Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
+++ b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1046
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
+++ b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1218.011
 - attack.t1085
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -38,3 +38,4 @@ tags:
 - attack.t1203
 - cve.2021.33771
 - cve.2021.31979
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_hack_dumpert.yml
+++ b/rules/sigma/file_event/file_event_hack_dumpert.yml
@@ -29,3 +29,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_hktl_createminidump.yml
+++ b/rules/sigma/file_event/file_event_hktl_createminidump.yml
@@ -28,3 +28,4 @@ tags:
 - attack.credential_access
 - attack.t1003.001
 - attack.t1003
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_lsass_dump.yml
+++ b/rules/sigma/file_event/file_event_lsass_dump.yml
@@ -35,3 +35,4 @@ tags:
 - attack.credential_access
 - attack.t1003.001
 - attack.t1003
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_mal_adwind.yml
+++ b/rules/sigma/file_event/file_event_mal_adwind.yml
@@ -33,3 +33,4 @@ tags:
 - attack.t1059.005
 - attack.t1059.007
 - attack.t1064
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_mal_vhd_download.yml
+++ b/rules/sigma/file_event/file_event_mal_vhd_download.yml
@@ -38,3 +38,4 @@ status: test
 tags:
 - attack.resource_development
 - attack.t1587.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
+++ b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml
@@ -23,3 +23,4 @@ status: test
 tags:
 - attack.credential_access
 - attack.t1558
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_moriya_rootkit.yml
+++ b/rules/sigma/file_event/file_event_moriya_rootkit.yml
@@ -28,3 +28,4 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1543.003
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_pingback_backdoor.yml
+++ b/rules/sigma/file_event/file_event_pingback_backdoor.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1574.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
+++ b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml
@@ -44,3 +44,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_susp_task_write.yml
+++ b/rules/sigma/file_event/file_event_susp_task_write.yml
@@ -28,3 +28,4 @@ tags:
 - attack.persistence
 - attack.execution
 - attack.t1053
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_tool_psexec.yml
+++ b/rules/sigma/file_event/file_event_tool_psexec.yml
@@ -38,3 +38,4 @@ tags:
 - attack.t1035
 - attack.t1569.002
 - attack.s0029
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml
+++ b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml
@@ -28,3 +28,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml
+++ b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml
@@ -30,3 +30,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml
@@ -47,3 +47,4 @@ logsource:
 references:
 - No references
 status: experimental
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml
+++ b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1047
 - attack.lateral_movement
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_creation_system_file.yml
+++ b/rules/sigma/file_event/sysmon_creation_system_file.yml
@@ -65,3 +65,4 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - attack.t1036.005
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml
@@ -55,3 +55,4 @@ tags:
 - attack.t1003.003
 - attack.t1003.004
 - attack.t1003.005
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml
+++ b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -36,3 +36,4 @@ tags:
 - attack.t1203
 - attack.execution
 - cve.2021.26858
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml
+++ b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml
@@ -30,3 +30,4 @@ tags:
 - attack.privilege_escalation
 - attack.defense_evasion
 - attack.t1574.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml
@@ -24,3 +24,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -32,3 +32,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_office_persistence.yml
+++ b/rules/sigma/file_event/sysmon_office_persistence.yml
@@ -38,3 +38,4 @@ tags:
 - attack.persistence
 - attack.t1137
 - attack.t1137.006
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_outlook_newform.yml
+++ b/rules/sigma/file_event/sysmon_outlook_newform.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1137.003
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml
+++ b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml
@@ -118,3 +118,4 @@ tags:
 - attack.execution
 - attack.t1086
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml
+++ b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.registry_run_keys_/_startup_folder
 - attack.t1547.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml
@@ -26,3 +26,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml
+++ b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1027
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml
+++ b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1547.001
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -37,3 +37,4 @@ tags:
 - attack.t1071
 - attack.t1001.003
 - attack.command_and_control
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_susp_clr_logs.yml
+++ b/rules/sigma/file_event/sysmon_susp_clr_logs.yml
@@ -42,3 +42,4 @@ tags:
 - attack.defense_evasion
 - attack.t1059.001
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml
@@ -31,3 +31,4 @@ tags:
 - attack.persistence
 - attack.t1023
 - attack.t1547.009
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
+++ b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1552.004
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -36,3 +36,4 @@ tags:
 - attack.t1089
 - attack.t1562.001
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml
+++ b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml
@@ -28,3 +28,4 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1546.013
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -23,3 +23,4 @@ status: experimental
 tags:
 - attack.command_and_control
 - attack.t1219
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
+++ b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml
@@ -26,3 +26,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
+++ b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@@ -26,3 +26,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
+++ b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml
@@ -29,3 +29,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
+++ b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml
@@ -25,3 +25,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
@@ -26,3 +26,4 @@ tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
+++ b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml
@@ -57,3 +57,4 @@ tags:
 - attack.persistence
 - attack.t1100
 - attack.t1505.003
+ruletype: SIGMA
--- a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1084
 - attack.t1546.003
 - attack.persistence
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
+++ b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml
@@ -34,3 +34,4 @@ tags:
 - attack.resource_development
 - attack.t1587
 - cve.2021.1675
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
+++ b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml
@@ -36,3 +36,4 @@ status: experimental
 tags:
 - attack.resource_development
 - attack.t1587
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_hivenightmare_file_exports.yml
+++ b/rules/sigma/file_event/win_hivenightmare_file_exports.yml
@@ -37,3 +37,4 @@ tags:
 - attack.credential_access
 - attack.t1552.001
 - cve.2021.36934
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
+++ b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1137
 - attack.t1008
 - attack.t1546
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_rclone_exec_file.yml
+++ b/rules/sigma/file_event/win_rclone_exec_file.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.exfiltration
 - attack.t1567.002
+ruletype: SIGMA
--- a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
+++ b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml
@@ -38,3 +38,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1105
+ruletype: SIGMA