Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
+++ b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml
@@ -39,3 +39,4 @@ tags:
 - attack.t1059.005
 - attack.t1059.007
 - attack.t1218.005
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -29,3 +29,4 @@ tags:
 - attack.defense_evasion
 - attack.t1055
 - attack.t1055.001
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
@@ -27,3 +27,4 @@ tags:
 - attack.defense_evasion
 - attack.t1055
 - attack.t1055.001
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
+++ b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -30,3 +30,4 @@ tags:
 - attack.t1003
 - attack.s0005
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
+++ b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
+++ b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1218.011
 - attack.t1086
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
+++ b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -86,3 +86,4 @@ tags:
 - attack.privilege_escalation
 - attack.defense_evasion
 - attack.t1055
+ruletype: SIGMA