Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml
@@ -35,3 +35,4 @@ tags:
 - attack.persistence
 - attack.t1112
 - attack.t1053
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml
+++ b/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1046
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_alternate_data_streams.yml
+++ b/rules/sigma/process_creation/process_creation_alternate_data_streams.yml
@@ -49,3 +49,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1564.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_gallium.yml
+++ b/rules/sigma/process_creation/process_creation_apt_gallium.yml
@@ -35,3 +35,4 @@ tags:
 - attack.t1212
 - attack.command_and_control
 - attack.t1071
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml
+++ b/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml
@@ -46,3 +46,4 @@ tags:
 - attack.t1212
 - attack.command_and_control
 - attack.t1071
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_pandemic.yml
+++ b/rules/sigma/process_creation/process_creation_apt_pandemic.yml
@@ -34,3 +34,4 @@ status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1105
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_slingshot.yml
+++ b/rules/sigma/process_creation/process_creation_apt_slingshot.yml
@@ -33,3 +33,4 @@ tags:
 - attack.persistence
 - attack.t1053.005
 - attack.s0111
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml
+++ b/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml
@@ -33,3 +33,4 @@ tags:
 - attack.discovery
 - attack.t1083
 - attack.t1135
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_apt_wocao.yml
+++ b/rules/sigma/process_creation/process_creation_apt_wocao.yml
@@ -46,3 +46,4 @@ tags:
 - attack.t1053
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_automated_collection.yml
+++ b/rules/sigma/process_creation/process_creation_automated_collection.yml
@@ -43,3 +43,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1119
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml
+++ b/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218.011
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_certoc_execution.yml
+++ b/rules/sigma/process_creation/process_creation_certoc_execution.yml
@@ -30,3 +30,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_clip.yml
+++ b/rules/sigma/process_creation/process_creation_clip.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1115
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
+++ b/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218.011
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml
+++ b/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml
@@ -35,3 +35,4 @@ tags:
 - attack.impact
 - attack.s0575
 - attack.t1486
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml
+++ b/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_discover_private_keys.yml
+++ b/rules/sigma/process_creation/process_creation_discover_private_keys.yml
@@ -42,3 +42,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1552.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml
+++ b/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml
@@ -41,3 +41,4 @@ tags:
 - attack.t1073
 - attack.t1574.002
 - attack.t1112
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_dotnet.yml
+++ b/rules/sigma/process_creation/process_creation_dotnet.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_hack_dumpert.yml
+++ b/rules/sigma/process_creation/process_creation_hack_dumpert.yml
@@ -26,3 +26,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_infdefaultinstall.yml
+++ b/rules/sigma/process_creation/process_creation_infdefaultinstall.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
+++ b/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
@@ -40,3 +40,4 @@ status: experimental
 tags:
 - attack.exfiltration
 - attack.t1567
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml
+++ b/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml
@@ -37,3 +37,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
+++ b/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
@@ -43,3 +43,4 @@ tags:
 - attack.persistence
 - attack.t1547
 - attack.t1547.006
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
+++ b/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml
@@ -34,3 +34,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_msdeploy.yml
+++ b/rules/sigma/process_creation/process_creation_msdeploy.yml
@@ -37,3 +37,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
+++ b/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml
@@ -40,3 +40,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
+++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml
@@ -56,3 +56,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
+++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
@@ -52,3 +52,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml
+++ b/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml
@@ -35,3 +35,4 @@ tags:
 - attack.t1218.010
 - attack.execution
 - attack.defense_evasion
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_pingback_backdoor.yml
+++ b/rules/sigma/process_creation/process_creation_pingback_backdoor.yml
@@ -34,3 +34,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1574.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml
+++ b/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_root_certificate_installed.yml
+++ b/rules/sigma/process_creation/process_creation_root_certificate_installed.yml
@@ -37,3 +37,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1553.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_sdelete.yml
+++ b/rules/sigma/process_creation/process_creation_sdelete.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.impact
 - attack.t1485
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_software_discovery.yml
+++ b/rules/sigma/process_creation/process_creation_software_discovery.yml
@@ -38,3 +38,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1518
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml
+++ b/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -42,3 +42,4 @@ tags:
 - attack.t1546.008
 - car.2014-11-003
 - car.2014-11-008
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_stordiag_execution.yml
+++ b/rules/sigma/process_creation/process_creation_stordiag_execution.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_7z.yml
+++ b/rules/sigma/process_creation/process_creation_susp_7z.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1560.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml
@@ -39,3 +39,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_del.yml
+++ b/rules/sigma/process_creation/process_creation_susp_del.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1070.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_recon.yml
+++ b/rules/sigma/process_creation/process_creation_susp_recon.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1119
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml
+++ b/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml
@@ -32,3 +32,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_winzip.yml
+++ b/rules/sigma/process_creation/process_creation_susp_winzip.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1560.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_susp_zip_compress.yml
+++ b/rules/sigma/process_creation/process_creation_susp_zip_compress.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1074.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
+++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
@@ -34,3 +34,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -32,3 +32,4 @@ tags:
 - attack.defense_evasion
 - attack.t1218
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml
+++ b/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.resource_development
 - attack.t1588.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
+++ b/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -35,3 +35,4 @@ tags:
 - attack.t1088
 - attack.t1548.002
 - car.2019-04-001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_tool_psexec.yml
+++ b/rules/sigma/process_creation/process_creation_tool_psexec.yml
@@ -40,3 +40,4 @@ tags:
 - attack.t1035
 - attack.t1569.002
 - attack.s0029
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml
+++ b/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1505.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_mailboxexport_share.yml
+++ b/rules/sigma/process_creation/process_mailboxexport_share.yml
@@ -34,3 +34,4 @@ tags:
 - attack.t1505.003
 - attack.resource_development
 - attack.t1584.006
+ruletype: SIGMA
--- a/rules/sigma/process_creation/process_susp_esentutl_params.yml
+++ b/rules/sigma/process_creation/process_susp_esentutl_params.yml
@@ -34,3 +34,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.003
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml
@@ -48,3 +48,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1548
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
+++ b/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1069.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
+++ b/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -44,3 +44,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml
@@ -31,3 +31,4 @@ tags:
 - attack.command_and_control
 - attack.t1071
 - attack.t1071.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_apt_sourgrum.yml
+++ b/rules/sigma/process_creation/sysmon_apt_sourgrum.yml
@@ -46,3 +46,4 @@ tags:
 - attack.t1546.015
 - attack.persistence
 - attack.privilege_escalation
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
+++ b/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
@@ -36,3 +36,4 @@ tags:
 - attack.execution
 - attack.t1190
 - attack.t1059
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml
+++ b/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml
@@ -32,3 +32,4 @@ tags:
 - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml
+++ b/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml
@@ -35,3 +35,4 @@ tags:
 - attack.collection
 - attack.t1218
 - attack.t1056.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml
+++ b/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1203
 - attack.execution
 - cve.2021.26857
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml
+++ b/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml
@@ -40,3 +40,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_hack_wce.yml
+++ b/rules/sigma/process_creation/sysmon_hack_wce.yml
@@ -36,3 +36,4 @@ tags:
 - attack.t1003
 - attack.t1003.001
 - attack.s0005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml
+++ b/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml
@@ -27,3 +27,4 @@ tags:
 - attack.privilege_escalation
 - attack.defense_evasion
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -36,3 +36,4 @@ tags:
 - attack.t1037
 - attack.t1037.001
 - attack.persistence
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml
+++ b/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_netcat_execution.yml
+++ b/rules/sigma/process_creation/sysmon_netcat_execution.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.command_and_control
 - attack.t1095
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -37,3 +37,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml
+++ b/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_sdclt_child_process.yml
+++ b/rules/sigma/process_creation/sysmon_sdclt_child_process.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1548.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml
+++ b/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1572
 - attack.lateral_movement
 - attack.t1021.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_susp_service_modification.yml
+++ b/rules/sigma/process_creation/sysmon_susp_service_modification.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml
+++ b/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.exfiltration
 - attack.t1048.003
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml
+++ b/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml
+++ b/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml
@@ -43,3 +43,4 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.t1059
+ruletype: SIGMA
--- a/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml
+++ b/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml
@@ -56,3 +56,4 @@ tags:
 - attack.command_and_control
 - attack.t1071
 - attack.t1071.004
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_ad_find_discovery.yml
+++ b/rules/sigma/process_creation/win_ad_find_discovery.yml
@@ -45,3 +45,4 @@ tags:
 - attack.discovery
 - attack.t1482
 - attack.t1018
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_anydesk_silent_install.yml
+++ b/rules/sigma/process_creation/win_anydesk_silent_install.yml
@@ -31,3 +31,4 @@ references:
 status: experimental
 tags:
 - attack.t1219
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml
@@ -34,3 +34,4 @@ tags:
 - attack.t1086
 - attack.t1059
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_babyshark.yml
+++ b/rules/sigma/process_creation/win_apt_babyshark.yml
@@ -35,3 +35,4 @@ tags:
 - attack.t1170
 - attack.t1218
 - attack.t1218.005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml
@@ -49,3 +49,4 @@ tags:
 - attack.t1003
 - attack.t1552.001
 - attack.t1003.003
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_bluemashroom.yml
+++ b/rules/sigma/process_creation/win_apt_bluemashroom.yml
@@ -28,3 +28,4 @@ tags:
 - attack.defense_evasion
 - attack.t1117
 - attack.t1218.010
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_cloudhopper.yml
+++ b/rules/sigma/process_creation/win_apt_cloudhopper.yml
@@ -31,3 +31,4 @@ tags:
 - attack.g0045
 - attack.t1064
 - attack.t1059.005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_dragonfly.yml
+++ b/rules/sigma/process_creation/win_apt_dragonfly.yml
@@ -27,3 +27,4 @@ tags:
 - attack.discovery
 - attack.t1110
 - attack.t1087
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_elise.yml
+++ b/rules/sigma/process_creation/win_apt_elise.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1059
 - attack.t1059.003
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml
+++ b/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml
@@ -28,3 +28,4 @@ tags:
 - attack.defense_evasion
 - attack.t1073
 - attack.t1574.002
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_empiremonkey.yml
+++ b/rules/sigma/process_creation/win_apt_empiremonkey.yml
@@ -28,3 +28,4 @@ tags:
 - attack.defense_evasion
 - attack.t1218.010
 - attack.t1117
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -31,3 +31,4 @@ tags:
 - attack.defense_evasion
 - attack.t1085
 - attack.t1218.011
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_evilnum_jul20.yml
+++ b/rules/sigma/process_creation/win_apt_evilnum_jul20.yml
@@ -35,3 +35,4 @@ tags:
 - attack.defense_evasion
 - attack.t1085
 - attack.t1218.011
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/sigma/process_creation/win_apt_greenbug_may20.yml
@@ -60,3 +60,4 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - attack.t1036.005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_hafnium.yml
+++ b/rules/sigma/process_creation/win_apt_hafnium.yml
@@ -91,3 +91,4 @@ tags:
 - attack.persistence
 - attack.t1546
 - attack.t1053
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_hurricane_panda.yml
+++ b/rules/sigma/process_creation/win_apt_hurricane_panda.yml
@@ -30,3 +30,4 @@ tags:
 - attack.privilege_escalation
 - attack.g0009
 - attack.t1068
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -41,3 +41,4 @@ tags:
 - attack.exfiltration
 - attack.t1002
 - attack.t1560.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml
+++ b/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml
@@ -29,3 +29,4 @@ tags:
 - attack.defense_evasion
 - attack.t1089
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml
+++ b/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml
@@ -40,3 +40,4 @@ tags:
 - attack.g0032
 - attack.execution
 - attack.t1106
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml
+++ b/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml
@@ -43,3 +43,4 @@ tags:
 - attack.g0032
 - attack.execution
 - attack.t1059
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_lazarus_loader.yml
+++ b/rules/sigma/process_creation/win_apt_lazarus_loader.yml
@@ -45,3 +45,4 @@ tags:
 - attack.g0032
 - attack.execution
 - attack.t1059
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml
+++ b/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml
@@ -30,3 +30,4 @@ tags:
 - attack.defense_evasion
 - attack.t1036
 - attack.t1036.005
+ruletype: SIGMA
--- a/rules/sigma/process_creation/win_apt_mustangpanda.yml
+++ b/rules/sigma/process_creation/win_apt_mustangpanda.yml
@@ -42,3 +42,4 @@ status: experimental
 tags:
 - attack.t1587.001
 - attack.resource_development
+ruletype: SIGMA
--- a/Show More
+++ b/Show More