Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml
+++ b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml
@@ -37,3 +37,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1012
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml
+++ b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml
@@ -39,3 +39,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1012
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml
+++ b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1098
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_account_discovery.yml
+++ b/rules/sigma/builtin/win_account_discovery.yml
@@ -41,3 +41,4 @@ tags:
 - attack.discovery
 - attack.t1087
 - attack.t1087.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_ad_object_writedac_access.yml
+++ b/rules/sigma/builtin/win_ad_object_writedac_access.yml
@@ -29,3 +29,4 @@ tags:
 - attack.defense_evasion
 - attack.t1222
 - attack.t1222.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml
@@ -39,3 +39,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.006
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_ad_user_enumeration.yml
+++ b/rules/sigma/builtin/win_ad_user_enumeration.yml
@@ -32,3 +32,4 @@ tags:
 - attack.discovery
 - attack.t1087
 - attack.t1087.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml
+++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.credential_access
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml
+++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml
@@ -46,3 +46,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.credential_access
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_admin_rdp_login.yml
+++ b/rules/sigma/builtin/win_admin_rdp_login.yml
@@ -34,3 +34,4 @@ tags:
 - attack.t1078.002
 - attack.t1078.003
 - car.2016-04-005
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_admin_share_access.yml
+++ b/rules/sigma/builtin/win_admin_share_access.yml
@@ -26,3 +26,4 @@ tags:
 - attack.lateral_movement
 - attack.t1077
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/sigma/builtin/win_alert_active_directory_user_control.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1098
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml
@@ -50,3 +50,4 @@ status: experimental
 tags:
 - attack.t1098
 - attack.persistence
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml
@@ -88,3 +88,4 @@ tags:
 - attack.defense_evasion
 - attack.t1089
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_lsass_access.yml
+++ b/rules/sigma/builtin/win_alert_lsass_access.yml
@@ -28,3 +28,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml
@@ -43,3 +43,4 @@ tags:
 - attack.t1003.004
 - attack.t1003.001
 - attack.t1003.006
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_alert_ruler.yml
+++ b/rules/sigma/builtin/win_alert_ruler.yml
@@ -38,3 +38,4 @@ tags:
 - attack.t1114
 - attack.t1059
 - attack.t1550.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml
@@ -45,3 +45,4 @@ tags:
 - attack.t1059.005
 - attack.t1059.006
 - attack.t1059.007
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml
+++ b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml
@@ -28,3 +28,4 @@ tags:
 - attack.g0010
 - attack.t1050
 - attack.t1543.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml
+++ b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml
@@ -39,3 +39,4 @@ tags:
 - attack.command_and_control
 - attack.t1071
 - attack.t1071.004
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml
+++ b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml
@@ -36,3 +36,4 @@ tags:
 - attack.command_and_control
 - attack.t1071
 - attack.t1071.004
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_gallium.yml
+++ b/rules/sigma/builtin/win_apt_gallium.yml
@@ -36,3 +36,4 @@ tags:
 - attack.credential_access
 - attack.command_and_control
 - attack.t1071
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_slingshot.yml
+++ b/rules/sigma/builtin/win_apt_slingshot.yml
@@ -29,3 +29,4 @@ tags:
 - attack.persistence
 - attack.t1053
 - attack.s0111
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_stonedrill.yml
+++ b/rules/sigma/builtin/win_apt_stonedrill.yml
@@ -27,3 +27,4 @@ tags:
 - attack.g0064
 - attack.t1050
 - attack.t1543.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_turla_service_png.yml
+++ b/rules/sigma/builtin/win_apt_turla_service_png.yml
@@ -25,3 +25,4 @@ tags:
 - attack.g0010
 - attack.t1050
 - attack.t1543.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_apt_wocao.yml
+++ b/rules/sigma/builtin/win_apt_wocao.yml
@@ -35,3 +35,4 @@ tags:
 - attack.t1053
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -32,3 +32,4 @@ tags:
 - attack.t1566.001
 - attack.execution
 - attack.initial_access
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml
+++ b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1218
 - attack.defense_evasion
 - attack.execution
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_atsvc_task.yml
+++ b/rules/sigma/builtin/win_atsvc_task.yml
@@ -33,3 +33,4 @@ tags:
 - car.2013-05-004
 - car.2015-04-001
 - attack.t1053.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_audit_cve.yml
+++ b/rules/sigma/builtin/win_audit_cve.yml
@@ -36,3 +36,4 @@ tags:
 - attack.t1210
 - attack.impact
 - attack.t1499.004
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_av_relevant_match.yml
+++ b/rules/sigma/builtin/win_av_relevant_match.yml
@@ -41,3 +41,4 @@ status: experimental
 tags:
 - attack.resource_development
 - attack.t1588
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_camera_microphone_access.yml
+++ b/rules/sigma/builtin/win_camera_microphone_access.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1123
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml
@@ -46,3 +46,4 @@ tags:
 - attack.t1021.002
 - attack.t1543.003
 - attack.t1569.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml
+++ b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml
@@ -27,3 +27,4 @@ tags:
 - attack.lateral_movement
 - attack.t1021.002
 - attack.t1021.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_dcsync.yml
+++ b/rules/sigma/builtin/win_dcsync.yml
@@ -38,3 +38,4 @@ tags:
 - attack.s0002
 - attack.t1003
 - attack.t1003.006
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_disable_event_logging.yml
+++ b/rules/sigma/builtin/win_disable_event_logging.yml
@@ -37,3 +37,4 @@ tags:
 - attack.defense_evasion
 - attack.t1054
 - attack.t1562.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml
+++ b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml
@@ -28,3 +28,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.004
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -26,3 +26,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.004
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_etw_modification.yml
+++ b/rules/sigma/builtin/win_etw_modification.yml
@@ -34,3 +34,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1112
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_event_log_cleared.yml
+++ b/rules/sigma/builtin/win_event_log_cleared.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.t1107
 - attack.t1070.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_exchange_transportagent.yml
+++ b/rules/sigma/builtin/win_exchange_transportagent.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1505.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml
@@ -43,3 +43,4 @@ tags:
 - attack.execution
 - attack.t1569
 - cve.2021.1675
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -29,3 +29,4 @@ tags:
 - attack.execution
 - attack.t1569
 - cve.2021.1675
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -32,3 +32,4 @@ tags:
 - attack.t1569
 - cve.2021.1675
 - cve.2021.34527
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_external_device.yml
+++ b/rules/sigma/builtin/win_external_device.yml
@@ -26,3 +26,4 @@ tags:
 - attack.t1200
 - attack.lateral_movement
 - attack.initial_access
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_global_catalog_enumeration.yml
+++ b/rules/sigma/builtin/win_global_catalog_enumeration.yml
@@ -31,3 +31,4 @@ tags:
 - attack.discovery
 - attack.t1087
 - attack.t1087.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_gpo_scheduledtasks.yml
+++ b/rules/sigma/builtin/win_gpo_scheduledtasks.yml
@@ -35,3 +35,4 @@ tags:
 - attack.lateral_movement
 - attack.t1053
 - attack.t1053.005
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_hack_smbexec.yml
+++ b/rules/sigma/builtin/win_hack_smbexec.yml
@@ -33,3 +33,4 @@ tags:
 - attack.t1021.002
 - attack.t1035
 - attack.t1569.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_hidden_user_creation.yml
+++ b/rules/sigma/builtin/win_hidden_user_creation.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1136.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml
+++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1554
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.persistence
 - attack.t1554
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_impacket_psexec.yml
+++ b/rules/sigma/builtin/win_impacket_psexec.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_impacket_secretdump.yml
+++ b/rules/sigma/builtin/win_impacket_secretdump.yml
@@ -32,3 +32,4 @@ tags:
 - attack.t1003.002
 - attack.t1003.004
 - attack.t1003.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1027
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -40,3 +40,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1027
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml
@@ -25,3 +25,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml
@@ -28,3 +28,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_iso_mount.yml
+++ b/rules/sigma/builtin/win_iso_mount.yml
@@ -34,3 +34,4 @@ status: experimental
 tags:
 - attack.initial_access
 - attack.t1566.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_lm_namedpipe.yml
+++ b/rules/sigma/builtin/win_lm_namedpipe.yml
@@ -51,3 +51,4 @@ tags:
 - attack.lateral_movement
 - attack.t1077
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml
+++ b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml
@@ -32,3 +32,4 @@ tags:
 - attack.t1482
 - attack.t1018
 - attack.t1016
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_lsass_access_non_system_account.yml
+++ b/rules/sigma/builtin/win_lsass_access_non_system_account.yml
@@ -67,3 +67,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_mal_creddumper.yml
+++ b/rules/sigma/builtin/win_mal_creddumper.yml
@@ -40,3 +40,4 @@ tags:
 - attack.t1035
 - attack.t1569.002
 - attack.s0005
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_mal_wceaux_dll.yml
+++ b/rules/sigma/builtin/win_mal_wceaux_dll.yml
@@ -31,3 +31,4 @@ tags:
 - attack.credential_access
 - attack.t1003
 - attack.s0005
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_metasploit_authentication.yml
+++ b/rules/sigma/builtin/win_metasploit_authentication.yml
@@ -37,3 +37,4 @@ tags:
 - attack.lateral_movement
 - attack.t1077
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -63,3 +63,4 @@ tags:
 - attack.t1134
 - attack.t1134.001
 - attack.t1134.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/sigma/builtin/win_mmc20_lateral_movement.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1175
 - attack.t1021.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_moriya_rootkit.yml
+++ b/rules/sigma/builtin/win_moriya_rootkit.yml
@@ -25,3 +25,4 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1543.003
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/sigma/builtin/win_net_ntlm_downgrade.yml
@@ -38,3 +38,4 @@ tags:
 - attack.t1089
 - attack.t1562.001
 - attack.t1112
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_net_use_admin_share.yml
+++ b/rules/sigma/builtin/win_net_use_admin_share.yml
@@ -30,3 +30,4 @@ status: experimental
 tags:
 - attack.lateral_movement
 - attack.t1021.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1036
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_not_allowed_rdp_access.yml
+++ b/rules/sigma/builtin/win_not_allowed_rdp_access.yml
@@ -28,3 +28,4 @@ tags:
 - attack.lateral_movement
 - attack.t1076
 - attack.t1021.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml
+++ b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.impact
 - attack.t1499.001
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_overpass_the_hash.yml
+++ b/rules/sigma/builtin/win_overpass_the_hash.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1075
 - attack.s0002
 - attack.t1550.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_pass_the_hash.yml
+++ b/rules/sigma/builtin/win_pass_the_hash.yml
@@ -40,3 +40,4 @@ tags:
 - attack.t1075
 - car.2016-04-004
 - attack.t1550.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_pass_the_hash_2.yml
+++ b/rules/sigma/builtin/win_pass_the_hash_2.yml
@@ -42,3 +42,4 @@ tags:
 - attack.lateral_movement
 - attack.t1075
 - attack.t1550.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_petitpotam_network_share.yml
+++ b/rules/sigma/builtin/win_petitpotam_network_share.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1187
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml
+++ b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml
@@ -41,3 +41,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1187
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_possible_dc_shadow.yml
+++ b/rules/sigma/builtin/win_possible_dc_shadow.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1207
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml
+++ b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1569.002
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml
+++ b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.t1068
 - attack.privilege_escalation
+ruletype: SIGMA
--- a/rules/sigma/builtin/win_protected_storage_service_access.yml
+++ b/rules/sigma/builtin/win_protected_storage_service_access.yml
@@ -27,3 +27,4 @@ tags:
 - attack.lateral_movement
 - attack.t1021
 - attack.t1021.002
+ruletype: SIGMA
--- a/Show More
+++ b/Show More