9acbf50d 100644 --- a/rules/sigma/process_creation/win_susp_conhost.yml +++ b/rules/sigma/process_creation/win_susp_conhost.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml b/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml index 03aaa648..296b47b7 100644 --- a/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_control_dll_load.yml b/rules/sigma/process_creation/win_susp_control_dll_load.yml index c9262984..65537df4 100644 --- a/rules/sigma/process_creation/win_susp_control_dll_load.yml +++ b/rules/sigma/process_creation/win_susp_control_dll_load.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml b/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml index ae70e66e..ac84dd49 100644 --- a/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml @@ -52,3 +52,4 @@ tags: - attack.t1105 - attack.t1048 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_copy_system32.yml b/rules/sigma/process_creation/win_susp_copy_system32.yml index 8c5596c3..c20be8f9 100644 --- a/rules/sigma/process_creation/win_susp_copy_system32.yml +++ b/rules/sigma/process_creation/win_susp_copy_system32.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_covenant.yml b/rules/sigma/process_creation/win_susp_covenant.yml index c47bcc43..beb20a76 100644 --- a/rules/sigma/process_creation/win_susp_covenant.yml +++ b/rules/sigma/process_creation/win_susp_covenant.yml @@ -40,3 +40,4 @@ tags: - attack.t1059.001 - attack.t1564.003 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml b/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml index 277f8a50..e0a34355 100644 --- a/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.001 - attack.s0106 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index e7d75b21..024851fe 100644 --- a/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml @@ -40,3 +40,4 @@ tags: - attack.t1027.005 - attack.t1027 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csc.yml b/rules/sigma/process_creation/win_susp_csc.yml index 2c883a5c..9a62d434 100644 --- a/rules/sigma/process_creation/win_susp_csc.yml +++ b/rules/sigma/process_creation/win_susp_csc.yml @@ -34,3 +34,4 @@ tags: - attack.t1500 - attack.t1218.005 - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csc_folder.yml b/rules/sigma/process_creation/win_susp_csc_folder.yml index 76a4c81b..5ababa6c 100644 --- a/rules/sigma/process_creation/win_susp_csc_folder.yml +++ b/rules/sigma/process_creation/win_susp_csc_folder.yml @@ -43,3 +43,4 @@ tags: - attack.defense_evasion - attack.t1500 - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csi.yml b/rules/sigma/process_creation/win_susp_csi.yml index 17d16643..7efec0c8 100644 --- a/rules/sigma/process_creation/win_susp_csi.yml +++ b/rules/sigma/process_creation/win_susp_csi.yml @@ -45,3 +45,4 @@ tags: - attack.t1072 - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_download.yml b/rules/sigma/process_creation/win_susp_curl_download.yml index ebe37152..b30d7811 100644 --- a/rules/sigma/process_creation/win_susp_curl_download.yml +++ b/rules/sigma/process_creation/win_susp_curl_download.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_fileupload.yml b/rules/sigma/process_creation/win_susp_curl_fileupload.yml index 7bdaccef..3a04fe5f 100644 --- a/rules/sigma/process_creation/win_susp_curl_fileupload.yml +++ b/rules/sigma/process_creation/win_susp_curl_fileupload.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_start_combo.yml b/rules/sigma/process_creation/win_susp_curl_start_combo.yml index 8f74e8dd..d7222ef7 100644 --- a/rules/sigma/process_creation/win_susp_curl_start_combo.yml +++ b/rules/sigma/process_creation/win_susp_curl_start_combo.yml @@ -31,3 +31,4 @@ tags: - attack.t1218 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml b/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml index 6395d703..f08246f2 100644 --- a/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml +++ b/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.t1055.001 - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml b/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml index 8a2b0c54..d835cde8 100644 --- a/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml +++ b/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_devtoolslauncher.yml b/rules/sigma/process_creation/win_susp_devtoolslauncher.yml index 9b6b6a0d..da072a61 100644 --- a/rules/sigma/process_creation/win_susp_devtoolslauncher.yml +++ b/rules/sigma/process_creation/win_susp_devtoolslauncher.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml index f9eef227..a1f5056c 100644 --- a/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_eventlog.yml b/rules/sigma/process_creation/win_susp_disable_eventlog.yml index 203ba0bb..5c633b4d 100644 --- a/rules/sigma/process_creation/win_susp_disable_eventlog.yml +++ b/rules/sigma/process_creation/win_susp_disable_eventlog.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_ie_features.yml b/rules/sigma/process_creation/win_susp_disable_ie_features.yml index d93a684c..51047ffa 100644 --- a/rules/sigma/process_creation/win_susp_disable_ie_features.yml +++ b/rules/sigma/process_creation/win_susp_disable_ie_features.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1089 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_raccine.yml b/rules/sigma/process_creation/win_susp_disable_raccine.yml index 3fdc59a9..2cb54f69 100644 --- a/rules/sigma/process_creation/win_susp_disable_raccine.yml +++ b/rules/sigma/process_creation/win_susp_disable_raccine.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_diskshadow.yml b/rules/sigma/process_creation/win_susp_diskshadow.yml index 00382b38..c421bafc 100644 --- a/rules/sigma/process_creation/win_susp_diskshadow.yml +++ b/rules/sigma/process_creation/win_susp_diskshadow.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ditsnap.yml b/rules/sigma/process_creation/win_susp_ditsnap.yml index d567ef9f..129afb8c 100644 --- a/rules/sigma/process_creation/win_susp_ditsnap.yml +++ b/rules/sigma/process_creation/win_susp_ditsnap.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003.003 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dnx.yml b/rules/sigma/process_creation/win_susp_dnx.yml index 3fd0469a..476e4498 100644 --- a/rules/sigma/process_creation/win_susp_dnx.yml +++ b/rules/sigma/process_creation/win_susp_dnx.yml @@ -26,3 +26,4 @@ tags: - attack.t1218 - attack.t1027.004 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_double_extension.yml b/rules/sigma/process_creation/win_susp_double_extension.yml index 2ec6bfbd..79be6245 100644 --- a/rules/sigma/process_creation/win_susp_double_extension.yml +++ b/rules/sigma/process_creation/win_susp_double_extension.yml @@ -37,3 +37,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dxcap.yml b/rules/sigma/process_creation/win_susp_dxcap.yml index 47e7bbee..f0790011 100644 --- a/rules/sigma/process_creation/win_susp_dxcap.yml +++ b/rules/sigma/process_creation/win_susp_dxcap.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml b/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml index c991b5c9..c64a7329 100644 --- a/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml +++ b/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_eventlog_clear.yml b/rules/sigma/process_creation/win_susp_eventlog_clear.yml index 4b49fff0..150808bc 100644 --- a/rules/sigma/process_creation/win_susp_eventlog_clear.yml +++ b/rules/sigma/process_creation/win_susp_eventlog_clear.yml @@ -48,3 +48,4 @@ tags: - attack.t1070.001 - attack.t1070 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_execution_path.yml b/rules/sigma/process_creation/win_susp_execution_path.yml index 172443e7..c94b47a9 100644 --- a/rules/sigma/process_creation/win_susp_execution_path.yml +++ b/rules/sigma/process_creation/win_susp_execution_path.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_execution_path_webserver.yml b/rules/sigma/process_creation/win_susp_execution_path_webserver.yml index 807db25d..850d15d1 100644 --- a/rules/sigma/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/sigma/process_creation/win_susp_execution_path_webserver.yml @@ -37,3 +37,4 @@ tags: - attack.persistence - attack.t1505.003 - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_explorer.yml b/rules/sigma/process_creation/win_susp_explorer.yml index 997eeac8..e2acd3fc 100644 --- a/rules/sigma/process_creation/win_susp_explorer.yml +++ b/rules/sigma/process_creation/win_susp_explorer.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml b/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml index 664249c6..b51b27fa 100644 --- a/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml +++ b/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_file_characteristics.yml b/rules/sigma/process_creation/win_susp_file_characteristics.yml index 91dd3b07..8e03c93c 100644 --- a/rules/sigma/process_creation/win_susp_file_characteristics.yml +++ b/rules/sigma/process_creation/win_susp_file_characteristics.yml @@ -39,3 +39,4 @@ tags: - attack.t1059.006 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml index c02e6c78..08acdaac 100644 --- a/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_findstr.yml b/rules/sigma/process_creation/win_susp_findstr.yml index be4e59b6..c6aa2a4d 100644 --- a/rules/sigma/process_creation/win_susp_findstr.yml +++ b/rules/sigma/process_creation/win_susp_findstr.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_findstr_lnk.yml b/rules/sigma/process_creation/win_susp_findstr_lnk.yml index 592dd6fd..4d8760ce 100644 --- a/rules/sigma/process_creation/win_susp_findstr_lnk.yml +++ b/rules/sigma/process_creation/win_susp_findstr_lnk.yml @@ -32,3 +32,4 @@ tags: - attack.t1036 - attack.t1202 - attack.t1027.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_finger_usage.yml b/rules/sigma/process_creation/win_susp_finger_usage.yml index d1e4cf27..04be3ea9 100644 --- a/rules/sigma/process_creation/win_susp_finger_usage.yml +++ b/rules/sigma/process_creation/win_susp_finger_usage.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_firewall_disable.yml b/rules/sigma/process_creation/win_susp_firewall_disable.yml index a35af3c7..c86787b5 100644 --- a/rules/sigma/process_creation/win_susp_firewall_disable.yml +++ b/rules/sigma/process_creation/win_susp_firewall_disable.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1562.004 - attack.s0108 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_fsutil_usage.yml b/rules/sigma/process_creation/win_susp_fsutil_usage.yml index a110a656..c58b6006 100644 --- a/rules/sigma/process_creation/win_susp_fsutil_usage.yml +++ b/rules/sigma/process_creation/win_susp_fsutil_usage.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ftp.yml b/rules/sigma/process_creation/win_susp_ftp.yml index 08cae4f2..2f4a5192 100644 --- a/rules/sigma/process_creation/win_susp_ftp.yml +++ b/rules/sigma/process_creation/win_susp_ftp.yml @@ -43,3 +43,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_gup.yml b/rules/sigma/process_creation/win_susp_gup.yml index 08c505f7..05add07f 100644 --- a/rules/sigma/process_creation/win_susp_gup.yml +++ b/rules/sigma/process_creation/win_susp_gup.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1574.002 - attack.t1073 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_iss_module_install.yml b/rules/sigma/process_creation/win_susp_iss_module_install.yml index 0938f179..dcbfb246 100644 --- a/rules/sigma/process_creation/win_susp_iss_module_install.yml +++ b/rules/sigma/process_creation/win_susp_iss_module_install.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1505.003 - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml b/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml index fac22b63..dfd6ca8a 100644 --- a/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml b/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml index 893c3b65..abe9d68d 100644 --- a/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml +++ b/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml @@ -33,3 +33,4 @@ tags: - attack.t1218 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mshta_pattern.yml b/rules/sigma/process_creation/win_susp_mshta_pattern.yml index 239b7e78..3ff795bd 100644 --- a/rules/sigma/process_creation/win_susp_mshta_pattern.yml +++ b/rules/sigma/process_creation/win_susp_mshta_pattern.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msiexec_cwd.yml b/rules/sigma/process_creation/win_susp_msiexec_cwd.yml index b900473b..b7fb39ce 100644 --- a/rules/sigma/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/sigma/process_creation/win_susp_msiexec_cwd.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msiexec_web_install.yml b/rules/sigma/process_creation/win_susp_msiexec_web_install.yml index 88c81834..72bf73f2 100644 --- a/rules/sigma/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/sigma/process_creation/win_susp_msiexec_web_install.yml @@ -28,3 +28,4 @@ tags: - attack.t1218.007 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msoffice.yml b/rules/sigma/process_creation/win_susp_msoffice.yml index bb5cdc64..da52ea01 100644 --- a/rules/sigma/process_creation/win_susp_msoffice.yml +++ b/rules/sigma/process_creation/win_susp_msoffice.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_net_execution.yml b/rules/sigma/process_creation/win_susp_net_execution.yml index 9fb32086..ceb2807b 100644 --- a/rules/sigma/process_creation/win_susp_net_execution.yml +++ b/rules/sigma/process_creation/win_susp_net_execution.yml @@ -55,3 +55,4 @@ tags: - attack.t1021.002 - attack.t1077 - attack.s0039 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml b/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml index 32aeed50..b61176d4 100644 --- a/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1546.007 - attack.s0108 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ngrok_pua.yml b/rules/sigma/process_creation/win_susp_ngrok_pua.yml index bc129893..61f3cadf 100644 --- a/rules/sigma/process_creation/win_susp_ngrok_pua.yml +++ b/rules/sigma/process_creation/win_susp_ngrok_pua.yml @@ -52,3 +52,4 @@ status: experimental tags: - attack.command_and_control - attack.t1572 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ntdsutil.yml b/rules/sigma/process_creation/win_susp_ntdsutil.yml index 192f82b4..d6a8c396 100644 --- a/rules/sigma/process_creation/win_susp_ntdsutil.yml +++ b/rules/sigma/process_creation/win_susp_ntdsutil.yml @@ -25,3 +25,4 @@ tags: - attack.credential_access - attack.t1003.003 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_odbcconf.yml b/rules/sigma/process_creation/win_susp_odbcconf.yml index 68157db6..70b54b4a 100644 --- a/rules/sigma/process_creation/win_susp_odbcconf.yml +++ b/rules/sigma/process_creation/win_susp_odbcconf.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.008 - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_openwith.yml b/rules/sigma/process_creation/win_susp_openwith.yml index 6b2b3907..364cce87 100644 --- a/rules/sigma/process_creation/win_susp_openwith.yml +++ b/rules/sigma/process_creation/win_susp_openwith.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_outlook.yml b/rules/sigma/process_creation/win_susp_outlook.yml index bab24a0c..d19163fe 100644 --- a/rules/sigma/process_creation/win_susp_outlook.yml +++ b/rules/sigma/process_creation/win_susp_outlook.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_outlook_temp.yml b/rules/sigma/process_creation/win_susp_outlook_temp.yml index 24628d62..de3e9fb5 100644 --- a/rules/sigma/process_creation/win_susp_outlook_temp.yml +++ b/rules/sigma/process_creation/win_susp_outlook_temp.yml @@ -25,3 +25,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_pcwutl.yml b/rules/sigma/process_creation/win_susp_pcwutl.yml index 716554e7..234ce7d6 100644 --- a/rules/sigma/process_creation/win_susp_pcwutl.yml +++ b/rules/sigma/process_creation/win_susp_pcwutl.yml @@ -30,3 +30,4 @@ tags: - attack.t1218.011 - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_pester.yml b/rules/sigma/process_creation/win_susp_pester.yml index c2a2a0b1..8d0abd08 100644 --- a/rules/sigma/process_creation/win_susp_pester.yml +++ b/rules/sigma/process_creation/win_susp_pester.yml @@ -42,3 +42,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ping_hex_ip.yml b/rules/sigma/process_creation/win_susp_ping_hex_ip.yml index 266671e6..fd7a6daf 100644 --- a/rules/sigma/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/sigma/process_creation/win_susp_ping_hex_ip.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml b/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml index 6e3cb74a..e35a128a 100644 --- a/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml index 55304b82..5efaf22c 100644 --- a/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml +++ b/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml @@ -31,3 +31,4 @@ tags: - attack.t1548.002 - attack.t1088 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml b/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml index 73876d7b..25148719 100644 --- a/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml @@ -58,3 +58,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml b/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml index 0438015e..bbbb5bad 100644 --- a/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml +++ b/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml @@ -25,3 +25,4 @@ tags: - attack.t1086 - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml index ed3d3a94..2f6c0b69 100644 --- a/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml +++ b/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 78f74daa..72b75736 100644 --- a/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml @@ -76,3 +76,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml b/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml index 16d37285..08017080 100644 --- a/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_parent_process.yml b/rules/sigma/process_creation/win_susp_powershell_parent_process.yml index 07f6e48f..40a80112 100644 --- a/rules/sigma/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/sigma/process_creation/win_susp_powershell_parent_process.yml @@ -64,3 +64,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_sam_access.yml b/rules/sigma/process_creation/win_susp_powershell_sam_access.yml index ded4bc3f..66b21927 100644 --- a/rules/sigma/process_creation/win_susp_powershell_sam_access.yml +++ b/rules/sigma/process_creation/win_susp_powershell_sam_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_print.yml b/rules/sigma/process_creation/win_susp_print.yml index 264ac846..f9c8ff9b 100644 --- a/rules/sigma/process_creation/win_susp_print.yml +++ b/rules/sigma/process_creation/win_susp_print.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_procdump.yml b/rules/sigma/process_creation/win_susp_procdump.yml index f8f4c8f3..93ddf935 100644 --- a/rules/sigma/process_creation/win_susp_procdump.yml +++ b/rules/sigma/process_creation/win_susp_procdump.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_procdump_lsass.yml b/rules/sigma/process_creation/win_susp_procdump_lsass.yml index fba4d8fc..3698e60e 100644 --- a/rules/sigma/process_creation/win_susp_procdump_lsass.yml +++ b/rules/sigma/process_creation/win_susp_procdump_lsass.yml @@ -37,3 +37,4 @@ tags: - attack.t1003.001 - attack.t1003 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ps_appdata.yml b/rules/sigma/process_creation/win_susp_ps_appdata.yml index 1ff47e55..8e9d7a34 100644 --- a/rules/sigma/process_creation/win_susp_ps_appdata.yml +++ b/rules/sigma/process_creation/win_susp_ps_appdata.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ps_downloadfile.yml b/rules/sigma/process_creation/win_susp_ps_downloadfile.yml index a3b540c4..fe12a56c 100644 --- a/rules/sigma/process_creation/win_susp_ps_downloadfile.yml +++ b/rules/sigma/process_creation/win_susp_ps_downloadfile.yml @@ -31,3 +31,4 @@ tags: - attack.command_and_control - attack.t1104 - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psexec_eula.yml b/rules/sigma/process_creation/win_susp_psexec_eula.yml index ccd05fd2..a8369a1c 100644 --- a/rules/sigma/process_creation/win_susp_psexec_eula.yml +++ b/rules/sigma/process_creation/win_susp_psexec_eula.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1569 - attack.t1021 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml b/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml index dd061f87..5bb2f951 100644 --- a/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml +++ b/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.develop_capabilities - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml b/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml index 967f57d7..2dc10ac9 100644 --- a/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml +++ b/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1113 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rar_flags.yml b/rules/sigma/process_creation/win_susp_rar_flags.yml index fc288237..0f1f8ff7 100644 --- a/rules/sigma/process_creation/win_susp_rar_flags.yml +++ b/rules/sigma/process_creation/win_susp_rar_flags.yml @@ -35,3 +35,4 @@ tags: - attack.t1560.001 - attack.exfiltration - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rasdial_activity.yml b/rules/sigma/process_creation/win_susp_rasdial_activity.yml index aaa83586..0bda6c47 100644 --- a/rules/sigma/process_creation/win_susp_rasdial_activity.yml +++ b/rules/sigma/process_creation/win_susp_rasdial_activity.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.t1059 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml b/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml index 9ebabbfa..8393f05d 100644 --- a/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1553 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rclone_execution.yml b/rules/sigma/process_creation/win_susp_rclone_execution.yml index d744b573..6504e07a 100644 --- a/rules/sigma/process_creation/win_susp_rclone_execution.yml +++ b/rules/sigma/process_creation/win_susp_rclone_execution.yml @@ -70,3 +70,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_recon_activity.yml b/rules/sigma/process_creation/win_susp_recon_activity.yml index 640b4a72..107a6814 100644 --- a/rules/sigma/process_creation/win_susp_recon_activity.yml +++ b/rules/sigma/process_creation/win_susp_recon_activity.yml @@ -38,3 +38,4 @@ tags: - attack.t1087.001 - attack.t1087.002 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml b/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml index bbf42839..671cc882 100644 --- a/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml +++ b/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml @@ -44,3 +44,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml index 8ed9110c..f450845e 100644 --- a/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_register_cimprovider.yml b/rules/sigma/process_creation/win_susp_register_cimprovider.yml index 57e4f7ec..24e47762 100644 --- a/rules/sigma/process_creation/win_susp_register_cimprovider.yml +++ b/rules/sigma/process_creation/win_susp_register_cimprovider.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1574 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_registration_via_cscript.yml b/rules/sigma/process_creation/win_susp_registration_via_cscript.yml index 82ca65dd..d5d61a1f 100644 --- a/rules/sigma/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/sigma/process_creation/win_susp_registration_via_cscript.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml b/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml index c2b633cc..cd876fd6 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml @@ -72,3 +72,4 @@ tags: - attack.t1117 - car.2019-04-002 - car.2019-04-003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml index a7e09aa0..aea3af33 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml b/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml index dc90051c..9e5cfa2a 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1574 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_dctask64.yml b/rules/sigma/process_creation/win_susp_renamed_dctask64.yml index ec05f3b8..c1d654bc 100644 --- a/rules/sigma/process_creation/win_susp_renamed_dctask64.yml +++ b/rules/sigma/process_creation/win_susp_renamed_dctask64.yml @@ -35,3 +35,4 @@ tags: - attack.t1055.001 - attack.t1202 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_debugview.yml b/rules/sigma/process_creation/win_susp_renamed_debugview.yml index 2bf85a4c..11afca8b 100644 --- a/rules/sigma/process_creation/win_susp_renamed_debugview.yml +++ b/rules/sigma/process_creation/win_susp_renamed_debugview.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_paexec.yml b/rules/sigma/process_creation/win_susp_renamed_paexec.yml index 3e10911f..d43935d9 100644 --- a/rules/sigma/process_creation/win_susp_renamed_paexec.yml +++ b/rules/sigma/process_creation/win_susp_renamed_paexec.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rpcping.yml b/rules/sigma/process_creation/win_susp_rpcping.yml index c4026f51..ed4c2bc2 100644 --- a/rules/sigma/process_creation/win_susp_rpcping.yml +++ b/rules/sigma/process_creation/win_susp_rpcping.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.credential_access - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_run_locations.yml b/rules/sigma/process_creation/win_susp_run_locations.yml index 33b1fd75..fdf5276a 100644 --- a/rules/sigma/process_creation/win_susp_run_locations.yml +++ b/rules/sigma/process_creation/win_susp_run_locations.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1036 - car.2013-05-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_activity.yml b/rules/sigma/process_creation/win_susp_rundll32_activity.yml index 9ae36460..c5aaa0b7 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_activity.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_activity.yml @@ -104,3 +104,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml index 989ce2eb..805f4e50 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml index 983dbdf5..896ac256 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_no_params.yml b/rules/sigma/process_creation/win_susp_rundll32_no_params.yml index da5fa0a8..668e28b9 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_no_params.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_no_params.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml index 7e67c2b5..7d954d8e 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_sys.yml b/rules/sigma/process_creation/win_susp_rundll32_sys.yml index 2f9d276b..c1243ec3 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_sys.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_sys.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_runonce_execution.yml b/rules/sigma/process_creation/win_susp_runonce_execution.yml index 56df66d6..247ee4ea 100644 --- a/rules/sigma/process_creation/win_susp_runonce_execution.yml +++ b/rules/sigma/process_creation/win_susp_runonce_execution.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_runscripthelper.yml b/rules/sigma/process_creation/win_susp_runscripthelper.yml index 5bc96a8d..db727292 100644 --- a/rules/sigma/process_creation/win_susp_runscripthelper.yml +++ b/rules/sigma/process_creation/win_susp_runscripthelper.yml @@ -28,3 +28,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_schtask_creation.yml b/rules/sigma/process_creation/win_susp_schtask_creation.yml index b39edc12..39681371 100644 --- a/rules/sigma/process_creation/win_susp_schtask_creation.yml +++ b/rules/sigma/process_creation/win_susp_schtask_creation.yml @@ -36,3 +36,4 @@ tags: - attack.t1053 - attack.s0111 - car.2013-08-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml b/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml index dda947a2..0bf21bb3 100644 --- a/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml +++ b/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.persistence - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_screenconnect_access.yml b/rules/sigma/process_creation/win_susp_screenconnect_access.yml index f6929d90..4a1b1f73 100644 --- a/rules/sigma/process_creation/win_susp_screenconnect_access.yml +++ b/rules/sigma/process_creation/win_susp_screenconnect_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.initial_access - attack.t1133 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_screensaver_reg.yml b/rules/sigma/process_creation/win_susp_screensaver_reg.yml index fdabba3e..bf3b87ee 100644 --- a/rules/sigma/process_creation/win_susp_screensaver_reg.yml +++ b/rules/sigma/process_creation/win_susp_screensaver_reg.yml @@ -53,3 +53,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml b/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml index 5168ba26..bb94734c 100644 --- a/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_script_execution.yml b/rules/sigma/process_creation/win_susp_script_execution.yml index 6bb9dbd6..2b692f32 100644 --- a/rules/sigma/process_creation/win_susp_script_execution.yml +++ b/rules/sigma/process_creation/win_susp_script_execution.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_dacl_modification.yml b/rules/sigma/process_creation/win_susp_service_dacl_modification.yml index 64ec8860..e54e2999 100644 --- a/rules/sigma/process_creation/win_susp_service_dacl_modification.yml +++ b/rules/sigma/process_creation/win_susp_service_dacl_modification.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.persistence - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_dir.yml b/rules/sigma/process_creation/win_susp_service_dir.yml index e63a8779..e07e3caf 100644 --- a/rules/sigma/process_creation/win_susp_service_dir.yml +++ b/rules/sigma/process_creation/win_susp_service_dir.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_path_modification.yml b/rules/sigma/process_creation/win_susp_service_path_modification.yml index 5bdc8107..dd2e2607 100644 --- a/rules/sigma/process_creation/win_susp_service_path_modification.yml +++ b/rules/sigma/process_creation/win_susp_service_path_modification.yml @@ -36,3 +36,4 @@ tags: - attack.privilege_escalation - attack.t1543.003 - attack.t1031 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 0ec193ba..e169f584 100644 --- a/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -30,3 +30,4 @@ tags: - attack.persistence - attack.t1136.001 - cve.2021.35211 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_servu_process_pattern.yml b/rules/sigma/process_creation/win_susp_servu_process_pattern.yml index 9e73c29f..8f0a6432 100644 --- a/rules/sigma/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/sigma/process_creation/win_susp_servu_process_pattern.yml @@ -41,3 +41,4 @@ tags: - attack.credential_access - attack.t1555 - cve.2021.35211 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml index 5e4a9d4d..71c83d56 100644 --- a/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -31,3 +31,4 @@ tags: - attack.initial_access - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_shimcache_flush.yml b/rules/sigma/process_creation/win_susp_shimcache_flush.yml index 4b84acb1..7e0788f0 100644 --- a/rules/sigma/process_creation/win_susp_shimcache_flush.yml +++ b/rules/sigma/process_creation/win_susp_shimcache_flush.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_splwow64.yml b/rules/sigma/process_creation/win_susp_splwow64.yml index 9ec1153e..8d557677 100644 --- a/rules/sigma/process_creation/win_susp_splwow64.yml +++ b/rules/sigma/process_creation/win_susp_splwow64.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml b/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml index 1cd77a52..c08f47da 100644 --- a/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml +++ b/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml @@ -88,3 +88,4 @@ tags: - attack.t1203 - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sqldumper_activity.yml b/rules/sigma/process_creation/win_susp_sqldumper_activity.yml index 298104e3..b8b0323c 100644 --- a/rules/sigma/process_creation/win_susp_sqldumper_activity.yml +++ b/rules/sigma/process_creation/win_susp_sqldumper_activity.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml b/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml index 9b9e5bba..caebe2f9 100644 --- a/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml @@ -63,3 +63,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_svchost.yml b/rules/sigma/process_creation/win_susp_svchost.yml index 87bba866..fd45a7dd 100644 --- a/rules/sigma/process_creation/win_susp_svchost.yml +++ b/rules/sigma/process_creation/win_susp_svchost.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_svchost_no_cli.yml b/rules/sigma/process_creation/win_susp_svchost_no_cli.yml index f2c97001..52770889 100644 --- a/rules/sigma/process_creation/win_susp_svchost_no_cli.yml +++ b/rules/sigma/process_creation/win_susp_svchost_no_cli.yml @@ -40,3 +40,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sysprep_appdata.yml b/rules/sigma/process_creation/win_susp_sysprep_appdata.yml index 6d162f93..d2e2eda4 100644 --- a/rules/sigma/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/sigma/process_creation/win_susp_sysprep_appdata.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sysvol_access.yml b/rules/sigma/process_creation/win_susp_sysvol_access.yml index 528b45b2..d648c9b8 100644 --- a/rules/sigma/process_creation/win_susp_sysvol_access.yml +++ b/rules/sigma/process_creation/win_susp_sysvol_access.yml @@ -27,3 +27,4 @@ tags: - attack.credential_access - attack.t1552.006 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml b/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml index 4d0750cf..ad5d12b4 100644 --- a/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml +++ b/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_taskmgr_parent.yml b/rules/sigma/process_creation/win_susp_taskmgr_parent.yml index df4511e3..9b2c7ba1 100644 --- a/rules/sigma/process_creation/win_susp_taskmgr_parent.yml +++ b/rules/sigma/process_creation/win_susp_taskmgr_parent.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tracker_execution.yml b/rules/sigma/process_creation/win_susp_tracker_execution.yml index 06e49130..1b7a080e 100644 --- a/rules/sigma/process_creation/win_susp_tracker_execution.yml +++ b/rules/sigma/process_creation/win_susp_tracker_execution.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tscon_localsystem.yml b/rules/sigma/process_creation/win_susp_tscon_localsystem.yml index d2386454..08f782d2 100644 --- a/rules/sigma/process_creation/win_susp_tscon_localsystem.yml +++ b/rules/sigma/process_creation/win_susp_tscon_localsystem.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml index 2745bb1b..a822286b 100644 --- a/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml @@ -27,3 +27,4 @@ tags: - attack.t1076 - attack.t1021.001 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml b/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml index d324cd05..701fb462 100644 --- a/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml +++ b/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml b/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml index cdba698c..6befae4c 100644 --- a/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml +++ b/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml index 9d4e5f56..4819bdfc 100644 --- a/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml @@ -37,3 +37,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml index c5614e53..7afed0e8 100644 --- a/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml @@ -36,3 +36,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_te_bin.yml b/rules/sigma/process_creation/win_susp_use_of_te_bin.yml index 54107567..bbfee003 100644 --- a/rules/sigma/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_te_bin.yml @@ -30,3 +30,4 @@ references: status: experimental tags: - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 41e7ec1d..129cafe2 100644 --- a/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.t1218 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_userinit_child.yml b/rules/sigma/process_creation/win_susp_userinit_child.yml index b78960dd..69c36675 100644 --- a/rules/sigma/process_creation/win_susp_userinit_child.yml +++ b/rules/sigma/process_creation/win_susp_userinit_child.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_vboxdrvinst.yml b/rules/sigma/process_creation/win_susp_vboxdrvinst.yml index 3baa5a7b..9e22da5f 100644 --- a/rules/sigma/process_creation/win_susp_vboxdrvinst.yml +++ b/rules/sigma/process_creation/win_susp_vboxdrvinst.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml b/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml index f42e5500..ec63af92 100644 --- a/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml +++ b/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_volsnap_disable.yml b/rules/sigma/process_creation/win_susp_volsnap_disable.yml index 336feac0..399b8f0d 100644 --- a/rules/sigma/process_creation/win_susp_volsnap_disable.yml +++ b/rules/sigma/process_creation/win_susp_volsnap_disable.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_whoami.yml b/rules/sigma/process_creation/win_susp_whoami.yml index 5a05b904..3e9b4fb7 100644 --- a/rules/sigma/process_creation/win_susp_whoami.yml +++ b/rules/sigma/process_creation/win_susp_whoami.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_whoami_anomaly.yml b/rules/sigma/process_creation/win_susp_whoami_anomaly.yml index bd5727da..5db10318 100644 --- a/rules/sigma/process_creation/win_susp_whoami_anomaly.yml +++ b/rules/sigma/process_creation/win_susp_whoami_anomaly.yml @@ -46,3 +46,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrar_execution.yml b/rules/sigma/process_creation/win_susp_winrar_execution.yml index a4a2429f..67fa7ab4 100644 --- a/rules/sigma/process_creation/win_susp_winrar_execution.yml +++ b/rules/sigma/process_creation/win_susp_winrar_execution.yml @@ -31,3 +31,4 @@ tags: - attack.t1560.001 - attack.exfiltration - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml b/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml index 52e6a1c9..e1b0054f 100644 --- a/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml +++ b/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrm_execution.yml b/rules/sigma/process_creation/win_susp_winrm_execution.yml index e35a781c..44514596 100644 --- a/rules/sigma/process_creation/win_susp_winrm_execution.yml +++ b/rules/sigma/process_creation/win_susp_winrm_execution.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmi_execution.yml b/rules/sigma/process_creation/win_susp_wmi_execution.yml index 89e7a8f3..28689d46 100644 --- a/rules/sigma/process_creation/win_susp_wmi_execution.yml +++ b/rules/sigma/process_creation/win_susp_wmi_execution.yml @@ -47,3 +47,4 @@ tags: - attack.execution - attack.t1047 - car.2016-03-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml b/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml index f14f81a4..105fc0e1 100644 --- a/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml +++ b/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml index fc8effbe..798c4a34 100644 --- a/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml +++ b/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml b/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml index 4a643194..3f81a81a 100644 --- a/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml +++ b/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_workfolders.yml b/rules/sigma/process_creation/win_susp_workfolders.yml index ef3cc086..f2c6c1a3 100644 --- a/rules/sigma/process_creation/win_susp_workfolders.yml +++ b/rules/sigma/process_creation/win_susp_workfolders.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wsl_lolbin.yml b/rules/sigma/process_creation/win_susp_wsl_lolbin.yml index c654622f..4c07fe34 100644 --- a/rules/sigma/process_creation/win_susp_wsl_lolbin.yml +++ b/rules/sigma/process_creation/win_susp_wsl_lolbin.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wuauclt.yml b/rules/sigma/process_creation/win_susp_wuauclt.yml index 12679e91..7e4adefc 100644 --- a/rules/sigma/process_creation/win_susp_wuauclt.yml +++ b/rules/sigma/process_creation/win_susp_wuauclt.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1105 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sysmon_driver_unload.yml b/rules/sigma/process_creation/win_sysmon_driver_unload.yml index 22bdda8f..40b76b45 100644 --- a/rules/sigma/process_creation/win_sysmon_driver_unload.yml +++ b/rules/sigma/process_creation/win_sysmon_driver_unload.yml @@ -32,3 +32,4 @@ tags: - attack.t1070 - attack.t1562 - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_system_exe_anomaly.yml b/rules/sigma/process_creation/win_system_exe_anomaly.yml index 9808398b..aa12da3e 100644 --- a/rules/sigma/process_creation/win_system_exe_anomaly.yml +++ b/rules/sigma/process_creation/win_system_exe_anomaly.yml @@ -63,3 +63,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_tap_installer_execution.yml b/rules/sigma/process_creation/win_tap_installer_execution.yml index 7049ea2b..8f6fd41d 100644 --- a/rules/sigma/process_creation/win_tap_installer_execution.yml +++ b/rules/sigma/process_creation/win_tap_installer_execution.yml @@ -21,3 +21,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_task_folder_evasion.yml b/rules/sigma/process_creation/win_task_folder_evasion.yml index 17931b61..c492fdae 100644 --- a/rules/sigma/process_creation/win_task_folder_evasion.yml +++ b/rules/sigma/process_creation/win_task_folder_evasion.yml @@ -42,3 +42,4 @@ tags: - attack.t1574.002 - attack.t1059 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_termserv_proc_spawn.yml b/rules/sigma/process_creation/win_termserv_proc_spawn.yml index 37f5d500..8c1e763c 100644 --- a/rules/sigma/process_creation/win_termserv_proc_spawn.yml +++ b/rules/sigma/process_creation/win_termserv_proc_spawn.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_tools_relay_attacks.yml b/rules/sigma/process_creation/win_tools_relay_attacks.yml index b7a18ed1..2ed03653 100644 --- a/rules/sigma/process_creation/win_tools_relay_attacks.yml +++ b/rules/sigma/process_creation/win_tools_relay_attacks.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.execution - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_trust_discovery.yml b/rules/sigma/process_creation/win_trust_discovery.yml index c9ffcdd1..dec7db13 100644 --- a/rules/sigma/process_creation/win_trust_discovery.yml +++ b/rules/sigma/process_creation/win_trust_discovery.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.discovery - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml b/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml index b96ad635..2ba8c989 100644 --- a/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml +++ b/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml b/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml index ccd8854d..ef872366 100644 --- a/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml +++ b/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml b/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml index 34c0eb75..1035c8e3 100644 --- a/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml +++ b/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml index 3767f9ea..eb90fc39 100644 --- a/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_dismhost.yml b/rules/sigma/process_creation/win_uac_bypass_dismhost.yml index d9f70da7..9f4d0e1d 100644 --- a/rules/sigma/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/sigma/process_creation/win_uac_bypass_dismhost.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml b/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml index 3f6b541a..183ec99e 100644 --- a/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml index bc32dd6f..24650495 100644 --- a/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml index ca41d33f..03d661c9 100644 --- a/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml @@ -42,3 +42,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml index 2231e939..67992196 100644 --- a/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml +++ b/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_winsat.yml b/rules/sigma/process_creation/win_uac_bypass_winsat.yml index 953d1596..80e7123d 100644 --- a/rules/sigma/process_creation/win_uac_bypass_winsat.yml +++ b/rules/sigma/process_creation/win_uac_bypass_winsat.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_wmp.yml b/rules/sigma/process_creation/win_uac_bypass_wmp.yml index c17ef57f..1f28c793 100644 --- a/rules/sigma/process_creation/win_uac_bypass_wmp.yml +++ b/rules/sigma/process_creation/win_uac_bypass_wmp.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_wsreset.yml b/rules/sigma/process_creation/win_uac_bypass_wsreset.yml index 1387c576..b074bad0 100644 --- a/rules/sigma/process_creation/win_uac_bypass_wsreset.yml +++ b/rules/sigma/process_creation/win_uac_bypass_wsreset.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_cmstp.yml b/rules/sigma/process_creation/win_uac_cmstp.yml index 6bd11065..b0962e31 100644 --- a/rules/sigma/process_creation/win_uac_cmstp.yml +++ b/rules/sigma/process_creation/win_uac_cmstp.yml @@ -37,3 +37,4 @@ tags: - attack.t1218.003 - attack.t1191 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_fodhelper.yml b/rules/sigma/process_creation/win_uac_fodhelper.yml index 8809fc98..38500baa 100644 --- a/rules/sigma/process_creation/win_uac_fodhelper.yml +++ b/rules/sigma/process_creation/win_uac_fodhelper.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_wsreset.yml b/rules/sigma/process_creation/win_uac_wsreset.yml index af1cc9d0..dcd9dfab 100644 --- a/rules/sigma/process_creation/win_uac_wsreset.yml +++ b/rules/sigma/process_creation/win_uac_wsreset.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml index fe842e29..8216137c 100644 --- a/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml +++ b/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml index dd09818a..340c7dd1 100644 --- a/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml +++ b/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1574.008 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_verclsid_runs_com.yml b/rules/sigma/process_creation/win_verclsid_runs_com.yml index aeb3535d..664edb60 100644 --- a/rules/sigma/process_creation/win_verclsid_runs_com.yml +++ b/rules/sigma/process_creation/win_verclsid_runs_com.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_visual_basic_compiler.yml b/rules/sigma/process_creation/win_visual_basic_compiler.yml index 5ea68bff..7d249831 100644 --- a/rules/sigma/process_creation/win_visual_basic_compiler.yml +++ b/rules/sigma/process_creation/win_visual_basic_compiler.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_vul_java_remote_debugging.yml b/rules/sigma/process_creation/win_vul_java_remote_debugging.yml index d12d2629..246aa1fa 100644 --- a/rules/sigma/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/sigma/process_creation/win_vul_java_remote_debugging.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1203 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_detection.yml b/rules/sigma/process_creation/win_webshell_detection.yml index f7117521..cea2853c 100644 --- a/rules/sigma/process_creation/win_webshell_detection.yml +++ b/rules/sigma/process_creation/win_webshell_detection.yml @@ -83,3 +83,4 @@ tags: - attack.t1087 - attack.privilege_escalation - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_recon_detection.yml b/rules/sigma/process_creation/win_webshell_recon_detection.yml index 8e44c26f..fae2818d 100644 --- a/rules/sigma/process_creation/win_webshell_recon_detection.yml +++ b/rules/sigma/process_creation/win_webshell_recon_detection.yml @@ -47,3 +47,4 @@ tags: - attack.t1505.003 - attack.privilege_escalation - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_spawn.yml b/rules/sigma/process_creation/win_webshell_spawn.yml index 56fa82f9..615315d3 100644 --- a/rules/sigma/process_creation/win_webshell_spawn.yml +++ b/rules/sigma/process_creation/win_webshell_spawn.yml @@ -40,3 +40,4 @@ tags: - attack.t1505.003 - attack.privilege_escalation - attack.t1190 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_whoami_as_system.yml b/rules/sigma/process_creation/win_whoami_as_system.yml index ddafbb33..149d9c8a 100644 --- a/rules/sigma/process_creation/win_whoami_as_system.yml +++ b/rules/sigma/process_creation/win_whoami_as_system.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.discovery - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_whoami_priv.yml b/rules/sigma/process_creation/win_whoami_priv.yml index c7bd199b..1dd1101c 100644 --- a/rules/sigma/process_creation/win_whoami_priv.yml +++ b/rules/sigma/process_creation/win_whoami_priv.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.discovery - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_win10_sched_task_0day.yml b/rules/sigma/process_creation/win_win10_sched_task_0day.yml index c1e4995e..e7738854 100644 --- a/rules/sigma/process_creation/win_win10_sched_task_0day.yml +++ b/rules/sigma/process_creation/win_win10_sched_task_0day.yml @@ -34,3 +34,4 @@ tags: - attack.t1053.005 - attack.t1053 - car.2013-08-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_winword_dll_load.yml b/rules/sigma/process_creation/win_winword_dll_load.yml index 14b8447c..0274c2a6 100644 --- a/rules/sigma/process_creation/win_winword_dll_load.yml +++ b/rules/sigma/process_creation/win_winword_dll_load.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index bd7a3238..9582d440 100644 --- a/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -24,3 +24,4 @@ tags: - attack.persistence - attack.t1546.003 - attack.t1084 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml index cbd76831..43341b28 100644 --- a/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml +++ b/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1546.003 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_spwns_powershell.yml b/rules/sigma/process_creation/win_wmi_spwns_powershell.yml index 6c27166c..151919c7 100644 --- a/rules/sigma/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/sigma/process_creation/win_wmi_spwns_powershell.yml @@ -37,3 +37,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml b/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml index 2c6d0f78..8e5fa0e4 100644 --- a/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_workflow_compiler.yml b/rules/sigma/process_creation/win_workflow_compiler.yml index 3d01e095..317f17fe 100644 --- a/rules/sigma/process_creation/win_workflow_compiler.yml +++ b/rules/sigma/process_creation/win_workflow_compiler.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1127 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml b/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml index 513ee21f..9734bb56 100644 --- a/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml +++ b/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wsreset_uac_bypass.yml b/rules/sigma/process_creation/win_wsreset_uac_bypass.yml index aea9c179..448f848a 100644 --- a/rules/sigma/process_creation/win_wsreset_uac_bypass.yml +++ b/rules/sigma/process_creation/win_wsreset_uac_bypass.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_xsl_script_processing.yml b/rules/sigma/process_creation/win_xsl_script_processing.yml index 2885b16d..dc06f130 100644 --- a/rules/sigma/process_creation/win_xsl_script_processing.yml +++ b/rules/sigma/process_creation/win_xsl_script_processing.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1220 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 1cfb9e57..655fd721 100644 --- a/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -50,3 +50,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1006 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index 47a4fc3b..50a11633 100644 --- a/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -53,3 +53,4 @@ tags: - attack.persistence - attack.t1112 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml b/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml index 7070f2db..8c2e1ff7 100644 --- a/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml +++ b/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml @@ -43,3 +43,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_apt_pandemic.yml b/rules/sigma/registry_event/registry_event_apt_pandemic.yml index 7ee287d2..327c1f6f 100644 --- a/rules/sigma/registry_event/registry_event_apt_pandemic.yml +++ b/rules/sigma/registry_event/registry_event_apt_pandemic.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml index 11f8126e..f89695a2 100644 --- a/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -36,3 +36,4 @@ tags: - attack.t1203 - cve.2021.33771 - cve.2021.31979 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_disabled.yml b/rules/sigma/registry_event/registry_event_defender_disabled.yml index a3b4d5ad..ea3d5925 100644 --- a/rules/sigma/registry_event/registry_event_defender_disabled.yml +++ b/rules/sigma/registry_event/registry_event_defender_disabled.yml @@ -45,3 +45,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_exclusions.yml b/rules/sigma/registry_event/registry_event_defender_exclusions.yml index 37d849a8..78cd6175 100644 --- a/rules/sigma/registry_event/registry_event_defender_exclusions.yml +++ b/rules/sigma/registry_event/registry_event_defender_exclusions.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml b/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml index 44c19389..ca214320 100644 --- a/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml +++ b/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml @@ -45,3 +45,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml index a477187d..d4b4318f 100644 --- a/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -38,3 +38,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_mal_adwind.yml b/rules/sigma/registry_event/registry_event_mal_adwind.yml index 0bb3420e..a983849c 100644 --- a/rules/sigma/registry_event/registry_event_mal_adwind.yml +++ b/rules/sigma/registry_event/registry_event_mal_adwind.yml @@ -33,3 +33,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml b/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml index c3c71069..d58152ff 100644 --- a/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml +++ b/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml @@ -36,3 +36,4 @@ tags: - attack.defense_evasion - attack.t1070 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml index 35ac8dce..f1a99841 100644 --- a/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml @@ -39,3 +39,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml index f983bf9b..f2e2bef4 100644 --- a/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml @@ -39,3 +39,4 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml b/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml index 16be38c5..642365f2 100644 --- a/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml +++ b/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml index 7d91f686..57604345 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml @@ -33,3 +33,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml b/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml index d37c5a83..59f88910 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml b/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml index 4cc90b7b..4bfac7b5 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_apt_leviathan.yml b/rules/sigma/registry_event/sysmon_apt_leviathan.yml index 3160a30b..9d2fac02 100644 --- a/rules/sigma/registry_event/sysmon_apt_leviathan.yml +++ b/rules/sigma/registry_event/sysmon_apt_leviathan.yml @@ -26,3 +26,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml index bd405131..969decd2 100644 --- a/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -51,3 +51,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml index d7391e94..8c1f3063 100644 --- a/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml @@ -231,3 +231,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml b/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml index beb70a1b..2f94b1c7 100644 --- a/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml +++ b/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml b/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml index ae74dd3e..6eb2b955 100644 --- a/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml +++ b/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml @@ -36,3 +36,4 @@ tags: - attack.t1218.003 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml b/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml index f39eb920..7b730927 100644 --- a/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml +++ b/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml @@ -48,3 +48,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml b/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml index 1d037bb5..bf7277dc 100644 --- a/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.t1546 - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cve_2020_1048.yml b/rules/sigma/registry_event/sysmon_cve_2020_1048.yml index 3e5b4efb..fba7657b 100644 --- a/rules/sigma/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/sigma/registry_event/sysmon_cve_2020_1048.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml b/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml index 4ff4a311..56e63171 100644 --- a/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml @@ -34,3 +34,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml b/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml index 18b5d1b9..10aa12ca 100644 --- a/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml +++ b/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 74433337..b398fad1 100644 --- a/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -40,3 +40,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml index 9fdeea1f..b0d53219 100644 --- a/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml +++ b/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml index 1ba4eb36..84bb048e 100644 --- a/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml index 1cb3b3bc..9b75869c 100644 --- a/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml index 2cf4c8cf..5ccd2ead 100644 --- a/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml b/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml index ce52751a..f5c714ab 100644 --- a/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml @@ -45,3 +45,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml index a702399a..4fac02e1 100644 --- a/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml +++ b/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1574.012 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_etw_disabled.yml b/rules/sigma/registry_event/sysmon_etw_disabled.yml index 31f5f21e..b73cb73c 100644 --- a/rules/sigma/registry_event/sysmon_etw_disabled.yml +++ b/rules/sigma/registry_event/sysmon_etw_disabled.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_hack_wce_reg.yml b/rules/sigma/registry_event/sysmon_hack_wce_reg.yml index 4962c14f..0cae5dc2 100644 --- a/rules/sigma/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/sigma/registry_event/sysmon_hack_wce_reg.yml @@ -29,3 +29,4 @@ tags: - attack.t1003 - attack.t1003.001 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index bfc12fd8..7daf835f 100644 --- a/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.resource_development - attack.t1608 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index 4777a4cd..887bdde1 100644 --- a/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml @@ -30,3 +30,4 @@ tags: - attack.t1037.001 - attack.persistence - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml index e914e036..94c66766 100644 --- a/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml +++ b/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml @@ -34,3 +34,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml index d9c8340e..410e93d7 100644 --- a/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_application_appcompat.yml b/rules/sigma/registry_event/sysmon_new_application_appcompat.yml index 9c7733c7..835b8d41 100644 --- a/rules/sigma/registry_event/sysmon_new_application_appcompat.yml +++ b/rules/sigma/registry_event/sysmon_new_application_appcompat.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index ae044c0b..c84ed6ff 100644 --- a/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -39,3 +39,4 @@ tags: - attack.persistence - attack.t1182 - attack.t1546.009 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index e0c7bfe5..5a5fa60c 100644 --- a/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1103 - attack.t1546.010 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_office_test_regadd.yml b/rules/sigma/registry_event/sysmon_office_test_regadd.yml index 35a4572d..caa8a945 100644 --- a/rules/sigma/registry_event/sysmon_office_test_regadd.yml +++ b/rules/sigma/registry_event/sysmon_office_test_regadd.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.persistence - attack.t1137.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml b/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml index 41a8ba12..9ad28c58 100644 --- a/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml +++ b/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.t1137.006 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_powershell_as_service.yml b/rules/sigma/registry_event/sysmon_powershell_as_service.yml index 345b7c13..775fc0f7 100644 --- a/rules/sigma/registry_event/sysmon_powershell_as_service.yml +++ b/rules/sigma/registry_event/sysmon_powershell_as_service.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml b/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml index bb969501..51554d98 100644 --- a/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml b/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml index e4ad6e3a..36738191 100644 --- a/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml +++ b/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml index 5f2d7f48..c44f57e1 100644 --- a/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml +++ b/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_office_security.yml b/rules/sigma/registry_event/sysmon_reg_office_security.yml index 938c7f92..6caf7c7a 100644 --- a/rules/sigma/registry_event/sysmon_reg_office_security.yml +++ b/rules/sigma/registry_event/sysmon_reg_office_security.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml b/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml index de9e5d71..08aec125 100644 --- a/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.persistence - attack.t1546.012 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml index 54ee5d2a..6ca17d58 100644 --- a/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.007 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml index a6b4e5ab..34bb8a51 100644 --- a/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml index 2c11e9e9..f751b27a 100644 --- a/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml index df0723ce..d9d67dcd 100644 --- a/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml @@ -35,3 +35,4 @@ tags: - attack.persistence - attack.t1122 - attack.t1546.015 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml b/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml index 6be91ede..26df3420 100644 --- a/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml @@ -66,3 +66,4 @@ status: experimental tags: - attack.persistence - attack.t1546.015 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml index c77c2eb8..e2b54cc4 100644 --- a/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1574 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml b/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml index ce240953..8ce84d86 100644 --- a/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml +++ b/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml @@ -30,3 +30,4 @@ tags: - attack.initial_access - attack.t1193 - attack.t1566.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml b/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml index 427629d7..db71adeb 100644 --- a/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml index 3ca819ae..d66c1d30 100644 --- a/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_runkey_winekey.yml b/rules/sigma/registry_event/sysmon_runkey_winekey.yml index 934a6657..c754976c 100644 --- a/rules/sigma/registry_event/sysmon_runkey_winekey.yml +++ b/rules/sigma/registry_event/sysmon_runkey_winekey.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_runonce_persistence.yml b/rules/sigma/registry_event/sysmon_runonce_persistence.yml index e2e3a995..de508cbc 100644 --- a/rules/sigma/registry_event/sysmon_runonce_persistence.yml +++ b/rules/sigma/registry_event/sysmon_runonce_persistence.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml index 481d4674..b0c3d76d 100644 --- a/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml +++ b/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml @@ -37,3 +37,4 @@ tags: - attack.persistence - attack.t1101 - attack.t1547.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml b/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml index 3f053a8e..0eea2775 100644 --- a/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml @@ -33,3 +33,4 @@ tags: - attack.t1218 - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_download_run_key.yml b/rules/sigma/registry_event/sysmon_susp_download_run_key.yml index 491fd3a9..27cc9d19 100644 --- a/rules/sigma/registry_event/sysmon_susp_download_run_key.yml +++ b/rules/sigma/registry_event/sysmon_susp_download_run_key.yml @@ -34,3 +34,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml index ecbd5173..f3e21aae 100644 --- a/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml +++ b/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1177 - attack.t1547.008 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml b/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml index b94e2ba4..98a7cc29 100644 --- a/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml +++ b/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml @@ -45,3 +45,4 @@ tags: - attack.collection - attack.t1125 - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml index c5562124..bc41185c 100644 --- a/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml index da55b2d4..5c1b159d 100644 --- a/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml @@ -48,3 +48,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_service_installed.yml b/rules/sigma/registry_event/sysmon_susp_service_installed.yml index dd34521c..4fa24636 100644 --- a/rules/sigma/registry_event/sysmon_susp_service_installed.yml +++ b/rules/sigma/registry_event/sysmon_susp_service_installed.yml @@ -43,3 +43,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 279f61cd..7fe0ee4a 100644 --- a/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index a795baf7..424020dc 100644 --- a/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_taskcache_entry.yml b/rules/sigma/registry_event/sysmon_taskcache_entry.yml index b109b134..01e7fe0f 100644 --- a/rules/sigma/registry_event/sysmon_taskcache_entry.yml +++ b/rules/sigma/registry_event/sysmon_taskcache_entry.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1053 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml index bc0656b6..e34c74fe 100644 --- a/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml @@ -37,3 +37,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml index ff247a5b..e07ddd1a 100644 --- a/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml +++ b/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml index 4da84d48..0ab1a004 100644 --- a/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml index 457cf9ae..5af07936 100644 --- a/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml +++ b/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_persistence.yml b/rules/sigma/registry_event/sysmon_win_reg_persistence.yml index 22c7885f..03736a3c 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_persistence.yml @@ -45,3 +45,4 @@ tags: - attack.t1183 - attack.t1546.012 - car.2013-01-002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml b/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml index 18562284..92f1fbf2 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml @@ -32,3 +32,4 @@ references: tags: - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml index 1a2299f8..b9bfe897 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.persistence - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_c2_registry_key.yml b/rules/sigma/registry_event/win_outlook_c2_registry_key.yml index 371ab09e..e96d95ab 100644 --- a/rules/sigma/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/sigma/registry_event/win_outlook_c2_registry_key.yml @@ -34,3 +34,4 @@ tags: - attack.t1137 - attack.t1008 - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_registry_todaypage.yml b/rules/sigma/registry_event/win_outlook_registry_todaypage.yml index 89f63689..56824781 100644 --- a/rules/sigma/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/sigma/registry_event/win_outlook_registry_todaypage.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_registry_webview.yml b/rules/sigma/registry_event/win_outlook_registry_webview.yml index 7ab74484..a613d10d 100644 --- a/rules/sigma/registry_event/win_outlook_registry_webview.yml +++ b/rules/sigma/registry_event/win_outlook_registry_webview.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_portproxy_registry_key.yml b/rules/sigma/registry_event/win_portproxy_registry_key.yml index 49dfc1f4..14db3036 100644 --- a/rules/sigma/registry_event/win_portproxy_registry_key.yml +++ b/rules/sigma/registry_event/win_portproxy_registry_key.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_file_association_exefile.yml b/rules/sigma/registry_event/win_registry_file_association_exefile.yml index deab0db5..fb84dab4 100644 --- a/rules/sigma/registry_event/win_registry_file_association_exefile.yml +++ b/rules/sigma/registry_event/win_registry_file_association_exefile.yml @@ -31,3 +31,4 @@ references: status: experimental tags: - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml index 12a076e7..611b746c 100644 --- a/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml @@ -56,3 +56,4 @@ tags: - attack.t1204 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml index 7077ba25..8c80ff5d 100644 --- a/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -52,3 +52,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1546.001 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index b2670d61..5d80b975 100644 --- a/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_config_modification_error.yml b/rules/sigma/sysmon/sysmon_config_modification_error.yml index 3cda69bc..4d865906 100644 --- a/rules/sigma/sysmon/sysmon_config_modification_error.yml +++ b/rules/sigma/sysmon/sysmon_config_modification_error.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_config_modification_status.yml b/rules/sigma/sysmon/sysmon_config_modification_status.yml index 909fd4eb..bfeaff0d 100644 --- a/rules/sigma/sysmon/sysmon_config_modification_status.yml +++ b/rules/sigma/sysmon/sysmon_config_modification_status.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml index ef84d38c..ce935828 100644 --- a/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml +++ b/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml @@ -35,3 +35,4 @@ tags: - attack.lateral_movement - attack.t1021.002 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml b/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml index c8379776..e727715f 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml @@ -23,3 +23,4 @@ tags: - attack.t1084 - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index e540de8c..80ecfbd6 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -40,3 +40,4 @@ tags: - attack.t1047 - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml index 02aeddd6..c2bb35c3 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml @@ -57,3 +57,4 @@ tags: - attack.t1086 - attack.execution - attack.t1059.005 +ruletype: SIGMA diff --git a/tools/sigmac/hayabusa.py b/tools/sigmac/hayabusa.py index bf69c67b..21c23e10 100644 --- a/tools/sigmac/hayabusa.py +++ b/tools/sigmac/hayabusa.py @@ -11,60 +11,67 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier SPECIAL_REGEX = re.compile("^\{(\d)+,?(\d+)?\}") + class HayabusaBackend(SingleTextQueryBackend): """Base class for backends that generate one text-based expression from a Sigma rule""" - ## see tools.py - ## use this value when sigmac parse argument of "-t" + # see tools.py + # use this value when sigmac parse argument of "-t" identifier = "hayabusa" active = True # the following class variables define the generation and behavior of queries from a parse tree some are prefilled with default values that are quite usual - andToken = " and " # Token used for linking expressions with logical AND + # Token used for linking expressions with logical AND + andToken = " and " orToken = " or " # Same for OR notToken = " not " # Same for NOT - subExpression = "(%s)" # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + subExpression = "(%s)" valueExpression = "%s" # Expression of values, %s represents value - typedValueExpression = dict() # Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value + # Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value + typedValueExpression = dict() sort_condition_lists = False mapListsSpecialHandling = True name_idx = 1 selection_prefix = "SELECTION_{0}" name_2_selection = OrderedDict() - + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) self.re_init() - + def re_init(self): self.name_idx = 1 self.name_2_selection = OrderedDict() - + def cleanValue(self, val): return val - + def generateListNode(self, node): return self.generateORNode(node) - + def create_new_selection(self): name = self.selection_prefix.format(self.name_idx) - self.name_idx+=1 + self.name_idx += 1 return name - + def generateMapItemNode(self, node): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): name = self.create_new_selection() - self.name_2_selection[name] = [(transformed_fieldname, self.generateNode(value))] + self.name_2_selection[name] = [ + (transformed_fieldname, self.generateNode(value))] return name elif type(value) == list: return self.generateMapItemListNode(transformed_fieldname, value) elif isinstance(value, SigmaTypeModifier): return self.generateMapItemTypedNode(transformed_fieldname, value) elif value is None: - return self.generateNode((transformed_fieldname+"|re","^$")) #nullは正規表現で表す。これでいいのかちょっと不安 + # nullは正規表現で表す。これでいいのかちょっと不安 + return self.generateNode((transformed_fieldname+"|re", "^$")) else: - raise TypeError("Backend does not support map values of type " + str(type(value))) - + raise TypeError( + "Backend does not support map values of type " + str(type(value))) + def generateMapItemTypedNode(self, fieldname, value): # `|re`オプションに対応 if type(value) == SigmaRegularExpressionModifier: @@ -73,76 +80,77 @@ class HayabusaBackend(SingleTextQueryBackend): # pythonとかの正規表現では/(スラッシュ)や"(ダブルクオート)をエスケープしてもエラーが出ないが、Rustの正規表現エンジンではスラッシュやダブルクオートをエスケープするとエラーが出てしまう # そこでスラッシュやダブルクオートのエスケープは消しておく。 # あと、この実装は結構怪しいので、将来バージョンではこの実装を無くして、hayabusa側で使用する正規表現エンジンを普通のpythonとかで使われているやつに変えた方がいいと思う。 - regex_value = value.value.replace('\/','/') - regex_value = regex_value.replace("\\\"","\"") - - ## 追加のケースとして、pythonとかの正規表現では{はエスケープ不要だが、Rustでは必要なので、それを修正するためのコード。めんどい + regex_value = value.value.replace('\/', '/') + regex_value = regex_value.replace("\\\"", "\"") + + # 追加のケースとして、pythonとかの正規表現では{はエスケープ不要だが、Rustでは必要なので、それを修正するためのコード。めんどい idx = 0 prev_regex = regex_value regex_value = "" while idx < len(prev_regex): - ## 既にエスケープされているものはスキップする。 + # 既にエスケープされているものはスキップする。 if prev_regex[idx:idx+2] == "\\{" or prev_regex[idx:idx+2] == "\\}": regex_value += prev_regex[idx:idx+2] idx += 2 continue - + ch = prev_regex[idx] - ## エスケープ不要な}はここに来ないように、以降の処理でidxを調整している。なのでここにくる}はエスケープが必要。 + # エスケープ不要な}はここに来ないように、以降の処理でidxを調整している。なのでここにくる}はエスケープが必要。 if ch == "}": regex_value += "\\}" idx += 1 continue - - ## {じゃない場合はそのまま足すだけ + + # {じゃない場合はそのまま足すだけ if ch != "{": regex_value += ch idx += 1 continue - - ## {の場合の処理 + + # {の場合の処理 reg_match = SPECIAL_REGEX.match(prev_regex[idx:]) if reg_match == None: - ## 文字列としての{なので、エスケープ必要 + # 文字列としての{なので、エスケープ必要 regex_value += "\\{" idx += 1 else: - ## これは桁数を指定する{なので、エスケープ不要で}までidxをスキップ + # これは桁数を指定する{なので、エスケープ不要で}までidxをスキップ regex_value += reg_match.group() idx += len(reg_match.group()) return self.generateNode((fieldname, regex_value)) else: - raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + raise NotImplementedError( + "Type modifier '{}' is not supported by backend".format(value.identifier)) def generateMapItemListNode(self, fieldname, value): - ### 下記のようなケースに対応 - ### selection: - ### EventID: + # 下記のようなケースに対応 + # selection: + # EventID: ### - 1 ### - 2 - ### 基本的にリストはORと良く、generateListNodeもORNodeを生成している。 - ### しかし、上記のケースでgenerateListNode()を実行すると、下記のようなYAMLになってしまう。 - ### selection: + # 基本的にリストはORと良く、generateListNodeもORNodeを生成している。 + # しかし、上記のケースでgenerateListNode()を実行すると、下記のようなYAMLになってしまう。 + # selection: ### EventID: 1 or 2 - ### 上記のようにならないように、修正している。 - ### なお、generateMapItemListNode()を有効にするために、self.mapListsSpecialHandling = Trueとしている + # 上記のようにならないように、修正している。 + # なお、generateMapItemListNode()を有効にするために、self.mapListsSpecialHandling = Trueとしている if self._is_all_str(value): name = self.create_new_selection() - self.name_2_selection[name] = [(fieldname,value)] + self.name_2_selection[name] = [(fieldname, value)] return name list_values = list() for sub_node in value: - list_values.append((fieldname,sub_node)) - return self.subExpression % self.generateORNode(list_values) - + list_values.append((fieldname, sub_node)) + return self.subExpression % self.generateORNode(list_values) + def _is_all_str(self, values): for value in values: if type(value) != str: return False return True - + def generateAggregation(self, agg): # python3 tools/sigmac rules/windows/process_creation/win_dnscat2_powershell_implementation.yml --config tools/config/generic/sysmon.yml --target hayabusa if agg == None: @@ -152,100 +160,101 @@ class HayabusaBackend(SingleTextQueryBackend): # | 以降をそのまま出力する target = '|' condition = agg.parser.parsedyaml["detection"]["condition"] - - ### conditionはなんと複数指定されることもあるらしい!!!!! - ### If multiple conditions are given, they are logically linked with OR.と仕様書に書いてある。詳細はSigmaRuleの仕様を参照のこと。 - ### とりあえず、複数指定のconditionは未対応ということでエラーにするとして、(なお、デフォルトのbase.pyの実装で複数指定のconditionはexceptionがraiseされるので、そのような処理は追加で実装しなくてよい) - ### 問題となるのはagg.parser.parsedyaml["detection"]["condition"]の型 + + # conditionはなんと複数指定されることもあるらしい!!!!! + # If multiple conditions are given, they are logically linked with OR.と仕様書に書いてある。詳細はSigmaRuleの仕様を参照のこと。 + # とりあえず、複数指定のconditionは未対応ということでエラーにするとして、(なお、デフォルトのbase.pyの実装で複数指定のconditionはexceptionがraiseされるので、そのような処理は追加で実装しなくてよい) + # 問題となるのはagg.parser.parsedyaml["detection"]["condition"]の型 ### - ### 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はstringになるが + # 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はstringになるが ### conditon: selection1 ### - ### 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はlistになる - ### conditon: + # 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はlistになる + # conditon: ### - selection1 ### - ### なのでlistのケースも想定して、下記のような実装とする。 - if type(condition) == list: + # なのでlistのケースも想定して、下記のような実装とする。 + if type(condition) == list: condition = condition[0] index = condition.find(target) return condition[index:] - ## count以外は対応していないので、エラーを返す - raise NotImplementedError("This rule contains aggregation operator not implemented for this backend") - + # count以外は対応していないので、エラーを返す + raise NotImplementedError( + "This rule contains aggregation operator not implemented for this backend") + def generateValueNode(self, node): - ## このメソッドをオーバーライドしておかないとint型もstr型として扱われてしまうので、int型やint型として、str型はstr型として処理するために実装した。 - ## このメソッドは最悪無くてもいいような気もする。 + # このメソッドをオーバーライドしておかないとint型もstr型として扱われてしまうので、int型やint型として、str型はstr型として処理するために実装した。 + # このメソッドは最悪無くてもいいような気もする。 if type(node) == int: return node else: return self.valueExpression % (self.cleanValue(str(node))) - - ### 全部strかどうかを判定 - def is_keyword_list(self, node ): + + # 全部strかどうかを判定 + def is_keyword_list(self, node): if type(node) != ConditionOR: return False - + for item in node.items: if type(item) != str: return False - + return True - - def generateANDNode(self, node): + + def generateANDNode(self, node): generated = list() for val in node: if type(val) == str: - ### 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース - ### keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと) - ### 具体的には"all of"とか使うとこの分岐に来る + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと) + # 具体的には"all of"とか使うとこの分岐に来る name = self.create_new_selection() self.name_2_selection[name] = [(None, val)] generated_node = name else: - ### 普通はこっちにくる + # 普通はこっちにくる generated_node = self.generateNode(val) generated.append(generated_node) - filtered = [ g for g in generated if g is not None ] + filtered = [g for g in generated if g is not None] if filtered: if self.sort_condition_lists: filtered = sorted(filtered) return self.andToken.join(filtered) else: return None - + def generateORNode(self, node): if self.is_keyword_list(node) == True: - ## 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース - ## 全てkeyが指定されていない場合はここに来る。 + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # 全てkeyが指定されていない場合はここに来る。 name = self.create_new_selection() self.name_2_selection[name] = [(None, val) for val in node] return name - + name = None generated = list() for val in node: - ### 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース if type(val) == str: if name is None: name = self.create_new_selection() self.name_2_selection[name] = list() - self.name_2_selection[name].append((None,val)) + self.name_2_selection[name].append((None, val)) else: generated.append(self.generateNode(val)) if name is not None: generated.append(name) - filtered = [ g for g in generated if g is not None ] + filtered = [g for g in generated if g is not None] if filtered: if self.sort_condition_lists: filtered = sorted(filtered) return self.orToken.join(filtered) else: return None - + def generateQuery(self, parsed): - ### このクラスのインスタンスは再利用されるので、内部のメンバ変数をresetする。 + # このクラスのインスタンスは再利用されるので、内部のメンバ変数をresetする。 self.re_init() result = self.generateNode(parsed.parsedSearch) if parsed.parsedAgg: @@ -253,26 +262,27 @@ class HayabusaBackend(SingleTextQueryBackend): result += " " + res ret = "" with StringIO() as bs: - ## 元のyamlをいじるとこの後の処理に影響を与える可能性があるので、deepCopyする + # 元のyamlをいじるとこの後の処理に影響を与える可能性があるので、deepCopyする parsed_yaml = copy.deepcopy(parsed.sigmaParser.parsedyaml) - ## なんかタイトルは先頭に来てほしいので、そのための処理 - ## parsed.sigmaParser.parsedyamlがOrderedDictならこんなことしなくていい、後で別のやり方があるか調べる - ## 順番固定してもいいかも + # なんかタイトルは先頭に来てほしいので、そのための処理 + # parsed.sigmaParser.parsedyamlがOrderedDictならこんなことしなくていい、後で別のやり方があるか調べる + # 順番固定してもいいかも bs.write("title: " + parsed_yaml["title"]+"\n") + bs.write("ruletype: SIGMA\n") del parsed_yaml["title"] - ## detectionの部分だけ変更して出力する。 + # detectionの部分だけ変更して出力する。 parsed_yaml["detection"] = {} parsed_yaml["detection"]["condition"] = result for key, values in self.name_2_selection.items(): - ### fieldnameの有無を確認している + # fieldnameの有無を確認している if values[0][0]: - ## 通常はfieldnameがあってその場合は連想配列で初期化 + # 通常はfieldnameがあってその場合は連想配列で初期化 parsed_yaml["detection"][key] = {} else: - ## is_keyword_list() == Trueの場合だけ、ここにくる + # is_keyword_list() == Trueの場合だけ、ここにくる parsed_yaml["detection"][key] = [] - + for fieldname, value in values: if fieldname == None: ## is_keyword_list() == Trueの場合 @@ -283,5 +293,5 @@ class HayabusaBackend(SingleTextQueryBackend): yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False) ret = bs.getvalue() ret += "---\n" - - return ret \ No newline at end of file + + return ret