diff --git a/rules/Sigma/av_exploiting.yml b/rules/Sigma/av_exploiting.yml new file mode 100644 index 00000000..fe011d8d --- /dev/null +++ b/rules/Sigma/av_exploiting.yml @@ -0,0 +1,55 @@ +title: Antivirus Exploitation Framework Detection +author: Florian Roth +date: 2018/09/09 +description: Detects a highly relevant Antivirus alert that reports an exploitation + framework +detection: + SELECTION_1: + Signature: '*MeteTool*' + SELECTION_10: + Signature: '*CobaltStr*' + SELECTION_11: + Signature: '*COBEACON*' + SELECTION_12: + Signature: '*Cometer*' + SELECTION_13: + Signature: '*Razy*' + SELECTION_2: + Signature: '*MPreter*' + SELECTION_3: + Signature: '*Meterpreter*' + SELECTION_4: + Signature: '*Metasploit*' + SELECTION_5: + Signature: '*PowerSploit*' + SELECTION_6: + Signature: '*CobaltSrike*' + SELECTION_7: + Signature: '*Swrort*' + SELECTION_8: + Signature: '*Rozena*' + SELECTION_9: + Signature: '*Backdoor.Cobalt*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13) +falsepositives: +- Unlikely +fields: +- FileName +- User +id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 +level: critical +logsource: + product: antivirus +modified: 2019/01/16 +references: +- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ +tags: +- attack.execution +- attack.t1203 +- attack.command_and_control +- attack.t1219 +yml_filename: av_exploiting.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/av_hacktool.yml b/rules/Sigma/av_hacktool.yml new file mode 100644 index 00000000..7eb298ae --- /dev/null +++ b/rules/Sigma/av_hacktool.yml 
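Review bot: The `yml_path` value `/Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware` on the new file's last line is an absolute path from the converter's workstation rather than anything in this repository, so it is meaningless in any other checkout. The same value (with the `/malware`, `/dns_query`, `/driver_load` or `/edr` suffix) appears in every file this diff adds, from av_hacktool.yml through edr_command_execution_by_office_applications.yml. If a consumer actually reads the field, make it the upstream repo-relative path, e.g. `yml_path: rules/windows/malware`; if it is only a conversion artifact, strip it before committing.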
@@ -0,0 +1,33 @@ +title: Antivirus Hacktool Detection +author: Florian Roth +date: 2021/08/16 +description: Detects a highly relevant Antivirus alert that reports a hack tool or + other attack tool +detection: + SELECTION_1: + Signature: HTOOL* + SELECTION_2: + Signature: HKTL* + SELECTION_3: + Signature: SecurityTool* + SELECTION_4: + Signature: ATK/* + SELECTION_5: + Signature: '*Hacktool*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5)) +falsepositives: +- Unlikely +fields: +- FileName +- User +id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba +level: high +logsource: + product: antivirus +references: +- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ +tags: +- attack.execution +yml_filename: av_hacktool.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/av_password_dumper.yml b/rules/Sigma/av_password_dumper.yml new file mode 100644 index 00000000..82080249 --- /dev/null +++ b/rules/Sigma/av_password_dumper.yml 
@@ -0,0 +1,54 @@ +title: Antivirus Password Dumper Detection +author: Florian Roth +date: 2018/09/09 +description: Detects a highly relevant Antivirus alert that reports a password dumper +detection: + SELECTION_1: + Signature: '*DumpCreds*' + SELECTION_10: + Signature: '*Kekeo*' + SELECTION_11: + Signature: '*LsassDump*' + SELECTION_12: + Signature: '*Outflank*' + SELECTION_2: + Signature: '*Mimikatz*' + SELECTION_3: + Signature: '*PWCrack*' + SELECTION_4: + Signature: '*HTool/WCE*' + SELECTION_5: + Signature: '*PSWtool*' + SELECTION_6: + Signature: '*PWDump*' + SELECTION_7: + Signature: '*SecurityTool*' + SELECTION_8: + Signature: '*PShlSpy*' + SELECTION_9: + Signature: '*Rubeus*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12) +falsepositives: +- Unlikely +fields: +- FileName +- User +id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 +level: critical +logsource: + product: antivirus +modified: 2019/10/04 +references: +- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ +- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection +tags: +- attack.credential_access +- attack.t1003 +- attack.t1558 +- attack.t1003.001 +- attack.t1003.002 +yml_filename: av_password_dumper.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/av_printernightmare_cve_2021_34527.yml b/rules/Sigma/av_printernightmare_cve_2021_34527.yml new file mode 100644 index 00000000..27cc0364 --- /dev/null +++ b/rules/Sigma/av_printernightmare_cve_2021_34527.yml 
@@ -0,0 +1,31 @@ +title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection +author: Sittikorn S, Nuttakorn T +date: 2021/07/01 +description: Detects the suspicious file that is created from PoC code against Windows + Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), + CVE-2021-1675 . +detection: + SELECTION_1: + FileName: '*C:\Windows\System32\spool\drivers\x64\\*' + condition: SELECTION_1 +falsepositives: +- Unlikely +fields: +- Signature +- FileName +- ComputerName +id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561 +level: critical +logsource: + product: antivirus +references: +- https://twitter.com/mvelazco/status/1410291741241102338 +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 +status: stable +tags: +- attack.privilege_escalation +- attack.t1055 +yml_filename: av_printernightmare_cve_2021_34527.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/av_relevant_files.yml b/rules/Sigma/av_relevant_files.yml new file mode 100644 index 00000000..7cd864e2 --- /dev/null +++ b/rules/Sigma/av_relevant_files.yml 
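Review bot: The tag `attack.t1055` (Process Injection) does not describe what this rule catches — an AV alert on a file under `C:\Windows\System32\spool\drivers\x64\`, i.e. exploitation of the Print Spooler for privilege escalation — so `attack.t1068` looks like the closer technique; worth confirming against the upstream rule before changing it. The description also says it detects a file "created from PoC code", while SELECTION_1 matches any AV alert whose FileName lies in that directory regardless of Signature, so the text overstates the rule's specificity. Something like `description: Detects an Antivirus alert on a file under the x64 print spooler driver directory, as seen with CVE-2021-34527 (PrinterNightmare) exploitation` would match the logic.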
@@ -0,0 +1,137 @@ +title: Antivirus Relevant File Paths Alerts +author: Florian Roth, Arnim Rupp +date: 2018/09/09 +description: Detects an Antivirus alert in a highly relevant file path or with a relevant + file name +detection: + SELECTION_1: + FileName: C:\Windows\\* + SELECTION_10: + FileName: '*apache*' + SELECTION_11: + FileName: '*tomcat*' + SELECTION_12: + FileName: '*nginx*' + SELECTION_13: + FileName: '*weblogic*' + SELECTION_14: + Filename: '*.ps1' + SELECTION_15: + Filename: '*.psm1' + SELECTION_16: + Filename: '*.vbs' + SELECTION_17: + Filename: '*.bat' + SELECTION_18: + Filename: '*.cmd' + SELECTION_19: + Filename: '*.sh' + SELECTION_2: + FileName: C:\Temp\\* + SELECTION_20: + Filename: '*.chm' + SELECTION_21: + Filename: '*.xml' + SELECTION_22: + Filename: '*.txt' + SELECTION_23: + Filename: '*.jsp' + SELECTION_24: + Filename: '*.jspx' + SELECTION_25: + Filename: '*.asp' + SELECTION_26: + Filename: '*.aspx' + SELECTION_27: + Filename: '*.ashx' + SELECTION_28: + Filename: '*.asax' + SELECTION_29: + Filename: '*.asmx' + SELECTION_3: + FileName: C:\PerfLogs\\* + SELECTION_30: + Filename: '*.php' + SELECTION_31: + Filename: '*.cfm' + SELECTION_32: + Filename: '*.py' + SELECTION_33: + Filename: '*.pyc' + SELECTION_34: + Filename: '*.pl' + SELECTION_35: + Filename: '*.rb' + SELECTION_36: + Filename: '*.cgi' + SELECTION_37: + Filename: '*.war' + SELECTION_38: + Filename: '*.ear' + SELECTION_39: + Filename: '*.hta' + SELECTION_4: + FileName: C:\Users\Public\\* + SELECTION_40: + Filename: '*.lnk' + SELECTION_41: + Filename: '*.scf' + SELECTION_42: + Filename: '*.sct' + SELECTION_43: + Filename: '*.vbe' + SELECTION_44: + Filename: '*.wsf' + SELECTION_45: + Filename: '*.wsh' + SELECTION_46: + Filename: '*.gif' + SELECTION_47: + Filename: '*.png' + SELECTION_48: + Filename: '*.jpg' + SELECTION_49: + Filename: '*.jpeg' + SELECTION_5: + FileName: C:\Users\Default\\* + SELECTION_50: + Filename: '*.svg' + SELECTION_51: + Filename: '*.dat' + SELECTION_6: + FileName: 
'*\Client\\*' + SELECTION_7: + FileName: '*\tsclient\\*' + SELECTION_8: + FileName: '*\inetpub\\*' + SELECTION_9: + FileName: '*/www/*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13) or (SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 + or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 + or SELECTION_51)) +falsepositives: +- Unlikely +fields: +- Signature +- User +id: c9a88268-0047-4824-ba6e-4d81ce0b907c +level: high +logsource: + product: antivirus +modified: 2021/05/09 +references: +- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ +tags: +- attack.resource_development +- attack.t1588 +yml_filename: av_relevant_files.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/av_webshell.yml b/rules/Sigma/av_webshell.yml new file mode 100644 index 00000000..1db28cc7 --- /dev/null +++ b/rules/Sigma/av_webshell.yml 
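Review bot: SELECTION_14 through SELECTION_51 key on `Filename` while SELECTION_1 through SELECTION_13 key on `FileName`; most Sigma backends match field names as written, so the 38 extension-based selections reference a field the antivirus log source probably does not carry and will never fire unless the backend maps fields case-insensitively. They should all read `FileName: '*.ps1'`, `FileName: '*.psm1'`, etc., consistent with the first 13 selections. Separately, that list includes `*.txt`, `*.xml`, `*.png`, `*.jpg`, `*.jpeg`, `*.gif` and `*.dat`, so once the field name is fixed this `level: high` rule fires on almost any AV alert while `falsepositives` says `Unlikely`; the extension list and the level should be reconsidered together.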
@@ -0,0 +1,126 @@ +title: Antivirus Web Shell Detection +author: Florian Roth, Arnim Rupp +date: 2018/09/09 +description: Detects a highly relevant Antivirus alert that reports a web shell. It's + highly recommended to tune this rule to the specific strings used by your anti + virus solution by downloading a big webshell repo from e.g. github and checking + the matches. +detection: + SELECTION_1: + Signature: PHP/* + SELECTION_10: + Signature: IIS/BackDoor* + SELECTION_11: + Signature: JAVA/Backdoor* + SELECTION_12: + Signature: Troj/ASP* + SELECTION_13: + Signature: Troj/PHP* + SELECTION_14: + Signature: Troj/JSP* + SELECTION_15: + Signature: '*Webshell*' + SELECTION_16: + Signature: '*Chopper*' + SELECTION_17: + Signature: '*SinoChoper*' + SELECTION_18: + Signature: '*ASPXSpy*' + SELECTION_19: + Signature: '*Aspdoor*' + SELECTION_2: + Signature: JSP/* + SELECTION_20: + Signature: '*filebrowser*' + SELECTION_21: + Signature: '*PHP_*' + SELECTION_22: + Signature: '*JSP_*' + SELECTION_23: + Signature: '*ASP_*' + SELECTION_24: + Signature: '*PHP:*' + SELECTION_25: + Signature: '*JSP:*' + SELECTION_26: + Signature: '*ASP:*' + SELECTION_27: + Signature: '*Perl:*' + SELECTION_28: + Signature: '*PHPShell*' + SELECTION_29: + Signature: '*Trojan.PHP*' + SELECTION_3: + Signature: ASP/* + SELECTION_30: + Signature: '*Trojan.ASP*' + SELECTION_31: + Signature: '*Trojan.JSP*' + SELECTION_32: + Signature: '*Trojan.VBS*' + SELECTION_33: + Signature: '*PHP?Agent*' + SELECTION_34: + Signature: '*ASP?Agent*' + SELECTION_35: + Signature: '*JSP?Agent*' + SELECTION_36: + Signature: '*VBS?Agent*' + SELECTION_37: + Signature: '*Backdoor?PHP*' + SELECTION_38: + Signature: '*Backdoor?JSP*' + SELECTION_39: + Signature: '*Backdoor?ASP*' + SELECTION_4: + Signature: Perl/* + SELECTION_40: + Signature: '*Backdoor?VBS*' + SELECTION_41: + Signature: '*Backdoor?Java*' + SELECTION_5: + Signature: PHP.* + SELECTION_6: + Signature: JSP.* + SELECTION_7: + Signature: ASP.* + SELECTION_8: + Signature: 
Perl.* + SELECTION_9: + Signature: VBS/Uxor* + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14) or (SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41)) +falsepositives: +- Unlikely +fields: +- FileName +- User +id: fdf135a2-9241-4f96-a114-bb404948f736 +level: critical +logsource: + product: antivirus +modified: 2021/05/08 +references: +- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ +- https://github.com/tennc/webshell +- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection +- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection +- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection +- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection +- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection +- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection +- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection +tags: +- attack.persistence +- attack.t1100 +- attack.t1505.003 +yml_filename: av_webshell.yml +yml_path: 
/Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware + diff --git a/rules/Sigma/dns_net_mal_cobaltstrike.yml b/rules/Sigma/dns_net_mal_cobaltstrike.yml new file mode 100644 index 00000000..bf05e904 --- /dev/null +++ b/rules/Sigma/dns_net_mal_cobaltstrike.yml @@ -0,0 +1,36 @@ +title: Suspicious Cobalt Strike DNS Beaconing +author: Florian Roth +date: 2021/11/09 +description: Detects a program that invoked suspicious DNS queries known from Cobalt + Strike beacons +detection: + SELECTION_1: + EventID: 22 + SELECTION_2: + QueryName: aaa.stage.* + SELECTION_3: + QueryName: post.1* + SELECTION_4: + QueryName: '*.stage.123456.*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or SELECTION_4)) +falsepositives: +- Unknown +fields: +- Image +- CommandLine +id: f356a9c4-effd-4608-bbf8-408afd5cd006 +level: critical +logsource: + category: dns_query + product: windows +references: +- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns +- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +status: experimental +tags: +- attack.command_and_control +- attack.t1071 +- attack.t1071.004 +yml_filename: dns_net_mal_cobaltstrike.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/dns_net_susp_ipify.yml b/rules/Sigma/dns_net_susp_ipify.yml new file mode 100644 index 00000000..a16dda5e --- /dev/null +++ b/rules/Sigma/dns_net_susp_ipify.yml 
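Review bot: `fields` lists `CommandLine`, which the Sysmon Event ID 22 (DNS query) record pinned by SELECTION_1 does not carry — that event exposes `Image`, `User`, `QueryName`, `QueryStatus`, `QueryResults` and the process identifiers — so the column would be empty in any output built from this hint. The same carry-over from a network-connection rule is visible in dns_query_regsvr32_network_activity.yml, whose `fields` list `DestinationIp` and `DestinationPort`. Replace it with fields the event actually has, e.g. `- Image`, `- User`, `- QueryResults`.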
@@ -0,0 +1,75 @@ +title: Suspicious DNS Query for IP Lookup Service APIs +author: Brandon George (blog post), Thomas Patzke (rule) +date: 2021/07/08 +description: Detects DNS queries for ip lookup services such as api.ipify.org not + originating from a browser process. +detection: + SELECTION_1: + EventID: 22 + SELECTION_10: + QueryName: api.ipify.org + SELECTION_11: + QueryName: ip-api.com + SELECTION_12: + QueryName: checkip.amazonaws.com + SELECTION_13: + QueryName: ipecho.net + SELECTION_14: + QueryName: ipinfo.io + SELECTION_15: + QueryName: ipv4bot.whatismyipaddress.com + SELECTION_16: + QueryName: freegeoip.app + SELECTION_17: + Image: '*\chrome.exe' + SELECTION_18: + Image: '*\iexplore.exe' + SELECTION_19: + Image: '*\firefox.exe' + SELECTION_2: + QueryName: canireachthe.net + SELECTION_20: + Image: '*\brave.exe' + SELECTION_21: + Image: '*\opera.exe' + SELECTION_22: + Image: '*\msedge.exe' + SELECTION_23: + Image: '*\vivaldi.exe' + SELECTION_3: + QueryName: ipv4.icanhazip.com + SELECTION_4: + QueryName: ip.anysrc.net + SELECTION_5: + QueryName: edns.ip-api.com + SELECTION_6: + QueryName: wtfismyip.com + SELECTION_7: + QueryName: checkip.dyndns.org + SELECTION_8: + QueryName: api.2ip.ua + SELECTION_9: + QueryName: icanhazip.com + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16) and not ((SELECTION_17 or SELECTION_18 or SELECTION_19 or + SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23))) +falsepositives: +- Legitimate usage of ip lookup services such as ipify API +id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 +level: medium +logsource: + category: dns_query + product: windows +modified: 2021/09/10 +references: +- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon +- 
https://twitter.com/neonprimetime/status/1436376497980428318 +status: experimental +tags: +- attack.reconnaissance +- attack.t1590 +yml_filename: dns_net_susp_ipify.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/dns_query_hybridconnectionmgr_servicebus.yml b/rules/Sigma/dns_query_hybridconnectionmgr_servicebus.yml new file mode 100644 index 00000000..49d00926 --- /dev/null +++ b/rules/Sigma/dns_query_hybridconnectionmgr_servicebus.yml @@ -0,0 +1,29 @@ +title: DNS HybridConnectionManager Service Bus +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2021/04/12 +description: Detects Azure Hybrid Connection Manager services querying the Azure service + bus service +detection: + SELECTION_1: + EventID: 22 + SELECTION_2: + QueryName: '*servicebus.windows.net*' + SELECTION_3: + Image: '*HybridConnectionManager*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service +id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d +level: high +logsource: + category: dns_query + product: windows +modified: 2021/06/10 +references: +- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +status: experimental +tags: +- attack.persistence +yml_filename: dns_query_hybridconnectionmgr_servicebus.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/dns_query_mega_nz.yml b/rules/Sigma/dns_query_mega_nz.yml new file mode 100644 index 00000000..2cea5e65 --- /dev/null +++ b/rules/Sigma/dns_query_mega_nz.yml 
@@ -0,0 +1,26 @@ +title: DNS Query for MEGA.io Upload Domain +author: Aaron Greetham (@beardofbinary) - NCC Group +date: 2021/05/26 +description: Detects DNS queries for subdomains used for upload to MEGA.io +detection: + SELECTION_1: + EventID: 22 + SELECTION_2: + QueryName: '*userstorage.mega.co.nz*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Legitimate Mega upload +id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 +level: high +logsource: + category: dns_query + product: windows +references: +- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ +status: experimental +tags: +- attack.exfiltration +- attack.t1567.002 +yml_filename: dns_query_mega_nz.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/dns_query_possible_dns_rebinding.yml b/rules/Sigma/dns_query_possible_dns_rebinding.yml new file mode 100644 index 00000000..73682cde --- /dev/null +++ b/rules/Sigma/dns_query_possible_dns_rebinding.yml 
@@ -0,0 +1,118 @@ +title: Possible DNS Rebinding +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +description: Detects several different DNS-answers by one domain with IPs from internal + and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will + saved in host cache for a while TTL). +detection: + SELECTION_1: + EventID: 22 + SELECTION_10: + QueryResults: (::ffff:)?172.20.* + SELECTION_11: + QueryResults: (::ffff:)?172.21.* + SELECTION_12: + QueryResults: (::ffff:)?172.22.* + SELECTION_13: + QueryResults: (::ffff:)?172.23.* + SELECTION_14: + QueryResults: (::ffff:)?172.24.* + SELECTION_15: + QueryResults: (::ffff:)?172.25.* + SELECTION_16: + QueryResults: (::ffff:)?172.26.* + SELECTION_17: + QueryResults: (::ffff:)?172.27.* + SELECTION_18: + QueryResults: (::ffff:)?172.28.* + SELECTION_19: + QueryResults: (::ffff:)?172.29.* + SELECTION_2: + QueryName: '*' + SELECTION_20: + QueryResults: (::ffff:)?172.30.* + SELECTION_21: + QueryResults: (::ffff:)?172.31.* + SELECTION_22: + QueryResults: (::ffff:)?127.* + SELECTION_23: + QueryName: '*' + SELECTION_24: + QueryStatus: '0' + SELECTION_25: + QueryResults: (::ffff:)?10.* + SELECTION_26: + QueryResults: (::ffff:)?192.168.* + SELECTION_27: + QueryResults: (::ffff:)?172.16.* + SELECTION_28: + QueryResults: (::ffff:)?172.17.* + SELECTION_29: + QueryResults: (::ffff:)?172.18.* + SELECTION_3: + QueryStatus: '0' + SELECTION_30: + QueryResults: (::ffff:)?172.19.* + SELECTION_31: + QueryResults: (::ffff:)?172.20.* + SELECTION_32: + QueryResults: (::ffff:)?172.21.* + SELECTION_33: + QueryResults: (::ffff:)?172.22.* + SELECTION_34: + QueryResults: (::ffff:)?172.23.* + SELECTION_35: + QueryResults: (::ffff:)?172.24.* + SELECTION_36: + QueryResults: (::ffff:)?172.25.* + SELECTION_37: + QueryResults: (::ffff:)?172.26.* + SELECTION_38: + QueryResults: (::ffff:)?172.27.* + SELECTION_39: + QueryResults: (::ffff:)?172.28.* + SELECTION_4: + QueryResults: (::ffff:)?10.* + SELECTION_40: + QueryResults: 
(::ffff:)?172.29.* + SELECTION_41: + QueryResults: (::ffff:)?172.30.* + SELECTION_42: + QueryResults: (::ffff:)?172.31.* + SELECTION_43: + QueryResults: (::ffff:)?127.* + SELECTION_5: + QueryResults: (::ffff:)?192.168.* + SELECTION_6: + QueryResults: (::ffff:)?172.16.* + SELECTION_7: + QueryResults: (::ffff:)?172.17.* + SELECTION_8: + QueryResults: (::ffff:)?172.18.* + SELECTION_9: + QueryResults: (::ffff:)?172.19.* + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22) and (SELECTION_23 and SELECTION_24) and not + ((SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 + or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 + or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 + or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43)))| count(QueryName) + by ComputerName > 3 +id: eb07e747-2552-44cd-af36-b659ae0958e4 +level: medium +logsource: + category: dns_query + product: windows +modified: 2020/08/28 +references: +- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +status: experimental +tags: +- attack.initial_access +- attack.t1189 +yml_filename: dns_query_possible_dns_rebinding.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/dns_query_regsvr32_network_activity.yml b/rules/Sigma/dns_query_regsvr32_network_activity.yml new file mode 100644 index 00000000..30dd7d05 --- /dev/null +++ b/rules/Sigma/dns_query_regsvr32_network_activity.yml 
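Review bot: The condition can never be true: SELECTION_25 through SELECTION_43 are byte-for-byte the same `QueryResults` patterns as SELECTION_4 through SELECTION_22 (10., 192.168., 172.16. through 172.31., 127.), and SELECTION_23/SELECTION_24 repeat SELECTION_2/SELECTION_3, so `(SELECTION_4 or … or SELECTION_22) and not (SELECTION_25 or … or SELECTION_43)` is a contradiction and the `count(QueryName) by ComputerName > 3` aggregation never receives an event. The second group presumably came from an upstream filter that was meant to differ (external versus internal answers); it should be removed or replaced with the filter actually intended. Independently, values such as `(::ffff:)?172.20.*` are written as regular expressions but appear without a regex modifier, so `(`, `)` are matched literally and `?` as a single-character wildcard, which will not match real Sysmon answers of the form `::ffff:172.20.1.1;` (constructed example); either mark them as regex or rewrite them as plain `*172.20.*`-style patterns.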
@@ -0,0 +1,42 @@ +title: Regsvr32 Network Activity +author: Dmitriy Lifanov, oscd.community +date: 2019/10/25 +description: Detects network connections and DNS queries initiated by Regsvr32.exe +detection: + SELECTION_1: + EventID: 22 + SELECTION_2: + Image: '*\regsvr32.exe' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- unknown +fields: +- ComputerName +- User +- Image +- DestinationIp +- DestinationPort +id: 36e037c4-c228-4866-b6a3-48eb292b9955 +level: high +logsource: + category: dns_query + product: windows +modified: 2021/09/21 +references: +- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ +- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md +related: +- id: c7e91a02-d771-4a6d-a700-42587e0b1095 + type: derived +status: experimental +tags: +- attack.execution +- attack.t1559.001 +- attack.t1175 +- attack.defense_evasion +- attack.t1218.010 +- attack.t1117 +yml_filename: dns_query_regsvr32_network_activity.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/dns_query + diff --git a/rules/Sigma/driver_load_mal_creddumper.yml b/rules/Sigma/driver_load_mal_creddumper.yml new file mode 100644 index 00000000..df44c3f1 --- /dev/null +++ b/rules/Sigma/driver_load_mal_creddumper.yml 
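Review bot: The description says the rule "Detects network connections and DNS queries initiated by Regsvr32.exe", but with `category: dns_query` and `EventID: 22` this file covers only the DNS-query half; the network-connection half lives in the related rule `c7e91a02-d771-4a6d-a700-42587e0b1095` it was derived from. Narrow the wording to what this file matches, e.g. `description: Detects DNS queries initiated by Regsvr32.exe`, so an analyst does not assume connection events are covered here.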
@@ -0,0 +1,52 @@ +title: Credential Dumping Tools Service Execution +author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +date: 2017/03/05 +description: Detects well-known credential dumping tools execution via service execution + events +detection: + SELECTION_1: + EventID: 6 + SELECTION_2: + ImageLoaded: '*fgexec*' + SELECTION_3: + ImageLoaded: '*dumpsvc*' + SELECTION_4: + ImageLoaded: '*cachedump*' + SELECTION_5: + ImageLoaded: '*mimidrv*' + SELECTION_6: + ImageLoaded: '*gsecdump*' + SELECTION_7: + ImageLoaded: '*servpw*' + SELECTION_8: + ImageLoaded: '*pwdump*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8)) +falsepositives: +- Legitimate Administrator using credential dumping tool for password recovery +id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2 +level: critical +logsource: + category: driver_load + product: windows +modified: 2021/11/10 +references: +- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +related: +- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed + type: derived +tags: +- attack.credential_access +- attack.execution +- attack.t1003 +- attack.t1003.001 +- attack.t1003.002 +- attack.t1003.004 +- attack.t1003.005 +- attack.t1003.006 +- attack.t1035 +- attack.t1569.002 +- attack.s0005 +yml_filename: driver_load_mal_creddumper.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load + diff --git a/rules/Sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/Sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 00000000..4ee45f46 --- /dev/null +++ b/rules/Sigma/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
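Review bot: The rule now reads `category: driver_load` / `EventID: 6` but keeps the image list of the service-execution rule it was derived from (`related` id `4976aa50-8f41-45c6-8b15-ab3fc10e79ed`): as far as I know `fgexec`, `dumpsvc`, `cachedump`, `gsecdump`, `servpw` and `pwdump` are user-mode service binaries that would not appear in a driver-loaded event, leaving `*mimidrv*` (the Mimikatz driver) as the only plausible match. The title ("Service Execution") and description ("via service execution events") therefore describe a different log source than the one the rule consumes; either reword to `description: Detects the load of drivers belonging to well-known credential dumping tools, such as mimidrv` or drop the non-driver names. driver_load_powershell_script_installed_as_service.yml in this diff has the same mismatch, matching `*powershell*`/`*pwsh*` as a driver image.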
@@ -0,0 +1,69 @@ +title: Meterpreter or Cobalt Strike Getsystem Service Installation +author: Teymur Kheirkhabarov, Ecco, Florian Roth +date: 2019/10/26 +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting + a specific service installation +detection: + SELECTION_1: + EventID: 6 + SELECTION_10: + ImagePath: '*cmd.exe*' + SELECTION_11: + ImagePath: '*/c*' + SELECTION_12: + ImagePath: '*echo*' + SELECTION_13: + ImagePath: '*\pipe\\*' + SELECTION_14: + ImagePath: '*rundll32*' + SELECTION_15: + ImagePath: '*.dll,a*' + SELECTION_16: + ImagePath: '*/p:*' + SELECTION_2: + ImagePath: '*cmd*' + SELECTION_3: + ImagePath: '*/c*' + SELECTION_4: + ImagePath: '*echo*' + SELECTION_5: + ImagePath: '*\pipe\\*' + SELECTION_6: + ImagePath: '*%COMSPEC%*' + SELECTION_7: + ImagePath: '*/c*' + SELECTION_8: + ImagePath: '*echo*' + SELECTION_9: + ImagePath: '*\pipe\\*' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and + SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) + or (SELECTION_10 and SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 + and SELECTION_15 and SELECTION_16))) +falsepositives: +- Highly unlikely +fields: +- ComputerName +- SubjectDomainName +- SubjectUserName +- ImagePath +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 +level: critical +logsource: + category: driver_load + product: windows +modified: 2021/09/21 +references: +- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment +- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +related: +- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived +tags: +- attack.privilege_escalation +- attack.t1134 +- attack.t1134.001 +- attack.t1134.002 +yml_filename: driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load + 
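Review bot: Every selection except SELECTION_1 keys on `ImagePath`, but the `EventID: 6` / `category: driver_load` event this rule reads carries the loaded image in `ImageLoaded` — the other driver_load rules in this diff (driver_load_mal_creddumper.yml, driver_load_susp_temp_use.yml, driver_load_windivert.yml) all use `ImageLoaded` — so SELECTION_2 through SELECTION_16 can never match and the rule is dead. `ImagePath` is the service-installation field of the related rule `843544a7-56e0-4dcc-a44f-5cc266dd97d6`, and the `cmd`/`%COMSPEC%`/`rundll32` pipe strings it looks for are service command lines rather than driver paths, so renaming the field would not rescue it; the rule belongs on a service-installation log source, not driver_load. The same field check is worth running on every rule this converter emits.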
diff --git a/rules/Sigma/driver_load_powershell_script_installed_as_service.yml b/rules/Sigma/driver_load_powershell_script_installed_as_service.yml new file mode 100644 index 00000000..6d64cf56 --- /dev/null +++ b/rules/Sigma/driver_load_powershell_script_installed_as_service.yml @@ -0,0 +1,32 @@ +title: PowerShell Scripts Run by a Services +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +description: Detects powershell script installed as a Service +detection: + SELECTION_1: + EventID: 6 + SELECTION_2: + ImageLoaded: '*powershell*' + SELECTION_3: + ImageLoaded: '*pwsh*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) +falsepositives: +- Unknown +id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073 +level: high +logsource: + category: driver_load + product: windows +modified: 2021/09/21 +references: +- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +related: +- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae + type: derived +status: experimental +tags: +- attack.execution +- attack.t1569.002 +yml_filename: driver_load_powershell_script_installed_as_service.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load + diff --git a/rules/Sigma/driver_load_susp_temp_use.yml b/rules/Sigma/driver_load_susp_temp_use.yml new file mode 100644 index 00000000..2b50f583 --- /dev/null +++ b/rules/Sigma/driver_load_susp_temp_use.yml 
@@ -0,0 +1,26 @@ +title: Suspicious Driver Load from Temp +author: Florian Roth +date: 2017/02/12 +description: Detects a driver load from a temporary directory +detection: + SELECTION_1: + EventID: 6 + SELECTION_2: + ImageLoaded: '*\Temp\\*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- there is a relevant set of false positives depending on applications in the environment +id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 +level: high +logsource: + category: driver_load + product: windows +modified: 2020/08/23 +tags: +- attack.persistence +- attack.privilege_escalation +- attack.t1050 +- attack.t1543.003 +yml_filename: driver_load_susp_temp_use.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load + diff --git a/rules/Sigma/driver_load_vuln_dell_driver.yml b/rules/Sigma/driver_load_vuln_dell_driver.yml new file mode 100644 index 00000000..c38b2e84 --- /dev/null +++ b/rules/Sigma/driver_load_vuln_dell_driver.yml 
@@ -0,0 +1,39 @@ +title: Vulnerable Dell BIOS Update Driver Load +author: Florian Roth +date: 2021/05/05 +description: Detects the load of the vulnerable Dell BIOS update driver as reported + in CVE-2021-21551 +detection: + SELECTION_1: + EventID: 6 + SELECTION_2: + ImageLoaded: '*\DBUtil_2_3.Sys*' + SELECTION_3: + Hashes: '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*' + SELECTION_4: + Hashes: '*c948ae14761095e4d76b55d9de86412258be7afd*' + SELECTION_5: + Hashes: '*c996d7971c49252c582171d9380360f2*' + SELECTION_6: + Hashes: '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*' + SELECTION_7: + Hashes: '*10b30bdee43b3a2ec4aa63375577ade650269d25*' + SELECTION_8: + Hashes: '*d2fd132ab7bbc6bbb87a84f026fa0244*' + condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8))) +falsepositives: +- legitimate BIOS driver updates (should be rare) +id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 +level: high +logsource: + category: driver_load + product: windows +references: +- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ +tags: +- attack.privilege_escalation +- cve.2021.21551 +yml_filename: driver_load_vuln_dell_driver.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load + diff --git a/rules/Sigma/driver_load_windivert.yml b/rules/Sigma/driver_load_windivert.yml new file mode 100644 index 00000000..9ca72327 --- /dev/null +++ b/rules/Sigma/driver_load_windivert.yml 
@@ -0,0 +1,32 @@
+title: WinDivert Driver Load
+author: Florian Roth
+date: 2021/07/30
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
+ package for Windows
+detection:
+ SELECTION_1:
+ EventID: 6
+ SELECTION_2:
+ ImageLoaded: '*\WinDivert.sys*'
+ SELECTION_3:
+ ImageLoaded: '*\WinDivert64.sys*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- legitimate WinDivert driver usage
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+level: high
+logsource:
+ category: driver_load
+ product: windows
+references:
+- https://reqrypt.org/windivert-doc.html
+- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+status: experimental
+tags:
+- attack.collection
+- attack.defense_evasion
+- attack.t1599.001
+- attack.t1557.001
+yml_filename: driver_load_windivert.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load
+
diff --git a/rules/Sigma/edr_command_execution_by_office_applications.yml b/rules/Sigma/edr_command_execution_by_office_applications.yml
new file mode 100644
index 00000000..f52ddc50
--- /dev/null
+++ b/rules/Sigma/edr_command_execution_by_office_applications.yml
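Review bot: The description reads `Detects the load of the Windiver driver`; the driver is WinDivert, as the title and both `ImageLoaded` patterns spell it, so it should read `Detects the load of the WinDivert driver`. Both patterns also end with a `*` after `.sys`, so they match any `ImageLoaded` value that merely contains `\WinDivert.sys` or `\WinDivert64.sys`; if that field always holds the full driver path, the trailing wildcard looks unintended and `'*\WinDivert.sys'` / `'*\WinDivert64.sys'` would be the tighter form.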
@@ -0,0 +1,41 @@
+title: EDR WMI Command Execution by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic Win32_Process::Create
+ to execute the file with regsvr32
+detection:
+ SELECTION_1:
+ EventLog: EDR
+ SELECTION_2:
+ EventType: WMIExecution
+ SELECTION_3:
+ WMIcommand: '*Win32_Process\:\:Create*'
+ SELECTION_4:
+ Image: '*\winword.exe'
+ SELECTION_5:
+ Image: '*\excel.exe'
+ SELECTION_6:
+ Image: '*\powerpnt.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Unknown
+id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
+level: high
+logsource:
+ category: edr
+ product: windows
+modified: 2021/11/09
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: edr_command_execution_by_office_applications.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/edr
+
diff --git a/rules/Sigma/file_event_advanced_ip_scanner.yml b/rules/Sigma/file_event_advanced_ip_scanner.yml
new file mode 100644
index 00000000..f0ebc47a
--- /dev/null
+++ b/rules/Sigma/file_event_advanced_ip_scanner.yml
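Review bot: `WMIcommand: '*Win32_Process\:\:Create*'` escapes the two colons with backslashes; under Sigma's escaping rules a backslash before any character other than `*`, `?` or `\` is kept as a literal backslash, so this value would look for `Win32_Process\:\:Create` and never match the `Win32_Process::Create` the description talks about. Unless the matching engine used here strips `\:` itself, the pattern should be `WMIcommand: '*Win32_Process::Create*'` — quoted, so the colons are plain YAML text. Confirming the match against a sample record is worth doing before this is relied on at `level: high`.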
@@ -0,0 +1,35 @@
+title: Advanced IP Scanner
+author: '@ROxPinTeddy'
+date: 2020/05/12
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
+ ransomware groups.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Temp\Advanced IP Scanner 2*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative use
+id: fed85bf9-e075-4280-9159-fbe8a023d6fa
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+related:
+- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1046
+yml_filename: file_event_advanced_ip_scanner.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_apt_unidentified_nov_18.yml b/rules/Sigma/file_event_apt_unidentified_nov_18.yml
new file mode 100644
index 00000000..9f31ff34
--- /dev/null
+++ b/rules/Sigma/file_event_apt_unidentified_nov_18.yml
@@ -0,0 +1,31 @@
+title: Unidentified Attacker November 2018
+author: '@41thexplorer, Microsoft Defender ATP'
+date: 2018/11/20
+description: A sigma rule detecting an unidetefied attacker who used phishing emails
+ to target high profile orgs on November 2018. The Actor shares some TTPs with
+ YYTRIUM/APT29 campaign in 2016.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ds7002.lnk*'
+ condition: (SELECTION_1 and SELECTION_2)
+id: 3a3f81ca-652c-482b-adeb-b1c804727f74
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/DrunkBinary/status/1063075530180886529
+related:
+- id: 7453575c-a747-40b9-839b-125a0aae324b
+ type: derived
+status: stable
+tags:
+- attack.execution
+- attack.t1218.011
+- attack.t1085
+yml_filename: file_event_apt_unidentified_nov_18.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/Sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
new file mode 100644
index 00000000..3b7a71cc
--- /dev/null
+++ b/rules/Sigma/file_event_cve_2021_31979_cve_2021_33771_exploits.yml
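Review bot: The description has `unidetefied attacker` (for `unidentified`) and `on November 2018` (for `in November 2018`); for a rule marked `status: stable` the wording should be fixed. The rule also has no `falsepositives` key, unlike the other file_event rules in this commit; the Adwind rule (`file_event_mal_adwind.yml`) has the same gap. `attack.t1085` is the deprecated predecessor of `attack.t1218.011`, which is already listed, so it can be removed.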
@@ -0,0 +1,52 @@
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+author: Sittikorn S
+date: 2021/07/16
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
+ CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
+ SELECTION_11:
+ TargetFilename: '*C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
+ SELECTION_2:
+ TargetFilename: '*C:\Windows\system32\physmem.sys*'
+ SELECTION_3:
+ TargetFilename: '*C:\Windows\System32\IME\IMEJP\imjpueact.dll*'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\system32\ime\IMETC\IMTCPROT.DLL*'
+ SELECTION_5:
+ TargetFilename: '*C:\Windows\system32\ime\SHARED\imecpmeid.dll*'
+ SELECTION_6:
+ TargetFilename: '*C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat*'
+ SELECTION_7:
+ TargetFilename: '*C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat*'
+ SELECTION_8:
+ TargetFilename: '*C:\Windows\system32\config\config\startwus.dat*'
+ SELECTION_9:
+ TargetFilename: '*C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11))
+falsepositives:
+- Unlikely
+id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1566
+- attack.t1203
+- cve.2021.33771
+- cve.2021.31979
+yml_filename: file_event_cve_2021_31979_cve_2021_33771_exploits.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_hack_dumpert.yml b/rules/Sigma/file_event_hack_dumpert.yml
new file mode 100644
index 00000000..29e9b434
--- /dev/null
+++ b/rules/Sigma/file_event_hack_dumpert.yml
@@ -0,0 +1,33 @@
+title: Dumpert Process Dumper
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+ process memory
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\Temp\dumpert.dmp
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+related:
+- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+yml_filename: file_event_hack_dumpert.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_hktl_createminidump.yml b/rules/Sigma/file_event_hktl_createminidump.yml
new file mode 100644
index 00000000..d9115e7e
--- /dev/null
+++ b/rules/Sigma/file_event_hktl_createminidump.yml
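Review bot: The tactic tag `attack.credential_access` does not correspond to either technique listed: `attack.t1566` is Phishing (initial access) and `attack.t1203` is Exploitation for Client Execution (execution). The tags should carry the tactics of the techniques actually named, `attack.initial_access` and `attack.execution`, or a credential-access technique should be added if that is what the listed file artefacts are meant to indicate. Every `TargetFilename` pattern also opens with `*` ahead of `C:\`, which is redundant for a full-path field but harmless.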
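Review bot: SELECTION_2 matches the exact string `C:\Windows\Temp\dumpert.dmp`, so the rule is tied to one output directory and says nothing if the dump file lands anywhere else. The sibling CreateMiniDump rule in this commit matches on the suffix `'*\lsass.dmp'`; the same shape here, `TargetFilename: '*\dumpert.dmp'`, would make the two rules consistent and less dependent on a default path. The exact path can stay as an additional selection if the `critical` level is meant to hinge on it.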
@@ -0,0 +1,31 @@
+title: CreateMiniDump Hacktool
+author: Florian Roth
+date: 2019/12/22
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
+ memory for credential extraction on the attacker's machine
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\lsass.dmp'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: db2110f3-479d-42a6-94fb-d35bc1e46492
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
+related:
+- id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+ type: derived
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+yml_filename: file_event_hktl_createminidump.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_mal_adwind.yml b/rules/Sigma/file_event_mal_adwind.yml
new file mode 100644
index 00000000..e98cdfa3
--- /dev/null
+++ b/rules/Sigma/file_event_mal_adwind.yml
@@ -0,0 +1,38 @@
+title: Adwind RAT / JRAT
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+date: 2017/11/10
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Roaming\Oracle\bin\java*'
+ SELECTION_3:
+ TargetFilename: '*.exe*'
+ SELECTION_4:
+ TargetFilename: '*\Retrive*'
+ SELECTION_5:
+ TargetFilename: '*.vbs*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5)))
+id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+related:
+- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1064
+yml_filename: file_event_mal_adwind.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_mal_octopus_scanner.yml b/rules/Sigma/file_event_mal_octopus_scanner.yml
new file mode 100644
index 00000000..05d53bb7
--- /dev/null
+++ b/rules/Sigma/file_event_mal_octopus_scanner.yml
@@ -0,0 +1,28 @@
+title: Octopus Scanner Malware
+author: NVISO
+date: 2020/06/09
+description: Detects Octopus Scanner Malware.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Microsoft\Cache134.dat'
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Microsoft\ExplorerSync.db'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+status: experimental
+tags:
+- attack.t1195
+- attack.t1195.001
+yml_filename: file_event_mal_octopus_scanner.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/file_event_mal_vhd_download.yml b/rules/Sigma/file_event_mal_vhd_download.yml
new file mode 100644
index 00000000..fde162f1
--- /dev/null
+++ b/rules/Sigma/file_event_mal_vhd_download.yml
@@ -0,0 +1,49 @@
+title: Suspicious VHD Image Download From Browser
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2021/10/25
+description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate
+ payloads and evade security controls
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*.vhd*'
+ SELECTION_2:
+ Image: '*chrome.exe'
+ SELECTION_3:
+ Image: '*firefox.exe'
+ SELECTION_4:
+ Image: '*microsoftedge.exe'
+ SELECTION_5:
+ Image: '*microsoftedgecp.exe'
+ SELECTION_6:
+ Image: '*msedge.exe'
+ SELECTION_7:
+ Image: '*iexplorer.exe'
+ SELECTION_8:
+ Image: '*brave.exe'
+ SELECTION_9:
+ Image: '*opera.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10)
+falsepositives:
+- Legitimate user creation
+id: 8468111a-ef07-4654-903b-b863a80bbc95
+level: medium
+logsource:
+ category: file_event
+ definition: in sysmon add ".vhd
+ "
+ product: windows
+modified: 2021/10/29
+references:
+- https://redcanary.com/blog/intelligence-insights-october-2021/
+- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
+- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
+status: test
+tags:
+- attack.resource_development
+- attack.t1587.001
+yml_filename: file_event_mal_vhd_download.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_mimikatz_kirbi_file_creation.yml b/rules/Sigma/file_event_mimikatz_kirbi_file_creation.yml
new file mode 100644
index 00000000..3d99566e
--- /dev/null
+++ b/rules/Sigma/file_event_mimikatz_kirbi_file_creation.yml
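Review bot: SELECTION_7 uses `Image: '*iexplorer.exe'`, but the Internet Explorer binary is `iexplore.exe`, so that selection can never match and downloads through IE are silently outside the rule; it should be `Image: '*iexplore.exe'`. The `falsepositives` entry `Legitimate user creation` reads as if copied from another rule — something like `Legitimate download of a VHD image by a user` would describe this one. The `definition` value `in sysmon add ".vhd` continues onto a line holding only `"`, which suggests the quoting was mangled during conversion and is worth restoring to a single line.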
@@ -0,0 +1,27 @@
+title: Mimikatz Kirbi File Creation
+author: Florian Roth
+date: 2021/11/08
+description: Detects the creation of files that contain Kerberos tickets based on
+ an extension used by the popular tool Mimikatz
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*.kirbi'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://cobalt.io/blog/kerberoast-attack-techniques
+status: test
+tags:
+- attack.credential_access
+- attack.t1558
+yml_filename: file_event_mimikatz_kirbi_file_creation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_moriya_rootkit.yml b/rules/Sigma/file_event_moriya_rootkit.yml
new file mode 100644
index 00000000..6b9e6811
--- /dev/null
+++ b/rules/Sigma/file_event_moriya_rootkit.yml
@@ -0,0 +1,32 @@
+title: Moriya Rootkit
+author: Bhabesh Raj
+date: 2021/05/06
+description: Detects the use of Moriya rootkit as described in the securelist's Operation
+ TunnelSnake report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- None
+id: a1507d71-0b60-44f6-b17c-bf53220fdd88
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+related:
+- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+ type: derived
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1543.003
+yml_filename: file_event_moriya_rootkit.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_pingback_backdoor.yml b/rules/Sigma/file_event_pingback_backdoor.yml
new file mode 100644
index 00000000..ce83802c
--- /dev/null
+++ b/rules/Sigma/file_event_pingback_backdoor.yml
@@ -0,0 +1,31 @@
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*updata.exe'
+ SELECTION_3:
+ TargetFilename: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
+yml_filename: file_event_pingback_backdoor.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_script_creation_by_office_using_file_ext.yml b/rules/Sigma/file_event_script_creation_by_office_using_file_ext.yml
new file mode 100644
index 00000000..acb6f55e
--- /dev/null
+++ b/rules/Sigma/file_event_script_creation_by_office_using_file_ext.yml
@@ -0,0 +1,59 @@
+title: Created Files by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor executable and script file creation by office
+ applications. Please add more file extensions or magic bytes to the logic of your
+ choice.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*.vbs'
+ SELECTION_11:
+ TargetFilename: '*.sys'
+ SELECTION_12:
+ TargetFilename: '*.bat'
+ SELECTION_13:
+ TargetFilename: '*.scr'
+ SELECTION_14:
+ TargetFilename: '*.proj'
+ SELECTION_2:
+ Image: '*winword.exe'
+ SELECTION_3:
+ Image: '*excel.exe'
+ SELECTION_4:
+ Image: '*powerpnt.exe'
+ SELECTION_5:
+ TargetFilename: '*.exe'
+ SELECTION_6:
+ TargetFilename: '*.dll'
+ SELECTION_7:
+ TargetFilename: '*.ocx'
+ SELECTION_8:
+ TargetFilename: '*.com'
+ SELECTION_9:
+ TargetFilename: '*.ps1'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14))
+falsepositives:
+- Unknown
+id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/11/10
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: file_event_script_creation_by_office_using_file_ext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_tool_psexec.yml b/rules/Sigma/file_event_tool_psexec.yml
new file mode 100644
index 00000000..5cc5ca99
--- /dev/null
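Review bot: The tags `attack.t1047` (WMI) and `attack.t1218.010` (Regsvr32) are identical to those of the EDR WMI rule in this commit (`edr_command_execution_by_office_applications.yml`), but nothing in this rule's logic involves WMI or regsvr32 — it matches only executable or script files written by Office processes, so `attack.t1204.002` with `attack.execution` is what actually describes it. The `Image` patterns `'*winword.exe'`, `'*excel.exe'` and `'*powerpnt.exe'` also lack the `\` anchor the EDR rule uses (`'*\winword.exe'`), so any image name that merely ends in those strings matches; adding the backslash keeps the two rules consistent.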
+++ b/rules/Sigma/file_event_tool_psexec.yml
@@ -0,0 +1,42 @@
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\PSEXESVC.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
+level: low
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
+yml_filename: file_event_tool_psexec.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_uac_bypass_winsat.yml b/rules/Sigma/file_event_uac_bypass_winsat.yml
new file mode 100644
index 00000000..19eb45a5
--- /dev/null
+++ b/rules/Sigma/file_event_uac_bypass_winsat.yml
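Review bot: The `fields` list carries `CommandLine`, `ParentCommandLine`, `ServiceName`, `ServiceFileName` and `PipeName`, none of which exist in a Sysmon EventID 11 file-creation event; together with the description `(service and Sysmon)`, they were evidently inherited from the original multi-source rule and now mislead a reader of this file_event-only split. Trim `fields` to what the event carries (`EventID`, `TargetFilename`, and `Image`/`User` if wanted) and narrow the description to the `PSEXESVC.exe` file creation. The same inherited `fields` and description appear in the pipe_created twin `pipe_created_tool_psexec.yml`, where `PipeName` is the only relevant field. `attack.t1035` is the deprecated ID that `attack.t1569.002`, already listed, replaced.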
@@ -0,0 +1,32 @@
+title: UAC Bypass Abusing Winsat Path Parsing - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
+ (UACMe 52)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\system32\winsat.exe'
+ SELECTION_4:
+ TargetFilename: '*\AppData\Local\Temp\system32\winmm.dll'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Unknown
+id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: file_event_uac_bypass_winsat.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_uac_bypass_wmp.yml b/rules/Sigma/file_event_uac_bypass_wmp.yml
new file mode 100644
index 00000000..e83d5e57
--- /dev/null
+++ b/rules/Sigma/file_event_uac_bypass_wmp.yml
@@ -0,0 +1,35 @@
+title: UAC Bypass Using Windows Media Player - File
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
+ (UACMe 32)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: C:\Users\\*
+ SELECTION_3:
+ TargetFilename: '*\AppData\Local\Temp\OskSupport.dll'
+ SELECTION_4:
+ Image: C:\Windows\system32\DllHost.exe
+ SELECTION_5:
+ TargetFilename: C:\Program Files\Windows Media Player\osk.exe
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5)))
+falsepositives:
+- Unknown
+id: 68578b43-65df-4f81-9a9b-92f32711a951
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: file_event_uac_bypass_wmp.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_winrm_awl_bypass.yml b/rules/Sigma/file_event_winrm_awl_bypass.yml
new file mode 100644
index 00000000..85070523
--- /dev/null
+++ b/rules/Sigma/file_event_winrm_awl_bypass.yml
@@ -0,0 +1,38 @@
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
+ winrm.vbs and copied cscript.exe (can be renamed)
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*WsmPty.xsl'
+ SELECTION_3:
+ TargetFilename: '*WsmTxt.xsl'
+ SELECTION_4:
+ TargetFilename: C:\Windows\System32\\*
+ SELECTION_5:
+ TargetFilename: C:\Windows\SysWOW64\\*
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
+ or SELECTION_5)))
+falsepositives:
+- Unlikely
+id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+related:
+- id: 074e0ded-6ced-4ebd-8b4d-53f55908119
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1216
+yml_filename: file_event_winrm_awl_bypass.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/Sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..25ac4158
--- /dev/null
+++ b/rules/Sigma/file_event_wmiprvse_wbemcomn_dll_hijack.yml
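Review bot: The `related` entry `id: 074e0ded-6ced-4ebd-8b4d-53f55908119` is not a valid UUID — its last group has 11 hex digits instead of 12 — so the link back to the upstream rule cannot be resolved. Check the source rule for the missing character; until then the value should not be trusted as a cross-reference. The exclusion of `C:\Windows\System32\\*` and `C:\Windows\SysWOW64\\*` via `not` is the right shape for separating copies from the genuine files.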
@@ -0,0 +1,32 @@
+title: Wmiprvse Wbemcomn DLL Hijack
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: System
+ SELECTION_3:
+ TargetFilename: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
+yml_filename: file_event_wmiprvse_wbemcomn_dll_hijack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/image_load_pingback_backdoor.yml b/rules/Sigma/image_load_pingback_backdoor.yml
new file mode 100644
index 00000000..943f51d5
--- /dev/null
+++ b/rules/Sigma/image_load_pingback_backdoor.yml
@@ -0,0 +1,31 @@
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*msdtc.exe'
+ SELECTION_3:
+ ImageLoaded: C:\Windows\oci.dll
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Very unlikely
+id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
+yml_filename: image_load_pingback_backdoor.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/image_load_silenttrinity_stage_use.yml b/rules/Sigma/image_load_silenttrinity_stage_use.yml
new file mode 100644
index 00000000..8d2011f2
--- /dev/null
+++ b/rules/Sigma/image_load_silenttrinity_stage_use.yml
@@ -0,0 +1,29 @@
+title: SILENTTRINITY Stager Execution
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+description: Detects SILENTTRINITY stager use
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: '*st2stager*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/10/04
+references:
+- https://github.com/byt3bl33d3r/SILENTTRINITY
+related:
+- id: 03552375-cc2c-4883-bbe4-7958d5a980be
+ type: derived
+status: experimental
+tags:
+- attack.command_and_control
+yml_filename: image_load_silenttrinity_stage_use.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/Sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 00000000..bb21cf8f
--- /dev/null
+++ b/rules/Sigma/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,32 @@
+title: Wmiprvse Wbemcomn DLL Hijack
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\`
+ directory over the network and loading it for a WMI DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\wmiprvse.exe'
+ SELECTION_3:
+ ImageLoaded: '*\wbem\wbemcomn.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7707a579-e0d8-4886-a853-ce47e4575aaa
+level: critical
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/09/09
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.lateral_movement
+- attack.t1021.002
+yml_filename: image_load_wmiprvse_wbemcomn_dll_hijack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/pipe_created_tool_psexec.yml b/rules/Sigma/pipe_created_tool_psexec.yml
new file mode 100644
index 00000000..6f5acabd
--- /dev/null
+++ b/rules/Sigma/pipe_created_tool_psexec.yml
@@ -0,0 +1,50 @@
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSEXESVC
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
+level: low
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular. How to test detection? You
+ can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
+yml_filename: pipe_created_tool_psexec.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/powershell_accessing_win_api.yml b/rules/Sigma/powershell_accessing_win_api.yml
new file mode 100644
index 00000000..848b7b7b
--- /dev/null
+++ b/rules/Sigma/powershell_accessing_win_api.yml
@@ -0,0 +1,128 @@ +title: Accessing WinAPI in PowerShell +author: Nikita Nazarov, oscd.community +date: 2020/10/06 +description: Detecting use WinAPI Functions in PowerShell +detection: + SELECTION_1: + ScriptBlockText: '*WaitForSingleObject*' + SELECTION_10: + ScriptBlockText: '*GetDelegateForFunctionPointer*' + SELECTION_11: + ScriptBlockText: '*CreateThread*' + SELECTION_12: + ScriptBlockText: '*memcpy*' + SELECTION_13: + ScriptBlockText: '*LoadLibrary*' + SELECTION_14: + ScriptBlockText: '*GetModuleHandle*' + SELECTION_15: + ScriptBlockText: '*GetProcAddress*' + SELECTION_16: + ScriptBlockText: '*VirtualProtect*' + SELECTION_17: + ScriptBlockText: '*FreeLibrary*' + SELECTION_18: + ScriptBlockText: '*ReadProcessMemory*' + SELECTION_19: + ScriptBlockText: '*CreateRemoteThread*' + SELECTION_2: + ScriptBlockText: '*QueueUserApc*' + SELECTION_20: + ScriptBlockText: '*AdjustTokenPrivileges*' + SELECTION_21: + ScriptBlockText: '*WriteByte*' + SELECTION_22: + ScriptBlockText: '*WriteInt32*' + SELECTION_23: + ScriptBlockText: '*OpenThreadToken*' + SELECTION_24: + ScriptBlockText: '*PtrToString*' + SELECTION_25: + ScriptBlockText: '*FreeHGlobal*' + SELECTION_26: + ScriptBlockText: '*ZeroFreeGlobalAllocUnicode*' + SELECTION_27: + ScriptBlockText: '*OpenProcessToken*' + SELECTION_28: + ScriptBlockText: '*GetTokenInformation*' + SELECTION_29: + ScriptBlockText: '*SetThreadToken*' + SELECTION_3: + ScriptBlockText: '*RtlCreateUserThread*' + SELECTION_30: + ScriptBlockText: '*ImpersonateLoggedOnUser*' + SELECTION_31: + ScriptBlockText: '*RevertToSelf*' + SELECTION_32: + ScriptBlockText: '*GetLogonSessionData*' + SELECTION_33: + ScriptBlockText: '*CreateProcessWithToken*' + SELECTION_34: + ScriptBlockText: '*DuplicateTokenEx*' + SELECTION_35: + ScriptBlockText: '*OpenWindowStation*' + SELECTION_36: + ScriptBlockText: '*OpenDesktop*' + SELECTION_37: + ScriptBlockText: '*MiniDumpWriteDump*' + SELECTION_38: + ScriptBlockText: '*AddSecurityPackage*' + SELECTION_39: + 
ScriptBlockText: '*EnumerateSecurityPackages*' + SELECTION_4: + ScriptBlockText: '*OpenProcess*' + SELECTION_40: + ScriptBlockText: '*GetProcessHandle*' + SELECTION_41: + ScriptBlockText: '*DangerousGetHandle*' + SELECTION_42: + ScriptBlockText: '*kernel32*' + SELECTION_43: + ScriptBlockText: '*Advapi32*' + SELECTION_44: + ScriptBlockText: '*msvcrt*' + SELECTION_45: + ScriptBlockText: '*ntdll*' + SELECTION_46: + ScriptBlockText: '*user32*' + SELECTION_47: + ScriptBlockText: '*secur32*' + SELECTION_5: + ScriptBlockText: '*VirtualAlloc*' + SELECTION_6: + ScriptBlockText: '*VirtualFree*' + SELECTION_7: + ScriptBlockText: '*WriteProcessMemory*' + SELECTION_8: + ScriptBlockText: '*CreateUserThread*' + SELECTION_9: + ScriptBlockText: '*CloseHandle*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 + or SELECTION_46 or SELECTION_47) +falsepositives: +- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon) +id: 03d83090-8cba-44a0-b02f-0b756a050306 +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1106 +yml_filename: 
powershell_accessing_win_api.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_adrecon_execution.yml b/rules/Sigma/powershell_adrecon_execution.yml new file mode 100644 index 00000000..033a5ad5 --- /dev/null +++ b/rules/Sigma/powershell_adrecon_execution.yml @@ -0,0 +1,31 @@ +title: PowerShell ADRecon Execution +author: Bhabesh Raj +date: 2021/07/16 +description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been + reported to be actively used by FIN7 +detection: + SELECTION_1: + ScriptBlockText: '*Function Get-ADRExcelComOb*' + SELECTION_2: + ScriptBlockText: '*ADRecon-Report.xlsx*' + condition: (SELECTION_1 or SELECTION_2) +falsepositives: +- Unknown +id: bf72941a-cba0-41ea-b18c-9aca3925690d +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/sense-of-security/ADRecon +- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 +status: experimental +tags: +- attack.discovery +- attack.execution +- attack.t1059.001 +yml_filename: powershell_adrecon_execution.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_alternate_powershell_hosts.yml b/rules/Sigma/powershell_alternate_powershell_hosts.yml new file mode 100644 index 00000000..46f47c38 --- /dev/null +++ b/rules/Sigma/powershell_alternate_powershell_hosts.yml 
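Review bot: Several selections subsume others and a few are far too generic for a `level: high` single-term OR: `*OpenProcess*` (SELECTION_4) already matches everything `*OpenProcessToken*` (SELECTION_27) does, `*CreateThread*` (SELECTION_11) covers `*CreateRemoteThread*` (SELECTION_19), and `*kernel32*`, `*ntdll*`, `*CloseHandle*`, `*memcpy*` and `*LoadLibrary*` will fire on a large share of benign modules. Drop the redundant selections and consider requiring two distinct API names to co-occur, or at least lower the level and extend `falsepositives` beyond the Carbon module. `description: Detecting use WinAPI Functions in PowerShell` also reads awkwardly; `description: Detects use of Win32 API functions from PowerShell script blocks` would be clearer.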
@@ -0,0 +1,32 @@ +title: Alternate PowerShell Hosts +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/08/11 +description: Detects alternate PowerShell hosts potentially bypassing detections looking + for powershell.exe +detection: + SELECTION_1: + ContextInfo: '*' + SELECTION_2: + ContextInfo: '*powershell.exe*' + condition: (SELECTION_1 and not (SELECTION_2)) +falsepositives: +- Programs using PowerShell directly without invocation of a dedicated interpreter +- MSP Detection Searcher +- Citrix ConfigSync.ps1 +id: 64e8e417-c19a-475a-8d19-98ea705394cc +level: medium +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html +status: test +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_alternate_powershell_hosts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_automated_collection.yml b/rules/Sigma/powershell_automated_collection.yml new file mode 100644 index 00000000..712a5a95 --- /dev/null +++ b/rules/Sigma/powershell_automated_collection.yml 
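Review bot: The exclusion `ContextInfo: '*powershell.exe*'` matches anywhere in the ContextInfo blob, so an alternate host whose command line merely passes a powershell.exe path as an argument is silently excluded, while the legitimate PowerShell 7 host `pwsh.exe` is not excluded and will alert on every module-log event. Consider anchoring the exclusion on the Host Application portion of ContextInfo and adding `pwsh.exe` as a second excluded host. `attack.t1086` is a retired technique ID that the `attack.t1059.001` tag already supersedes.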
@@ -0,0 +1,51 @@ +title: Automated Collection Command PowerShell +author: frack113 +date: 2021/07/28 +description: Once established within a system or network, an adversary may use automated + techniques for collecting internal data. +detection: + SELECTION_1: + ScriptBlockText: '*.doc*' + SELECTION_10: + ScriptBlockText: '*Get-ChildItem*' + SELECTION_11: + ScriptBlockText: '* -Recurse *' + SELECTION_12: + ScriptBlockText: '* -Include *' + SELECTION_2: + ScriptBlockText: '*.docx*' + SELECTION_3: + ScriptBlockText: '*.xls*' + SELECTION_4: + ScriptBlockText: '*.xlsx*' + SELECTION_5: + ScriptBlockText: '*.ppt*' + SELECTION_6: + ScriptBlockText: '*.pptx*' + SELECTION_7: + ScriptBlockText: '*.rtf*' + SELECTION_8: + ScriptBlockText: '*.pdf*' + SELECTION_9: + ScriptBlockText: '*.txt*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10 + and SELECTION_11 and SELECTION_12) +falsepositives: +- Unknown +id: c1dda054-d638-4c16-afc8-53e007f3fbc5 +level: medium +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md +status: experimental +tags: +- attack.collection +- attack.t1119 +yml_filename: powershell_automated_collection.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_azurehound_commands.yml b/rules/Sigma/powershell_azurehound_commands.yml new file mode 100644 index 00000000..5c4245d7 --- /dev/null +++ b/rules/Sigma/powershell_azurehound_commands.yml 
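Review bot: `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` (SELECTION_1, _3, _5) already match the `.docx`/`.xlsx`/`.pptx` variants, so SELECTION_2, _4 and _6 are dead entries; and `'* -Recurse *'`/`'* -Include *'` require a trailing space, so a command that ends in `-Recurse` is missed. `'* -Recurse*'` (no trailing space) keeps the word boundary on the left and still matches at end of line.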
@@ -0,0 +1,32 @@ +title: AzureHound PowerShell Commands +author: Austin Songer (@austinsonger) +date: 2021/10/23 +description: null +detection: + SELECTION_1: + ScriptBlockText: '*Invoke-AzureHound*' + condition: (SELECTION_1) +falsepositives: +- Penetration testing +id: 83083ac6-1816-4e76-97d7-59af9a9ae46e +level: high +logsource: + category: ps_script + definition: Script Block Logging must be enable + product: windows +references: +- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1 +- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html +status: experimental +tags: +- attack.discovery +- attack.t1482 +- attack.t1087 +- attack.t1087.001 +- attack.t1087.002 +- attack.t1069.001 +- attack.t1069.002 +- attack.t1069 +yml_filename: powershell_azurehound_commands.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_bad_opsec_artifacts.yml b/rules/Sigma/powershell_bad_opsec_artifacts.yml new file mode 100644 index 00000000..f2dc7995 --- /dev/null +++ b/rules/Sigma/powershell_bad_opsec_artifacts.yml 
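Review bot: `description: null` leaves the rule without any explanation of what `Invoke-AzureHound` indicates, which every other rule in the batch provides; something like `description: Detects invocation of the AzureHound collector (Invoke-AzureHound), which gathers Azure AD data for BloodHound` would do. `definition: Script Block Logging must be enable` also has a typo (`enabled`), and the sibling ps_script rules use the wording `Script block logging must be enabled`, so matching it keeps the logsource mapping uniform.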
@@ -0,0 +1,47 @@ +title: Bad Opsec Powershell Code Artifacts +author: ok @securonix invrep_de, oscd.community +date: 2020/10/09 +description: Focuses on trivial artifacts observed in variants of prevalent offensive + ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, + Powersploit, and other attack payloads that often undergo minimal changes by attackers + due to bad opsec. +detection: + SELECTION_1: + Payload: '*$DoIt*' + SELECTION_2: + Payload: '*harmj0y*' + SELECTION_3: + Payload: '*mattifestation*' + SELECTION_4: + Payload: '*_RastaMouse*' + SELECTION_5: + Payload: '*tifkin_*' + SELECTION_6: + Payload: '*0xdeadbeef*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6) +falsepositives: +- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because + of high specificity, fp appears to be fairly limited in many environments. +id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 +level: critical +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ +- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ +- https://www.mdeditor.tw/pl/pgRt +related: +- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 + type: derived +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_bad_opsec_artifacts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_cl_invocation_lolscript.yml b/rules/Sigma/powershell_cl_invocation_lolscript.yml new file mode 100644 index 00000000..7af51b96 --- /dev/null +++ b/rules/Sigma/powershell_cl_invocation_lolscript.yml 
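Review bot: `Payload: '*0xdeadbeef*'` (SELECTION_6) is a generic sentinel constant that turns up in legitimate scripts and vendor tooling, and on its own it satisfies the OR condition at `level: critical`; the other five handles are specific enough, so either drop SELECTION_6 or require it to co-occur with one of them. The `falsepositives` entry reads as a rate estimate rather than a list of benign sources; naming a concrete example would help triage.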
@@ -0,0 +1,29 @@ +title: Execution via CL_Invocation.ps1 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +detection: + SELECTION_1: + ScriptBlockText: '*CL_Invocation.ps1*' + SELECTION_2: + ScriptBlockText: '*SyncInvoke*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml +- https://twitter.com/bohops/status/948061991012327424 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: powershell_cl_invocation_lolscript.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_cl_invocation_lolscript_count.yml b/rules/Sigma/powershell_cl_invocation_lolscript_count.yml new file mode 100644 index 00000000..4c16332f --- /dev/null +++ b/rules/Sigma/powershell_cl_invocation_lolscript_count.yml 
@@ -0,0 +1,30 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +detection: + SELECTION_1: + ScriptBlockText: '*CL_Invocation.ps1*' + SELECTION_2: + ScriptBlockText: '*SyncInvoke*' + condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer > + 2 +falsepositives: +- Unknown +id: f588e69b-0750-46bb-8f87-0e9320d57536 +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml +- https://twitter.com/bohops/status/948061991012327424 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: powershell_cl_invocation_lolscript_count.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_cl_mutexverifiers_lolscript.yml b/rules/Sigma/powershell_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..37e1d28a --- /dev/null +++ b/rules/Sigma/powershell_cl_mutexverifiers_lolscript.yml 
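Review bot: The title says `(2 Lines)` but `count(ScriptBlockText) by Computer > 2` only fires from the third matching event, and the base pair is joined with `or` here while `powershell_cl_invocation_lolscript.yml` uses `and`, so a block mentioning only `SyncInvoke` contributes to the count. Confirm whether `> 1` is intended, and add a space before the pipe (`condition: (SELECTION_1 or SELECTION_2) | count(ScriptBlockText) by Computer > 2`) so the aggregation parses uniformly. The same applies to the `powershell_cl_mutexverifiers_lolscript_count.yml` hunk.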
@@ -0,0 +1,30 @@ +title: Execution via CL_Mutexverifiers.ps1 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 + module +detection: + SELECTION_1: + ScriptBlockText: '*CL_Mutexverifiers.ps1*' + SELECTION_2: + ScriptBlockText: '*runAfterCancelProcess*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml +- https://twitter.com/pabraeken/status/995111125447577600 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: powershell_cl_mutexverifiers_lolscript.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/Sigma/powershell_cl_mutexverifiers_lolscript_count.yml new file mode 100644 index 00000000..64989927 --- /dev/null +++ b/rules/Sigma/powershell_cl_mutexverifiers_lolscript_count.yml 
@@ -0,0 +1,31 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 + module +detection: + SELECTION_1: + ScriptBlockText: '*CL_Mutexverifiers.ps1*' + SELECTION_2: + ScriptBlockText: '*runAfterCancelProcess*' + condition: (SELECTION_1 or SELECTION_2)| count(ScriptBlockText) by Computer > + 2 +falsepositives: +- Unknown +id: 6609c444-9670-4eab-9636-fe4755a851ce +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml +- https://twitter.com/pabraeken/status/995111125447577600 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: powershell_cl_mutexverifiers_lolscript_count.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_classic_alternate_powershell_hosts.yml b/rules/Sigma/powershell_classic_alternate_powershell_hosts.yml new file mode 100644 index 00000000..504373f3 --- /dev/null +++ b/rules/Sigma/powershell_classic_alternate_powershell_hosts.yml 
@@ -0,0 +1,35 @@ +title: Alternate PowerShell Hosts +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/08/11 +description: Detects alternate PowerShell hosts potentially bypassing detections looking + for powershell.exe +detection: + SELECTION_1: + HostApplication: '*' + SELECTION_2: + HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe* + condition: (SELECTION_1 and not (SELECTION_2)) +falsepositives: +- Programs using PowerShell directly without invocation of a dedicated interpreter +- MSP Detection Searcher +- Citrix ConfigSync.ps1 +id: d7326048-328b-4d5e-98af-86e84b17c765 +level: medium +logsource: + category: ps_classic_start + definition: fields have to be extract from event + product: windows +modified: 2021/10/16 +references: +- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html +related: +- id: 64e8e417-c19a-475a-8d19-98ea705394cc + type: derived +status: test +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_classic_alternate_powershell_hosts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_classic_powercat.yml b/rules/Sigma/powershell_classic_powercat.yml new file mode 100644 index 00000000..da27307a --- /dev/null +++ b/rules/Sigma/powershell_classic_powercat.yml 
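Review bot: The exclusion `HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*` only covers the 64-bit host, so 32-bit PowerShell started from `C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` and `pwsh.exe` will both alert as "alternate hosts". Add a selection for the SysWOW64 path (and pwsh where deployed) and exclude it alongside SELECTION_2. Since the value is a plain scalar containing backslashes and `*`, quoting it like the other patterns in this batch (`'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*'`) avoids parser-dependent handling.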
@@ -0,0 +1,34 @@ +title: Netcat The Powershell Version +author: frack113 +date: 2021/07/21 +description: Adversaries may use a non-application layer protocol for communication + between host and C2 server or among infected hosts within a network +detection: + SELECTION_1: + HostApplication: '*powercat *' + SELECTION_2: + HostApplication: '*powercat.ps1*' + condition: (SELECTION_1 or SELECTION_2) +falsepositives: +- Unknown +id: c5b20776-639a-49bf-94c7-84f912b91c15 +level: medium +logsource: + category: ps_classic_start + definition: fields have to be extract from event + product: windows +modified: 2021/10/16 +references: +- https://nmap.org/ncat/ +- https://github.com/besimorhino/powercat +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md +related: +- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 + type: derived +status: experimental +tags: +- attack.command_and_control +- attack.t1095 +yml_filename: powershell_classic_powercat.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_classic_remote_powershell_session.yml b/rules/Sigma/powershell_classic_remote_powershell_session.yml new file mode 100644 index 00000000..af094c9b --- /dev/null +++ b/rules/Sigma/powershell_classic_remote_powershell_session.yml 
@@ -0,0 +1,35 @@ +title: Remote PowerShell Session +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/08/10 +description: Detects remote PowerShell sessions +detection: + SELECTION_1: + HostName: ServerRemoteHost + SELECTION_2: + HostApplication: '*wsmprovhost.exe*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Legitimate use remote PowerShell sessions +id: 60167e5c-84b2-4c95-a7ac-86281f27c445 +level: high +logsource: + category: ps_classic_start + definition: fields have to be extract from event + product: windows +modified: 2021/10/16 +references: +- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html +related: +- id: 96b9f619-aa91-478f-bacb-c3e50f8df575 + type: derived +status: test +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +- attack.lateral_movement +- attack.t1021.006 +- attack.t1028 +yml_filename: powershell_classic_remote_powershell_session.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/Sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml new file mode 100644 index 00000000..76dcf008 --- /dev/null +++ b/rules/Sigma/powershell_classic_susp_athremotefxvgpudisablementcommand.yml 
@@ -0,0 +1,44 @@ +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +author: frack113 +date: 2021/07/13 +description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable + that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). +detection: + SELECTION_1: + HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *' + SELECTION_2: + HostApplication: '*-ModuleName *' + SELECTION_3: + HostApplication: '*-ModulePath *' + SELECTION_4: + HostApplication: '*-ScriptBlock *' + SELECTION_5: + HostApplication: '*-RemoteFXvGPUDisablementFilePath*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +fields: +- ComputerName +- User +- CommandLine +- ParentCommandLine +id: f65e22f9-819e-4f96-9c7b-498364ae7a25 +level: medium +logsource: + definition: fields have to be extract from event + product: windows + service: powershell-classic +modified: 2021/09/07 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md +- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 +related: +- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 + type: derived +status: experimental +tags: +- attack.defense_evasion +- attack.t1218 +yml_filename: powershell_classic_susp_athremotefxvgpudisablementcommand.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_classic_susp_zip_compress.yml b/rules/Sigma/powershell_classic_susp_zip_compress.yml new file mode 100644 index 00000000..b0f2efef --- /dev/null +++ b/rules/Sigma/powershell_classic_susp_zip_compress.yml 
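Review bot: `logsource` here uses `service: powershell-classic` with no `category`, while the other classic-host rules in this batch (`powershell_classic_alternate_powershell_hosts.yml`, `powershell_classic_powercat.yml`, `powershell_classic_remote_powershell_session.yml`) use `category: ps_classic_start`; `powershell_classic_susp_zip_compress.yml` has the same form as this one. If the pipeline maps the two forms to different channels or event IDs, these two rules may never be evaluated against the same event 400 data the others use, so they should be aligned to one form; the older `modified: 2021/09/07` date suggests they were converted before the upstream logsource change.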
@@ -0,0 +1,36 @@ +title: Zip A Folder With PowerShell For Staging In Temp +author: frack113 +date: 2021/07/20 +description: Use living off the land tools to zip a file and stage it in the Windows + temporary folder for later exfiltration +detection: + SELECTION_1: + HostApplication: '*Compress-Archive *' + SELECTION_2: + HostApplication: '* -Path *' + SELECTION_3: + HostApplication: '* -DestinationPath *' + SELECTION_4: + HostApplication: '*$env:TEMP\\*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- Unknown +id: 71ff406e-b633-4989-96ec-bc49d825a412 +level: medium +logsource: + definition: fields have to be extract from event + product: windows + service: powershell-classic +modified: 2021/09/07 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md +related: +- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 + type: derived +status: experimental +tags: +- attack.collection +- attack.t1074.001 +yml_filename: powershell_classic_susp_zip_compress.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_classic_suspicious_download.yml b/rules/Sigma/powershell_classic_suspicious_download.yml new file mode 100644 index 00000000..c3689974 --- /dev/null +++ b/rules/Sigma/powershell_classic_suspicious_download.yml 
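Review bot: `HostApplication: '*$env:TEMP\\*'` is single-quoted, so YAML passes `\\` through literally and the rule engine sees a Sigma-style escape; whether that is read as one literal backslash (the usual Sigma semantic) or as two characters depends on the converter, and in the latter case `$env:TEMP\file.zip` never matches. Worth a test event, plus a comment such as `# \\ is the Sigma escape for a single literal backslash` on that line.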
@@ -0,0 +1,32 @@ +title: Suspicious PowerShell Download +author: Florian Roth +date: 2017/03/05 +description: Detects suspicious PowerShell download command +detection: + SELECTION_1: + HostApplication: '*System.Net.WebClient*' + SELECTION_2: + HostApplication: '*.DownloadFile(*' + SELECTION_3: + HostApplication: '*.DownloadString(*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3)) +falsepositives: +- PowerShell scripts that download content from the Internet +id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d +level: medium +logsource: + category: ps_classic_start + definition: fields have to be extract from event + product: windows +modified: 2021/10/16 +related: +- id: 65531a81-a694-4e31-ae04-f8ba5bc33759 + type: derived +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_classic_suspicious_download.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_clear_powershell_history.yml b/rules/Sigma/powershell_clear_powershell_history.yml new file mode 100644 index 00000000..98c8487c --- /dev/null +++ b/rules/Sigma/powershell_clear_powershell_history.yml 
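Review bot: This is the only rule in the batch without a `references` key, and `falsepositives` is the generic "scripts that download content"; a pointer to the original rule the `related` id `65531a81-a694-4e31-ae04-f8ba5bc33759` derives from would document provenance. Coverage is limited to the `System.Net.WebClient` API, which is fine if the related rule handles the other download cmdlets, but that scope should be stated in the description.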
@@ -0,0 +1,43 @@ +title: Clear PowerShell History +author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +date: 2019/10/25 +description: Detects keywords that could indicate clearing PowerShell history +detection: + SELECTION_1: + Payload: '*del*' + SELECTION_2: + Payload: '*Remove-Item*' + SELECTION_3: + Payload: '*rm*' + SELECTION_4: + Payload: '*(Get-PSReadlineOption).HistorySavePath*' + SELECTION_5: + Payload: '*Set-PSReadlineOption*' + SELECTION_6: + Payload: "*\u2013HistorySaveStyle*" + SELECTION_7: + Payload: '*SaveNothing*' + condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) or (SELECTION_5 + and SELECTION_6 and SELECTION_7)) +falsepositives: +- Legitimate PowerShell scripts +id: f99276ad-d122-4989-a09a-d00904a5f9d2 +level: medium +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a +related: +- id: dfba4ce1-e0ea-495f-986e-97140f31af2d + type: derived +status: experimental +tags: +- attack.defense_evasion +- attack.t1070.003 +- attack.t1146 +yml_filename: powershell_clear_powershell_history.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_create_local_user.yml b/rules/Sigma/powershell_create_local_user.yml new file mode 100644 index 00000000..2229601b --- /dev/null +++ b/rules/Sigma/powershell_create_local_user.yml 
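Review bot: `Payload: "*\u2013HistorySaveStyle*"` (SELECTION_6) encodes an en dash (U+2013) rather than the ASCII hyphen, so the branch `SELECTION_5 and SELECTION_6 and SELECTION_7` only matches a command typed with a typographic dash — `Set-PSReadlineOption -HistorySaveStyle SaveNothing` as actually typed will not match. Change it to `Payload: '*-HistorySaveStyle*'`. `'*del*'` and `'*rm*'` are also very short substrings (they match `model`, `format`, `permission`), though the AND with SELECTION_4 keeps that noise bounded.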
@@ -0,0 +1,30 @@ +title: PowerShell Create Local User +author: '@ROxPinTeddy' +date: 2020/04/11 +description: Detects creation of a local user via PowerShell +detection: + SELECTION_1: + ScriptBlockText: '*New-LocalUser*' + condition: SELECTION_1 +falsepositives: +- Legitimate user creation +id: 243de76f-4725-4f2e-8225-a8a69b15ad61 +level: medium +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +- attack.persistence +- attack.t1136.001 +- attack.t1136 +yml_filename: powershell_create_local_user.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_data_compressed.yml b/rules/Sigma/powershell_data_compressed.yml new file mode 100644 index 00000000..ce04734d --- /dev/null +++ b/rules/Sigma/powershell_data_compressed.yml 
@@ -0,0 +1,33 @@ +title: Data Compressed - PowerShell +author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +description: An adversary may compress data (e.g., sensitive documents) that is collected + prior to exfiltration in order to make it portable and minimize the amount of + data sent over the network. +detection: + SELECTION_1: + ScriptBlockText: '*-Recurse*' + SELECTION_2: + ScriptBlockText: '*|*' + SELECTION_3: + ScriptBlockText: '*Compress-Archive*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Highly likely if archive operations are done via PowerShell. +id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a +level: low +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md +status: experimental +tags: +- attack.exfiltration +- attack.t1560 +- attack.t1002 +yml_filename: powershell_data_compressed.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_decompress_commands.yml b/rules/Sigma/powershell_decompress_commands.yml new file mode 100644 index 00000000..98431249 --- /dev/null +++ b/rules/Sigma/powershell_decompress_commands.yml 
@@ -0,0 +1,31 @@ +title: PowerShell Decompress Commands +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A General detection for specific decompress commands in PowerShell logs. + This could be an adversary decompressing files. +detection: + SELECTION_1: + Payload: '*Expand-Archive*' + condition: SELECTION_1 +falsepositives: +- unknown +id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5 +level: informational +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/8 +- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html +related: +- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 + type: derived +status: experimental +tags: +- attack.defense_evasion +- attack.t1140 +yml_filename: powershell_decompress_commands.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_delete_volume_shadow_copies.yml b/rules/Sigma/powershell_delete_volume_shadow_copies.yml new file mode 100644 index 00000000..01c0c02c --- /dev/null +++ b/rules/Sigma/powershell_delete_volume_shadow_copies.yml 
@@ -0,0 +1,37 @@ +title: Delete Volume Shadow Copies Via WMI With PowerShell +author: frack113 +date: 2021/06/03 +description: Shadow Copies deletion using operating systems utilities via PowerShell +detection: + SELECTION_1: + HostApplication: '*Get-WmiObject*' + SELECTION_2: + HostApplication: '* Win32_Shadowcopy*' + SELECTION_3: + HostApplication: '*Delete()*' + SELECTION_4: + HostApplication: '*Remove-WmiObject*' + condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4)) +falsepositives: +- Legitimate Administrator deletes Shadow Copies using operating systems utilities + for legitimate reason +fields: +- HostApplication +id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1 +level: critical +logsource: + category: ps_classic_start + definition: fields have to be extract from event + product: windows +modified: 2021/10/16 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md +- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml +- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods +status: experimental +tags: +- attack.impact +- attack.t1490 +yml_filename: powershell_delete_volume_shadow_copies.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic + diff --git a/rules/Sigma/powershell_detect_vm_env.yml b/rules/Sigma/powershell_detect_vm_env.yml new file mode 100644 index 00000000..7dbc4d06 --- /dev/null +++ b/rules/Sigma/powershell_detect_vm_env.yml 
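Review bot: The rule only keys on `Get-WmiObject`, so the CIM equivalents (`Get-CimInstance Win32_ShadowCopy | Remove-CimInstance`) are outside its scope, and `description: Shadow Copies deletion using operating systems utilities via PowerShell` overstates that coverage. Either add `*Get-CimInstance*` and `*Remove-CimInstance*` selections to the respective OR groups or narrow the description to the WMI cmdlets it actually matches.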
@@ -0,0 +1,34 @@
+title: Powershell Detect Virtualization Environment
+author: frack113
+date: 2021/08/03
+description: Adversaries may employ various system checks to detect and avoid virtualization
+ and analysis environments. This may include changing behaviors based on the results
+ of checks for the presence of artifacts indicative of a virtual machine environment
+ (VME) or sandbox
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Get-WmiObject*'
+ SELECTION_2:
+ ScriptBlockText: '*MSAcpi_ThermalZoneTemperature*'
+ SELECTION_3:
+ ScriptBlockText: '*Win32_ComputerSystem*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: d93129cd-1ee0-479f-bc03-ca6f129882e3
+level: medium
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
+- https://techgenix.com/malicious-powershell-scripts-evade-detection/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1497.001
+yml_filename: powershell_detect_vm_env.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_dnscat_execution.yml b/rules/Sigma/powershell_dnscat_execution.yml
new file mode 100644
index 00000000..6c28f97d
--- /dev/null
+++ b/rules/Sigma/powershell_dnscat_execution.yml
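Review bot: `Get-WmiObject` together with `Win32_ComputerSystem` (`SELECTION_1` and `SELECTION_3`) is a routine inventory query, so `falsepositives: - Unknown` understates what an analyst will see from this rule at `level: medium`. Document the known benign source, e.g. `- Legitimate inventory, asset-management or monitoring scripts querying Win32_ComputerSystem`, so the alert can be tuned rather than muted. `definition: EnableScriptBlockLogging must be set to enable` reads oddly; `Script block logging must be enabled` matches the wording of the sibling `ps_script` rules.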
@@ -0,0 +1,27 @@
+title: Dnscat Execution
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+description: Dnscat exfiltration tool execution
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Start-Dnscat2*'
+ condition: SELECTION_1
+falsepositives:
+- "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)"
+id: a6d67db4-6220-436d-8afc-f3842fe05d43
+level: critical
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_dnscat_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_downgrade_attack.yml b/rules/Sigma/powershell_downgrade_attack.yml
new file mode 100644
index 00000000..34949587
--- /dev/null
+++ b/rules/Sigma/powershell_downgrade_attack.yml
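Review bot: `tags` lists both `attack.t1059.001` and `attack.t1086`; T1086 is the pre-sub-technique ID that ATT&CK retired in favour of T1059.001, so the pair counts the same technique twice and the retired one should be dropped. The same duplicate pair appears in the Downgrade Attack, Version Mismatch and both Obfuscated IEX rules in this commit. This rule also has no `references` entry, unlike its neighbours, so the origin of the `Start-Dnscat2` indicator is not recorded anywhere in the file.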
@@ -0,0 +1,32 @@
+title: PowerShell Downgrade Attack
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+description: Detects PowerShell downgrade attack by comparing the host versions with
+ the actually used engine version 2.0
+detection:
+ SELECTION_1:
+ EngineVersion: 2.*
+ SELECTION_2:
+ HostVersion: 2.*
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- Penetration Test
+- Unknown
+id: 6331d09b-4785-4c13-980f-f96661356249
+level: medium
+logsource:
+ category: ps_classic_start
+ definition: fields have to be extract from event
+ product: windows
+modified: 2021/10/16
+references:
+- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_downgrade_attack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/powershell_exe_calling_ps.yml b/rules/Sigma/powershell_exe_calling_ps.yml
new file mode 100644
index 00000000..6758d2bc
--- /dev/null
+++ b/rules/Sigma/powershell_exe_calling_ps.yml
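Review bot: `definition: fields have to be extract from event` is ungrammatical and does not tell a deployer what the prerequisite is: the definition itself implies that `EngineVersion` and `HostVersion` are not delivered as separate fields by the classic PowerShell log and must be parsed out of the event text before `SELECTION_1`/`SELECTION_2` can match. A wording such as `definition: EngineVersion and HostVersion must be extracted from the event message text` makes that explicit; the same line appears in the Version Mismatch and Shadow Copies rules. The reference is plain `http://`; use the `https://` form if the site serves it.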
@@ -0,0 +1,36 @@
+title: PowerShell Called from an Executable Version Mismatch
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects PowerShell called from an executable by the version mismatch
+ method
+detection:
+ SELECTION_1:
+ EngineVersion: 2.*
+ SELECTION_2:
+ EngineVersion: 4.*
+ SELECTION_3:
+ EngineVersion: 5.*
+ SELECTION_4:
+ HostVersion: 3.*
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Penetration Tests
+- Unknown
+id: c70e019b-1479-4b65-b0cc-cd0c6093a599
+level: high
+logsource:
+ category: ps_classic_start
+ definition: fields have to be extract from event
+ product: windows
+modified: 2021/10/16
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_exe_calling_ps.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/powershell_get_clipboard.yml b/rules/Sigma/powershell_get_clipboard.yml
new file mode 100644
index 00000000..9e5bc34f
--- /dev/null
+++ b/rules/Sigma/powershell_get_clipboard.yml
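Review bot: `SELECTION_4` hard-codes `HostVersion: 3.*`, so the rule only detects a mismatch against a version-3 host; an engine of `2.*`, `4.*` or `5.*` running under a host reporting `4.*` or `5.*` is not covered, which is narrower than the title "Version Mismatch" suggests. The `description` should state that limitation (e.g. `Only covers hosts reporting version 3.x; engine 2.x under other hosts is covered by the Downgrade Attack rule`) so the gap is visible to whoever tunes it. The `definition` wording issue raised on the Downgrade Attack rule applies here as well.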
@@ -0,0 +1,31 @@
+title: PowerShell Get Clipboard
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for the Get-Clipboard commands in PowerShell logs.
+ This could be an adversary capturing clipboard contents.
+detection:
+ SELECTION_1:
+ Payload: '*Get-Clipboard*'
+ condition: SELECTION_1
+falsepositives:
+- unknown
+id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+level: medium
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/16
+- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+related:
+- id: 5486f63a-aa4c-488d-9a61-c9192853099f
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1115
+yml_filename: powershell_get_clipboard.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_icmp_exfiltration.yml b/rules/Sigma/powershell_icmp_exfiltration.yml
new file mode 100644
index 00000000..98e90478
--- /dev/null
+++ b/rules/Sigma/powershell_icmp_exfiltration.yml
@@ -0,0 +1,32 @@
+title: PowerShell ICMP Exfiltration
+author: Bartlomiej Czyz @bczyz1, oscd.community
+date: 2020/10/10
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
+ steal data by exfiltrating it over an un-encrypted network protocol other than
+ that of the existing command and control channel.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*New-Object*'
+ SELECTION_2:
+ ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
+ SELECTION_3:
+ ScriptBlockText: '*.Send(*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Legitimate usage of System.Net.NetworkInformation.Ping class
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048.003
+yml_filename: powershell_icmp_exfiltration.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_nightmare.yml b/rules/Sigma/powershell_invoke_nightmare.yml
new file mode 100644
index 00000000..45af2c7c
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_nightmare.yml
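Review bot: The condition requires `SELECTION_1` (`*New-Object*`) in addition to the `Ping` class name and the `.Send(` call, yet `New-Object` is only one of the ways PowerShell instantiates a .NET class, so the AND on it narrows coverage without adding specificity that `SELECTION_2` and `SELECTION_3` do not already provide. `condition: (SELECTION_2 and SELECTION_3)` keeps the meaningful pair; if `New-Object` is kept on purpose as a false-positive limiter, say so in `falsepositives` so the choice survives the next edit.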
@@ -0,0 +1,25 @@
+title: PrintNightmare Powershell Exploitation
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet name for PrintNightmare exploitation.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Invoke-Nightmare*'
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+level: high
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/calebstewart/CVE-2021-1675
+status: test
+tags:
+- attack.privilege_escalation
+yml_filename: powershell_invoke_nightmare.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_clip.yml b/rules/Sigma/powershell_invoke_obfuscation_clip.yml
new file mode 100644
index 00000000..5f0639e8
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_clip.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ Payload|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 73e67340-0d25-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_clip.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
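Review bot: `tags` carries only the tactic `attack.privilege_escalation` with no technique ID, whereas every other rule in this commit pairs tactic and technique; add the technique this exploit maps to (`attack.t1068`, Exploitation for Privilege Escalation, if that is the intended mapping). `definition: Script Block Logging must be enable` is missing its final `d`. The only reference is the public exploit repository; adding the vendor advisory for CVE-2021-1675 would give an analyst the patch and mitigation context rather than just the tooling name.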
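Review bot: The `Payload|re` pattern opens with `.*` and then chains `.+` segments; the Sigma `re` modifier is a search rather than a full-string match in the usual backends, so the leading `.*` is redundant and, combined with the repeated `.+`, adds backtracking cost on long module-log payloads. Starting the pattern at `cmd.{0,5}(?:\/c|\/r)` matches exactly the same events; the same leading `.*` appears in the STDIN+, VAR+, COMPRESS, RUNDLL, Via Stdin, Via Use Clip, Via Use MSHTA, Via Use Rundll32 and VAR++ rules and in each `_in_scriptblocktext` twin. `clipboard]::\(` relies on a bare `]` being literal outside a character class, which it is, but `clipboard\]::\(` states the intent more clearly.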
diff --git a/rules/Sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..f210c0a5
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
new file mode 100644
index 00000000..1a8efc0f
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -0,0 +1,45 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: "Detects all variations of obfuscated powershell IEX invocation code\
+ \ generated by Invoke-Obfuscation framework from the following code block \u2014\
+ \ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+detection:
+ SELECTION_1:
+ Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_2:
+ Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_3:
+ Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_4:
+ Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_5:
+ Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
+ SELECTION_6:
+ Payload|re: \$VerbosePreference\.ToString\(
+ SELECTION_7:
+ Payload|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7)
+falsepositives:
+- Unknown
+id: 2f211361-7dce-442d-b78a-c04039677378
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+related:
+- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_invoke_obfuscation_obfuscated_iex.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
new file mode 100644
index 00000000..5cf8147d
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
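Review bot: In `SELECTION_7`, `\String\]` does not escape the `S`: `\S` is the non-whitespace character class, so the pattern reads "any non-space character followed by `tring]`". It still matches the intended `[String]` cast, but only by accident; if the literal cast is meant, `Payload|re: \[String\]\s*\$VerbosePreference` says so, and the same fix applies to the `_in_scriptblocktext` twin. `SELECTION_5`'s `\\\\*mdr\\\\*` also deserves a one-line comment stating whether the doubled backslashes are meant to match literal backslashes in the payload or are an escaping artefact of the conversion, because a reader cannot tell from the pattern alone.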
@@ -0,0 +1,42 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+description: "Detects all variations of obfuscated powershell IEX invocation code\
+ \ generated by Invoke-Obfuscation framework from the following code block \u2014\
+ \ https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ SELECTION_2:
+ ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ SELECTION_3:
+ ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ SELECTION_4:
+ ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ SELECTION_5:
+ ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
+ SELECTION_6:
+ ScriptBlockText|re: \$VerbosePreference\.ToString\(
+ SELECTION_7:
+ ScriptBlockText|re: \String\]\s*\$VerbosePreference
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7)
+falsepositives:
+- Unknown
+id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_stdin.yml b/rules/Sigma/powershell_invoke_obfuscation_stdin.yml
new file mode 100644
index 00000000..7a414116
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_stdin.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ Payload|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_stdin.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..c9d55d6b
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
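Review bot: The `noexit` alternative in `(?:\$\{?input\}?|noexit)` lets the pattern fire on any `cmd … /c … powershell … noexit … "` command line, which is not specific to the STDIN+ launcher and is a plausible interactive or administrative invocation, yet `falsepositives` says only `Unknown` at `level: high`. Either record that `-NoExit` launches from cmd are expected benign hits, or keep `noexit` only where the `$input` redirection is also present, if the launcher depends on both. The `_in_scriptblocktext` twin has the same alternation.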
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of stdin to execute PowerShell
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_var.yml b/rules/Sigma/powershell_invoke_obfuscation_var.yml
new file mode 100644
index 00000000..ffc537f6
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_var.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ Payload|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_var.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..857c540d
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
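Review bot: `(?:\s|)`, `(?:\{\d\}){1,}` and `(?:.*\)){1,}` in the `Payload|re` pattern are roundabout spellings of `\s?`, `(?:\{\d\})+` and `(?:.*\))+`; the idiomatic forms behave identically and are easier to audit. The stretch `[a-zA-Z]{3,6}.*(?:\{\d\}){1,}` followed by `(?:.*\)){1,}.*\"` stacks three unbounded wildcards, which is where backtracking cost on long payloads would come from if the backend is a backtracking engine. The `_in_scriptblocktext` twin uses the same pattern.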
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation VAR+ Launcher
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: .*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_var_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_compress.yml b/rules/Sigma/powershell_invoke_obfuscation_via_compress.yml
new file mode 100644
index 00000000..278d7d3b
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: SELECTION_1
+falsepositives:
+- unknown
+id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
+level: medium
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_compress.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..1f32ddc1
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
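Review bot: The second alternative, `system\.io\.streamreader`, involves no compression at all, so a `New-Object System.IO.StreamReader(...)` read using `[Text.Encoding]::ASCII` and `ReadToEnd` — an ordinary way to read a text file — satisfies the whole pattern, and `falsepositives: - unknown` does not prepare an analyst for that at `level: medium`. Either drop the StreamReader branch so only the `deflatestream` form matches, or document the benign StreamReader case in `falsepositives`. The `_in_scriptblocktext` twin has the same alternation.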
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
+ condition: SELECTION_1
+falsepositives:
+- unknown
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_rundll.yml b/rules/Sigma/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 00000000..ac22c48f
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: a23791fe-8846-485a-b16b-ca691e1b03d4
+level: medium
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_rundll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
new file mode 100644
index 00000000..ef0a7e1c
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
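Review bot: This rule and `Invoke-Obfuscation Via Use Rundll32` later in this commit both key on `rundll32 … shell32\.dll … shellexec_rundll` in module-log payloads, so one obfuscated launcher will raise two alerts at different levels (`medium` here, `high` there) with no `related` entry connecting them. Record the overlap under `related`, or merge the two into one rule with a single level, so the duplicate does not have to be discovered during triage. `(?:\s+)?` is simply `\s*`; the `_in_scriptblocktext` twins of both rules share the same overlap.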
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_stdin.yml b/rules/Sigma/powershell_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 00000000..743bc3ae
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_stdin.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..fcf1d15b
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
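Review bot: The capturing groups `(set)` and `(environment|invoke|\${?input)` in the `Payload|re` pattern are never referenced, so plain `set` and a non-capturing `(?:environment|invoke|\${?input)` express the same match more honestly. More importantly, this rule overlaps the `Invoke-Obfuscation STDIN+ Launcher` rule earlier in the commit — both describe the stdin launcher on module logs at `level: high` — but neither lists the other under `related`, so the overlap is invisible to whoever tunes them. The `_in_scriptblocktext` twin shares both points.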
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Stdin
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+description: Detects Obfuscated Powershell via Stdin in Scripts
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_clip.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 00000000..962c8b96
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_use_clip.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..2f99abf5
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
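Review bot: The lazy `.*?` before `echo` and the trailing `.*` after the alternation add nothing to a search-style regex and can be removed without changing which payloads match. This rule covers the same clip.exe launcher as `Invoke-Obfuscation CLIP+ Launcher` earlier in the commit, at the same `level: high`, with no `related` entry tying the two together; an analyst receiving both alerts gets no hint that they describe one event. The `_in_scriptblocktext` twin has the same pattern and the same undocumented overlap.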
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Use Clip
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 00000000..42140d36
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: e55a5195-4724-480e-a77e-3ebe64bd3759
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_use_mhsta.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
new file mode 100644
index 00000000..50845bd3
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
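Review bot: `definition: PowerShell Module Logging must be enabledd` has a doubled `d`; the same typo is in the `VAR++ LAUNCHER OBFUSCATION` rule at the end of this chunk, while every other `ps_module` rule spells it `enabled`. The five capturing groups in the pattern — `(set)`, `(&&)`, `(mshta)`, `(vbscript:createobject)`, `(\.run)` — capture nothing that is used; writing them as plain literals makes the pattern shorter and its intent clearer. The file name `..._via_use_mhsta.yml` also transposes the letters of `mshta` relative to the title, which will hinder searching for the rule by name.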
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Use MSHTA
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+detection:
+ SELECTION_1:
+ ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 00000000..debbde46
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,31 @@
+title: Invoke-Obfuscation Via Use Rundll32
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+detection:
+ SELECTION_1:
+ Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Neo23x0/sigma/issues/1009
+related:
+- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_invoke_obfuscation_via_use_rundll32.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
new file mode 100644
index 00000000..972e42ae
--- /dev/null
+++ b/rules/Sigma/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
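Review bot: `date: 2019/10/08` is a full year earlier than the same author's other rules in this commit (`2020/10/08` to `2020/10/13`), all of which cite the same `Neo23x0/sigma` issue 1009; this looks like a typo for `2020/10/08`, but confirm against the upstream rule before changing it. The `_in_scriptblocktext` twin carries the identical date. The overlap with `Invoke-Obfuscation RUNDLL LAUNCHER` was raised on that rule and applies here too.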
@@ -0,0 +1,28 @@ +title: Invoke-Obfuscation Via Use Rundll32 +author: Nikita Nazarov, oscd.community +date: 2019/10/08 +description: Detects Obfuscated Powershell via use Rundll32 in Scripts +detection: + SELECTION_1: + ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*" + condition: SELECTION_1 +falsepositives: +- Unknown +id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/Neo23x0/sigma/issues/1009 +status: experimental +tags: +- attack.defense_evasion +- attack.t1027 +- attack.execution +- attack.t1059.001 +yml_filename: powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_var.yml b/rules/Sigma/powershell_invoke_obfuscation_via_var.yml new file mode 100644 index 00000000..b834a0a2 --- /dev/null +++ b/rules/Sigma/powershell_invoke_obfuscation_via_var.yml 
@@ -0,0 +1,31 @@ +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +detection: + SELECTION_1: + Payload|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c + condition: SELECTION_1 +falsepositives: +- Unknown +id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 +level: high +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabledd + product: windows +modified: 2021/10/16 +references: +- https://github.com/Neo23x0/sigma/issues/1009 +related: +- id: e54f5149-6ba3-49cf-b153-070d24679126 + type: derived +status: experimental +tags: +- attack.defense_evasion +- attack.t1027 +- attack.execution +- attack.t1059.001 +yml_filename: powershell_invoke_obfuscation_via_var.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/Sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml new file mode 100644 index 00000000..d9d213d5 --- /dev/null +++ b/rules/Sigma/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml 
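Review bot: `definition: PowerShell Module Logging must be enabledd` in the logsource block has a doubled letter; the Rundll32 module rule earlier in this diff spells the same prerequisite `definition: PowerShell Module Logging must be enabled`. This string is what analysts see as the data-source requirement for the rule, so it should read `definition: PowerShell Module Logging must be enabled`.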
@@ -0,0 +1,28 @@ +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +detection: + SELECTION_1: + ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c + condition: SELECTION_1 +falsepositives: +- Unknown +id: e54f5149-6ba3-49cf-b153-070d24679126 +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/Neo23x0/sigma/issues/1009 +status: experimental +tags: +- attack.defense_evasion +- attack.t1027 +- attack.execution +- attack.t1059.001 +yml_filename: powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_keylogging.yml b/rules/Sigma/powershell_keylogging.yml new file mode 100644 index 00000000..8d021052 --- /dev/null +++ b/rules/Sigma/powershell_keylogging.yml 
@@ -0,0 +1,32 @@ +title: Powershell Keylogging +author: frack113 +date: 2021/07/30 +description: Adversaries may log user keystrokes to intercept credentials as the user + types them. +detection: + SELECTION_1: + ScriptBlockText: '*Get-Keystrokes*' + SELECTION_2: + ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*' + SELECTION_3: + ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*' + condition: (SELECTION_1 or (SELECTION_2 and SELECTION_3)) +falsepositives: +- Unknown +id: 34f90d3c-c297-49e9-b26d-911b05a4866c +level: medium +logsource: + category: ps_script + definition: EnableScriptBlockLogging must be set to enable + product: windows +modified: 2021/10/16 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1 +status: experimental +tags: +- attack.collection +- attack.t1056.001 +yml_filename: powershell_keylogging.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_malicious_commandlets.yml b/rules/Sigma/powershell_malicious_commandlets.yml new file mode 100644 index 00000000..36f32def --- /dev/null +++ b/rules/Sigma/powershell_malicious_commandlets.yml 
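Review bot: The first reference, `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md`, points at the T1218 (signed binary proxy execution) atomics, while the rule is tagged `attack.t1056.001` and its second reference is the T1056.001 Get-Keystrokes source; this looks like a copy-paste slip, and the T1056.001 atomic page (same repository path pattern as the existing link) is the one that actually supports the rule. `definition: EnableScriptBlockLogging must be set to enable` is also worded differently from the other ps_script rules in this diff, which use `definition: Script block logging must be enabled`; the shared wording keeps the prerequisite searchable across rules. SELECTION_2 and SELECTION_3 are exact substrings including the single spaces around `user32.dll`, so any extra whitespace in the `Get-ProcAddress` call bypasses the second branch — worth stating as a known gap in `description` or `falsepositives`.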
@@ -0,0 +1,237 @@ +title: Malicious PowerShell Commandlets +author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), + oscd.community (update) +date: 2017/03/05 +description: Detects Commandlet names from well-known PowerShell exploitation frameworks +detection: + SELECTION_1: + ScriptBlockText: '*Invoke-DllInjection*' + SELECTION_10: + ScriptBlockText: '*Invoke-NinjaCopy*' + SELECTION_11: + ScriptBlockText: '*Invoke-TokenManipulation*' + SELECTION_12: + ScriptBlockText: '*Out-Minidump*' + SELECTION_13: + ScriptBlockText: '*VolumeShadowCopyTools*' + SELECTION_14: + ScriptBlockText: '*Invoke-ReflectivePEInjection*' + SELECTION_15: + ScriptBlockText: '*Invoke-UserHunter*' + SELECTION_16: + ScriptBlockText: '*Find-GPOLocation*' + SELECTION_17: + ScriptBlockText: '*Invoke-ACLScanner*' + SELECTION_18: + ScriptBlockText: '*Invoke-DowngradeAccount*' + SELECTION_19: + ScriptBlockText: '*Get-ServiceUnquoted*' + SELECTION_2: + ScriptBlockText: '*Invoke-Shellcode*' + SELECTION_20: + ScriptBlockText: '*Get-ServiceFilePermission*' + SELECTION_21: + ScriptBlockText: '*Get-ServicePermission*' + SELECTION_22: + ScriptBlockText: '*Invoke-ServiceAbuse*' + SELECTION_23: + ScriptBlockText: '*Install-ServiceBinary*' + SELECTION_24: + ScriptBlockText: '*Get-RegAutoLogon*' + SELECTION_25: + ScriptBlockText: '*Get-VulnAutoRun*' + SELECTION_26: + ScriptBlockText: '*Get-VulnSchTask*' + SELECTION_27: + ScriptBlockText: '*Get-UnattendedInstallFile*' + SELECTION_28: + ScriptBlockText: '*Get-ApplicationHost*' + SELECTION_29: + ScriptBlockText: '*Get-RegAlwaysInstallElevated*' + SELECTION_3: + ScriptBlockText: '*Invoke-WmiCommand*' + SELECTION_30: + ScriptBlockText: '*Get-Unconstrained*' + SELECTION_31: + ScriptBlockText: '*Add-RegBackdoor*' + SELECTION_32: + ScriptBlockText: '*Add-ScrnSaveBackdoor*' + SELECTION_33: + ScriptBlockText: '*Gupt-Backdoor*' + SELECTION_34: + ScriptBlockText: '*Invoke-ADSBackdoor*' + SELECTION_35: + ScriptBlockText: 
'*Enabled-DuplicateToken*' + SELECTION_36: + ScriptBlockText: '*Invoke-PsUaCme*' + SELECTION_37: + ScriptBlockText: '*Remove-Update*' + SELECTION_38: + ScriptBlockText: '*Check-VM*' + SELECTION_39: + ScriptBlockText: '*Get-LSASecret*' + SELECTION_4: + ScriptBlockText: '*Get-GPPPassword*' + SELECTION_40: + ScriptBlockText: '*Get-PassHashes*' + SELECTION_41: + ScriptBlockText: '*Show-TargetScreen*' + SELECTION_42: + ScriptBlockText: '*Port-Scan*' + SELECTION_43: + ScriptBlockText: '*Invoke-PoshRatHttp*' + SELECTION_44: + ScriptBlockText: '*Invoke-PowerShellTCP*' + SELECTION_45: + ScriptBlockText: '*Invoke-PowerShellWMI*' + SELECTION_46: + ScriptBlockText: '*Add-Exfiltration*' + SELECTION_47: + ScriptBlockText: '*Add-Persistence*' + SELECTION_48: + ScriptBlockText: '*Do-Exfiltration*' + SELECTION_49: + ScriptBlockText: '*Start-CaptureServer*' + SELECTION_5: + ScriptBlockText: '*Get-Keystrokes*' + SELECTION_50: + ScriptBlockText: '*Get-ChromeDump*' + SELECTION_51: + ScriptBlockText: '*Get-ClipboardContents*' + SELECTION_52: + ScriptBlockText: '*Get-FoxDump*' + SELECTION_53: + ScriptBlockText: '*Get-IndexedItem*' + SELECTION_54: + ScriptBlockText: '*Get-Screenshot*' + SELECTION_55: + ScriptBlockText: '*Invoke-Inveigh*' + SELECTION_56: + ScriptBlockText: '*Invoke-NetRipper*' + SELECTION_57: + ScriptBlockText: '*Invoke-EgressCheck*' + SELECTION_58: + ScriptBlockText: '*Invoke-PostExfil*' + SELECTION_59: + ScriptBlockText: '*Invoke-PSInject*' + SELECTION_6: + ScriptBlockText: '*Get-TimedScreenshot*' + SELECTION_60: + ScriptBlockText: '*Invoke-RunAs*' + SELECTION_61: + ScriptBlockText: '*MailRaider*' + SELECTION_62: + ScriptBlockText: '*New-HoneyHash*' + SELECTION_63: + ScriptBlockText: '*Set-MacAttribute*' + SELECTION_64: + ScriptBlockText: '*Invoke-DCSync*' + SELECTION_65: + ScriptBlockText: '*Invoke-PowerDump*' + SELECTION_66: + ScriptBlockText: '*Exploit-Jboss*' + SELECTION_67: + ScriptBlockText: '*Invoke-ThunderStruck*' + SELECTION_68: + ScriptBlockText: 
'*Invoke-VoiceTroll*' + SELECTION_69: + ScriptBlockText: '*Set-Wallpaper*' + SELECTION_7: + ScriptBlockText: '*Get-VaultCredential*' + SELECTION_70: + ScriptBlockText: '*Invoke-InveighRelay*' + SELECTION_71: + ScriptBlockText: '*Invoke-PsExec*' + SELECTION_72: + ScriptBlockText: '*Invoke-SSHCommand*' + SELECTION_73: + ScriptBlockText: '*Get-SecurityPackages*' + SELECTION_74: + ScriptBlockText: '*Install-SSP*' + SELECTION_75: + ScriptBlockText: '*Invoke-BackdoorLNK*' + SELECTION_76: + ScriptBlockText: '*PowerBreach*' + SELECTION_77: + ScriptBlockText: '*Get-SiteListPassword*' + SELECTION_78: + ScriptBlockText: '*Get-System*' + SELECTION_79: + ScriptBlockText: '*Invoke-BypassUAC*' + SELECTION_8: + ScriptBlockText: '*Invoke-CredentialInjection*' + SELECTION_80: + ScriptBlockText: '*Invoke-Tater*' + SELECTION_81: + ScriptBlockText: '*Invoke-WScriptBypassUAC*' + SELECTION_82: + ScriptBlockText: '*PowerUp*' + SELECTION_83: + ScriptBlockText: '*PowerView*' + SELECTION_84: + ScriptBlockText: '*Get-RickAstley*' + SELECTION_85: + ScriptBlockText: '*Find-Fruit*' + SELECTION_86: + ScriptBlockText: '*HTTP-Login*' + SELECTION_87: + ScriptBlockText: '*Find-TrustedDocuments*' + SELECTION_88: + ScriptBlockText: '*Invoke-Paranoia*' + SELECTION_89: + ScriptBlockText: '*Invoke-WinEnum*' + SELECTION_9: + ScriptBlockText: '*Invoke-Mimikatz*' + SELECTION_90: + ScriptBlockText: '*Invoke-ARPScan*' + SELECTION_91: + ScriptBlockText: '*Invoke-PortScan*' + SELECTION_92: + ScriptBlockText: '*Invoke-ReverseDNSLookup*' + SELECTION_93: + ScriptBlockText: '*Invoke-SMBScanner*' + SELECTION_94: + ScriptBlockText: '*Invoke-Mimikittenz*' + SELECTION_95: + ScriptBlockText: '*Invoke-AllChecks*' + SELECTION_96: + ScriptBlockText: '*Get-SystemDriveInfo*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or 
SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 + or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 + or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55 + or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60 + or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65 + or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70 + or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75 + or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80 + or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85 + or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90 + or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95) + and not (SELECTION_96)) +falsepositives: +- Penetration testing +id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 +level: high +logsource: + category: ps_script + definition: Script Block Logging must be enable + product: windows +modified: 2021/10/16 +references: +- https://adsecurity.org/?p=2921 +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_malicious_commandlets.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_malicious_keywords.yml b/rules/Sigma/powershell_malicious_keywords.yml new file mode 100644 index 00000000..4e49684a 
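Review bot: `definition: Script Block Logging must be enable` in the logsource block is ungrammatical; the sibling rules use `definition: Script block logging must be enabled`, and the same slip recurs in the PowerView hunk later in this diff. `tags` lists both `attack.t1059.001` and `attack.t1086`; T1086 is the pre-2020 PowerShell technique id that ATT&CK retired in favour of T1059.001, so the old tag is redundant and will not resolve against current mappings — the same pair appears in the Malicious Keywords, Nishang, NTFS ADS and Credential Prompt hunks. Several selections are broad substrings rather than cmdlet names — `*PowerUp*`, `*PowerView*`, `*Get-System*`, `*Check-VM*`, `*Remove-Update*`, `*Port-Scan*` — and only `*Get-SystemDriveInfo*` is carved out via SELECTION_96, so at `level: high` the single `falsepositives` entry `Penetration testing` understates the risk; listing the known benign collisions there (anything else containing `Get-System`, for instance) would make triage faster.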
--- /dev/null +++ b/rules/Sigma/powershell_malicious_keywords.yml 
@@ -0,0 +1,69 @@ +title: Malicious PowerShell Keywords +author: Sean Metcalf (source), Florian Roth (rule) +date: 2017/03/05 +description: Detects keywords from well-known PowerShell exploitation frameworks +detection: + SELECTION_1: + ScriptBlockText: '*AdjustTokenPrivileges*' + SELECTION_10: + ScriptBlockText: '*TOKEN_ADJUST_PRIVILEGES*' + SELECTION_11: + ScriptBlockText: '*TOKEN_ALL_ACCESS*' + SELECTION_12: + ScriptBlockText: '*TOKEN_ASSIGN_PRIMARY*' + SELECTION_13: + ScriptBlockText: '*TOKEN_DUPLICATE*' + SELECTION_14: + ScriptBlockText: '*TOKEN_ELEVATION*' + SELECTION_15: + ScriptBlockText: '*TOKEN_IMPERSONATE*' + SELECTION_16: + ScriptBlockText: '*TOKEN_INFORMATION_CLASS*' + SELECTION_17: + ScriptBlockText: '*TOKEN_PRIVILEGES*' + SELECTION_18: + ScriptBlockText: '*TOKEN_QUERY*' + SELECTION_19: + ScriptBlockText: '*Metasploit*' + SELECTION_2: + ScriptBlockText: '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*' + SELECTION_20: + ScriptBlockText: '*Mimikatz*' + SELECTION_3: + ScriptBlockText: '*Microsoft.Win32.UnsafeNativeMethods*' + SELECTION_4: + ScriptBlockText: '*ReadProcessMemory.Invoke*' + SELECTION_5: + ScriptBlockText: '*SE_PRIVILEGE_ENABLED*' + SELECTION_6: + ScriptBlockText: '*LSA_UNICODE_STRING*' + SELECTION_7: + ScriptBlockText: '*MiniDumpWriteDump*' + SELECTION_8: + ScriptBlockText: '*PAGE_EXECUTE_READ*' + SELECTION_9: + ScriptBlockText: '*SECURITY_DELEGATION*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20) +falsepositives: +- Penetration tests +id: f62176f3-8128-4faa-bf6c-83261322e5eb +level: high +logsource: + category: ps_script + definition: It is recommended to use the new "Script Block Logging" of PowerShell + v5 https://adsecurity.org/?p=2277 + product: windows +modified: 
2021/10/16 +references: +- https://adsecurity.org/?p=2921 +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_malicious_keywords.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/Sigma/powershell_memorydump_getstoragediagnosticinfo.yml new file mode 100644 index 00000000..e6894026 --- /dev/null +++ b/rules/Sigma/powershell_memorydump_getstoragediagnosticinfo.yml @@ -0,0 +1,28 @@ +title: Live Memory Dump Using Powershell +author: Max Altgelt +date: 2021/09/21 +description: Detects usage of a PowerShell command to dump the live memory of a Windows + machine +detection: + SELECTION_1: + ScriptBlockText: '*Get-StorageDiagnosticInfo*' + SELECTION_2: + ScriptBlockText: '*-IncludeLiveDump*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Diagnostics +id: cd185561-4760-45d6-a63e-a51325112cae +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo +status: experimental +tags: +- attack.t1003 +yml_filename: powershell_memorydump_getstoragediagnosticinfo.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_nishang_malicious_commandlets.yml b/rules/Sigma/powershell_nishang_malicious_commandlets.yml new file mode 100644 index 00000000..3deb4678 --- /dev/null +++ b/rules/Sigma/powershell_nishang_malicious_commandlets.yml 
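Review bot: `definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277` reads as advice rather than the data-source requirement this field is for, and it is the only ps_script rule in this diff that does not state the requirement plainly; `definition: Script block logging must be enabled` would match the siblings, with the adsecurity link moved under `references` where the other one already lives. `*TOKEN_QUERY*`, `*TOKEN_ALL_ACCESS*`, `*TOKEN_PRIVILEGES*` and `*Microsoft.Win32.UnsafeNativeMethods*` also occur in legitimate P/Invoke-heavy administrative scripts and vendor modules, so `falsepositives: Penetration tests` at `level: high` is likely optimistic; naming the expected benign sources there would help tuning.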
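Review bot: `tags` carries only `attack.t1003` with no tactic entry, whereas every other rule in this diff pairs the technique with its tactic; the matching pair here would be `- attack.credential_access` followed by `- attack.t1003`. Without the tactic tag the rule drops out of tactic-based grouping in consumers that rely on it. Since `falsepositives: Diagnostics` already concedes benign use and the only reference is the Microsoft documentation for the cmdlet, `description` should say that `Get-StorageDiagnosticInfo -IncludeLiveDump` is a documented storage troubleshooting command so the `level: high` alert is triaged with that context.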
@@ -0,0 +1,179 @@ +title: Malicious Nishang PowerShell Commandlets +author: Alec Costello +date: 2019/05/16 +description: Detects Commandlet names and arguments from the Nishang exploitation + framework +detection: + SELECTION_1: + ScriptBlockText: '*Add-ConstrainedDelegationBackdoor*' + SELECTION_10: + ScriptBlockText: '*Out-HTA*' + SELECTION_11: + ScriptBlockText: '*Out-SCF*' + SELECTION_12: + ScriptBlockText: '*Out-SCT*' + SELECTION_13: + ScriptBlockText: '*Out-Shortcut*' + SELECTION_14: + ScriptBlockText: '*Out-WebQuery*' + SELECTION_15: + ScriptBlockText: '*Out-Word*' + SELECTION_16: + ScriptBlockText: '*Enable-Duplication*' + SELECTION_17: + ScriptBlockText: '*Remove-Update*' + SELECTION_18: + ScriptBlockText: '*Download-Execute-PS*' + SELECTION_19: + ScriptBlockText: '*Download_Execute*' + SELECTION_2: + ScriptBlockText: '*Set-DCShadowPermissions*' + SELECTION_20: + ScriptBlockText: '*Execute-Command-MSSQL*' + SELECTION_21: + ScriptBlockText: '*Execute-DNSTXT-Code*' + SELECTION_22: + ScriptBlockText: '*Out-RundllCommand*' + SELECTION_23: + ScriptBlockText: '*Copy-VSS*' + SELECTION_24: + ScriptBlockText: '*FireBuster*' + SELECTION_25: + ScriptBlockText: '*FireListener*' + SELECTION_26: + ScriptBlockText: '*Get-Information*' + SELECTION_27: + ScriptBlockText: '*Get-PassHints*' + SELECTION_28: + ScriptBlockText: '*Get-WLAN-Keys*' + SELECTION_29: + ScriptBlockText: '*Get-Web-Credentials*' + SELECTION_3: + ScriptBlockText: '*DNS_TXT_Pwnage*' + SELECTION_30: + ScriptBlockText: '*Invoke-CredentialsPhish*' + SELECTION_31: + ScriptBlockText: '*Invoke-MimikatzWDigestDowngrade*' + SELECTION_32: + ScriptBlockText: '*Invoke-SSIDExfil*' + SELECTION_33: + ScriptBlockText: '*Invoke-SessionGopher*' + SELECTION_34: + ScriptBlockText: '*Keylogger*' + SELECTION_35: + ScriptBlockText: '*Invoke-Interceptor*' + SELECTION_36: + ScriptBlockText: '*Create-MultipleSessions*' + SELECTION_37: + ScriptBlockText: '*Invoke-NetworkRelay*' + SELECTION_38: + ScriptBlockText: 
'*Run-EXEonRemote*' + SELECTION_39: + ScriptBlockText: '*Invoke-Prasadhak*' + SELECTION_4: + ScriptBlockText: '*Execute-OnTime*' + SELECTION_40: + ScriptBlockText: '*Invoke-BruteForce*' + SELECTION_41: + ScriptBlockText: '*Password-List*' + SELECTION_42: + ScriptBlockText: '*Invoke-JSRatRegsvr*' + SELECTION_43: + ScriptBlockText: '*Invoke-JSRatRundll*' + SELECTION_44: + ScriptBlockText: '*Invoke-PoshRatHttps*' + SELECTION_45: + ScriptBlockText: '*Invoke-PowerShellIcmp*' + SELECTION_46: + ScriptBlockText: '*Invoke-PowerShellUdp*' + SELECTION_47: + ScriptBlockText: '*Invoke-PSGcat*' + SELECTION_48: + ScriptBlockText: '*Invoke-PsGcatAgent*' + SELECTION_49: + ScriptBlockText: '*Remove-PoshRat*' + SELECTION_5: + ScriptBlockText: '*HTTP-Backdoor*' + SELECTION_50: + ScriptBlockText: '*Add-Persistance*' + SELECTION_51: + ScriptBlockText: '*ExetoText*' + SELECTION_52: + ScriptBlockText: '*Invoke-Decode*' + SELECTION_53: + ScriptBlockText: '*Invoke-Encode*' + SELECTION_54: + ScriptBlockText: '*Parse_Keys*' + SELECTION_55: + ScriptBlockText: '*Remove-Persistence*' + SELECTION_56: + ScriptBlockText: '*StringtoBase64*' + SELECTION_57: + ScriptBlockText: '*TexttoExe*' + SELECTION_58: + ScriptBlockText: '*Powerpreter*' + SELECTION_59: + ScriptBlockText: '*Nishang*' + SELECTION_6: + ScriptBlockText: '*Set-RemotePSRemoting*' + SELECTION_60: + ScriptBlockText: '*DataToEncode*' + SELECTION_61: + ScriptBlockText: '*LoggedKeys*' + SELECTION_62: + ScriptBlockText: '*OUT-DNSTXT*' + SELECTION_63: + ScriptBlockText: '*ExfilOption*' + SELECTION_64: + ScriptBlockText: '*DumpCerts*' + SELECTION_65: + ScriptBlockText: '*DumpCreds*' + SELECTION_66: + ScriptBlockText: '*Shellcode32*' + SELECTION_67: + ScriptBlockText: '*Shellcode64*' + SELECTION_68: + ScriptBlockText: '*NotAllNameSpaces*' + SELECTION_69: + ScriptBlockText: '*exfill*' + SELECTION_7: + ScriptBlockText: '*Set-RemoteWMI*' + SELECTION_70: + ScriptBlockText: '*FakeDC*' + SELECTION_8: + ScriptBlockText: '*Invoke-AmsiBypass*' + 
SELECTION_9: + ScriptBlockText: '*Out-CHM*' + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 + or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 + or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55 + or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60 + or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65 + or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70) +falsepositives: +- Penetration testing +id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://github.com/samratashok/nishang +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_nishang_malicious_commandlets.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_ntfs_ads_access.yml b/rules/Sigma/powershell_ntfs_ads_access.yml new file mode 100644 index 00000000..6733bd4c --- /dev/null +++ b/rules/Sigma/powershell_ntfs_ads_access.yml 
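Review bot: Several selections are generic substrings rather than Nishang-specific identifiers — `*Get-Information*`, `*Keylogger*`, `*exfill*`, `*Password-List*`, `*DumpCreds*`, `*DumpCerts*`, `*Shellcode32*`, `*Shellcode64*`, `*NotAllNameSpaces*` — so with `level: high` and `falsepositives: Penetration testing` the rule will fire on unrelated scripts, variable names and comments that merely contain those words. The broad entries should either be narrowed to the Nishang cmdlet or parameter forms they stand for or be called out under `falsepositives`. `*Remove-Update*` is also matched by the Malicious PowerShell Commandlets rule in this diff, so one script block will raise two `high` alerts; if that overlap is intended, a sentence in `description` saves the analyst the cross-check.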
@@ -0,0 +1,36 @@ +title: NTFS Alternate Data Stream +author: Sami Ruohonen +date: 2018/07/24 +description: Detects writing data into NTFS alternate data streams from powershell. + Needs Script Block Logging. +detection: + SELECTION_1: + ScriptBlockText: '*set-content*' + SELECTION_2: + ScriptBlockText: '*add-content*' + SELECTION_3: + ScriptBlockText: '*-stream*' + condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3)) +falsepositives: +- unknown +id: 8c521530-5169-495d-a199-0a3a881ad24e +level: high +logsource: + category: ps_script + definition: Script block logging must be enabled + product: windows +modified: 2021/10/16 +references: +- http://www.powertheshell.com/ntfsstreams/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md +status: experimental +tags: +- attack.defense_evasion +- attack.t1564.004 +- attack.t1096 +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: powershell_ntfs_ads_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script + diff --git a/rules/Sigma/powershell_powercat.yml b/rules/Sigma/powershell_powercat.yml new file mode 100644 index 00000000..136566ed --- /dev/null +++ b/rules/Sigma/powershell_powercat.yml 
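Review bot: The three selections are independent substring matches on the whole `ScriptBlockText`, so `*set-content*` or `*add-content*` anywhere in a block combined with `*-stream*` anywhere else in the same block is enough to fire — the condition does not tie the `-Stream` parameter to the `Set-Content`/`Add-Content` call, and `*-stream*` also matches unrelated hyphenated tokens in long scripts. With `falsepositives: unknown` and `level: high`, at least one known benign case should be listed (scripts that write or clear `Zone.Identifier` with `Set-Content -Stream`, for example) — and `unknown` should be capitalised `Unknown` to match the other rules in this diff. `tags` also carries `attack.t1096`, the retired id for NTFS file attributes, alongside its replacement `attack.t1564.004`; the old tag is redundant.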
@@ -0,0 +1,31 @@ +title: Netcat The Powershell Version +author: frack113 +date: 2021/07/21 +description: Adversaries may use a non-application layer protocol for communication + between host and C2 server or among infected hosts within a network +detection: + SELECTION_1: + ContextInfo: '*powercat *' + SELECTION_2: + ContextInfo: '*powercat.ps1*' + condition: (SELECTION_1 or SELECTION_2) +falsepositives: +- Unknown +id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 +level: medium +logsource: + category: ps_module + definition: PowerShell Module Logging must be enabled + product: windows +modified: 2021/10/16 +references: +- https://nmap.org/ncat/ +- https://github.com/besimorhino/powercat +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md +status: experimental +tags: +- attack.command_and_control +- attack.t1095 +yml_filename: powershell_powercat.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module + diff --git a/rules/Sigma/powershell_powerview_malicious_commandlets.yml b/rules/Sigma/powershell_powerview_malicious_commandlets.yml new file mode 100644 index 00000000..88476b84 --- /dev/null +++ b/rules/Sigma/powershell_powerview_malicious_commandlets.yml 
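Review bot: `description` is the generic ATT&CK T1095 technique text and never mentions powercat, so an analyst reading the alert does not learn what was matched; something like `description: Detects loading or invocation of powercat, the PowerShell netcat clone, via PowerShell module logging (ContextInfo)` ties the text to the two selections. In `ContextInfo: '*powercat *'` the trailing space inside the quotes is what stops the pattern from matching longer tokens that merely begin with `powercat`, while `'*powercat.ps1*'` covers the script file itself; a short comment above SELECTION_1 explaining that the space is significant would keep a future reformat from trimming it.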
@@ -0,0 +1,295 @@ +title: Malicious PowerView PowerShell Commandlets +author: Bhabesh Raj +date: 2021/05/18 +description: Detects Commandlet names from PowerView of PowerSploit exploitation framework. +detection: + SELECTION_1: + ScriptBlockText: '*Export-PowerViewCSV*' + SELECTION_10: + ScriptBlockText: '*Invoke-UserImpersonation*' + SELECTION_100: + ScriptBlockText: '*Invoke-UserHunter*' + SELECTION_101: + ScriptBlockText: '*Find-DomainUserLocation*' + SELECTION_102: + ScriptBlockText: '*Invoke-ProcessHunter*' + SELECTION_103: + ScriptBlockText: '*Find-DomainProcess*' + SELECTION_104: + ScriptBlockText: '*Invoke-EventHunter*' + SELECTION_105: + ScriptBlockText: '*Find-DomainUserEvent*' + SELECTION_106: + ScriptBlockText: '*Invoke-ShareFinder*' + SELECTION_107: + ScriptBlockText: '*Find-DomainShare*' + SELECTION_108: + ScriptBlockText: '*Invoke-FileFinder*' + SELECTION_109: + ScriptBlockText: '*Find-InterestingDomainShareFile*' + SELECTION_11: + ScriptBlockText: '*Invoke-RevertToSelf*' + SELECTION_110: + ScriptBlockText: '*Find-LocalAdminAccess*' + SELECTION_111: + ScriptBlockText: '*Invoke-EnumerateLocalAdmin*' + SELECTION_112: + ScriptBlockText: '*Find-DomainLocalGroupMember*' + SELECTION_113: + ScriptBlockText: '*Get-NetDomainTrust*' + SELECTION_114: + ScriptBlockText: '*Get-DomainTrust*' + SELECTION_115: + ScriptBlockText: '*Get-NetForestTrust*' + SELECTION_116: + ScriptBlockText: '*Get-ForestTrust*' + SELECTION_117: + ScriptBlockText: '*Find-ForeignUser*' + SELECTION_118: + ScriptBlockText: '*Get-DomainForeignUser*' + SELECTION_119: + ScriptBlockText: '*Find-ForeignGroup*' + SELECTION_12: + ScriptBlockText: '*Request-SPNTicket*' + SELECTION_120: + ScriptBlockText: '*Get-DomainForeignGroupMember*' + SELECTION_121: + ScriptBlockText: '*Invoke-MapDomainTrust*' + SELECTION_122: + ScriptBlockText: '*Get-DomainTrustMapping*' + SELECTION_13: + ScriptBlockText: '*Get-DomainSPNTicket*' + SELECTION_14: + ScriptBlockText: '*Invoke-Kerberoast*' + SELECTION_15: + 
ScriptBlockText: '*Get-PathAcl*' + SELECTION_16: + ScriptBlockText: '*Get-DNSZone*' + SELECTION_17: + ScriptBlockText: '*Get-DomainDNSZone*' + SELECTION_18: + ScriptBlockText: '*Get-DNSRecord*' + SELECTION_19: + ScriptBlockText: '*Get-DomainDNSRecord*' + SELECTION_2: + ScriptBlockText: '*Get-IPAddress*' + SELECTION_20: + ScriptBlockText: '*Get-NetDomain*' + SELECTION_21: + ScriptBlockText: '*Get-Domain*' + SELECTION_22: + ScriptBlockText: '*Get-NetDomainController*' + SELECTION_23: + ScriptBlockText: '*Get-DomainController*' + SELECTION_24: + ScriptBlockText: '*Get-NetForest*' + SELECTION_25: + ScriptBlockText: '*Get-Forest*' + SELECTION_26: + ScriptBlockText: '*Get-NetForestDomain*' + SELECTION_27: + ScriptBlockText: '*Get-ForestDomain*' + SELECTION_28: + ScriptBlockText: '*Get-NetForestCatalog*' + SELECTION_29: + ScriptBlockText: '*Get-ForestGlobalCatalog*' + SELECTION_3: + ScriptBlockText: '*Resolve-IPAddress*' + SELECTION_30: + ScriptBlockText: '*Find-DomainObjectPropertyOutlier*' + SELECTION_31: + ScriptBlockText: '*Get-NetUser*' + SELECTION_32: + ScriptBlockText: '*Get-DomainUser*' + SELECTION_33: + ScriptBlockText: '*New-DomainUser*' + SELECTION_34: + ScriptBlockText: '*Set-DomainUserPassword*' + SELECTION_35: + ScriptBlockText: '*Get-UserEvent*' + SELECTION_36: + ScriptBlockText: '*Get-DomainUserEvent*' + SELECTION_37: + ScriptBlockText: '*Get-NetComputer*' + SELECTION_38: + ScriptBlockText: '*Get-DomainComputer*' + SELECTION_39: + ScriptBlockText: '*Get-ADObject*' + SELECTION_4: + ScriptBlockText: '*Convert-NameToSid*' + SELECTION_40: + ScriptBlockText: '*Get-DomainObject*' + SELECTION_41: + ScriptBlockText: '*Set-ADObject*' + SELECTION_42: + ScriptBlockText: '*Set-DomainObject*' + SELECTION_43: + ScriptBlockText: '*Get-ObjectAcl*' + SELECTION_44: + ScriptBlockText: '*Get-DomainObjectAcl*' + SELECTION_45: + ScriptBlockText: '*Add-ObjectAcl*' + SELECTION_46: + ScriptBlockText: '*Add-DomainObjectAcl*' + SELECTION_47: + ScriptBlockText: '*Invoke-ACLScanner*' 
+ SELECTION_48:
+ ScriptBlockText: '*Find-InterestingDomainAcl*'
+ SELECTION_49:
+ ScriptBlockText: '*Get-NetOU*'
+ SELECTION_5:
+ ScriptBlockText: '*ConvertTo-SID*'
+ SELECTION_50:
+ ScriptBlockText: '*Get-DomainOU*'
+ SELECTION_51:
+ ScriptBlockText: '*Get-NetSite*'
+ SELECTION_52:
+ ScriptBlockText: '*Get-DomainSite*'
+ SELECTION_53:
+ ScriptBlockText: '*Get-NetSubnet*'
+ SELECTION_54:
+ ScriptBlockText: '*Get-DomainSubnet*'
+ SELECTION_55:
+ ScriptBlockText: '*Get-DomainSID*'
+ SELECTION_56:
+ ScriptBlockText: '*Get-NetGroup*'
+ SELECTION_57:
+ ScriptBlockText: '*Get-DomainGroup*'
+ SELECTION_58:
+ ScriptBlockText: '*New-DomainGroup*'
+ SELECTION_59:
+ ScriptBlockText: '*Find-ManagedSecurityGroups*'
+ SELECTION_6:
+ ScriptBlockText: '*Convert-ADName*'
+ SELECTION_60:
+ ScriptBlockText: '*Get-DomainManagedSecurityGroup*'
+ SELECTION_61:
+ ScriptBlockText: '*Get-NetGroupMember*'
+ SELECTION_62:
+ ScriptBlockText: '*Get-DomainGroupMember*'
+ SELECTION_63:
+ ScriptBlockText: '*Add-DomainGroupMember*'
+ SELECTION_64:
+ ScriptBlockText: '*Get-NetFileServer*'
+ SELECTION_65:
+ ScriptBlockText: '*Get-DomainFileServer*'
+ SELECTION_66:
+ ScriptBlockText: '*Get-DFSshare*'
+ SELECTION_67:
+ ScriptBlockText: '*Get-DomainDFSShare*'
+ SELECTION_68:
+ ScriptBlockText: '*Get-NetGPO*'
+ SELECTION_69:
+ ScriptBlockText: '*Get-DomainGPO*'
+ SELECTION_7:
+ ScriptBlockText: '*ConvertFrom-UACValue*'
+ SELECTION_70:
+ ScriptBlockText: '*Get-NetGPOGroup*'
+ SELECTION_71:
+ ScriptBlockText: '*Get-DomainGPOLocalGroup*'
+ SELECTION_72:
+ ScriptBlockText: '*Find-GPOLocation*'
+ SELECTION_73:
+ ScriptBlockText: '*Get-DomainGPOUserLocalGroupMapping*'
+ SELECTION_74:
+ ScriptBlockText: '*Find-GPOComputerAdmin*'
+ SELECTION_75:
+ ScriptBlockText: '*Get-DomainGPOComputerLocalGroupMapping*'
+ SELECTION_76:
+ ScriptBlockText: '*Get-DomainPolicy*'
+ SELECTION_77:
+ ScriptBlockText: '*Get-NetLocalGroup*'
+ SELECTION_78:
+ ScriptBlockText: '*Get-NetLocalGroupMember*'
+ SELECTION_79:
+ ScriptBlockText: '*Get-NetShare*'
+ SELECTION_8:
+ ScriptBlockText: '*Add-RemoteConnection*'
+ SELECTION_80:
+ ScriptBlockText: '*Get-NetLoggedon*'
+ SELECTION_81:
+ ScriptBlockText: '*Get-NetSession*'
+ SELECTION_82:
+ ScriptBlockText: '*Get-LoggedOnLocal*'
+ SELECTION_83:
+ ScriptBlockText: '*Get-RegLoggedOn*'
+ SELECTION_84:
+ ScriptBlockText: '*Get-NetRDPSession*'
+ SELECTION_85:
+ ScriptBlockText: '*Invoke-CheckLocalAdminAccess*'
+ SELECTION_86:
+ ScriptBlockText: '*Test-AdminAccess*'
+ SELECTION_87:
+ ScriptBlockText: '*Get-SiteName*'
+ SELECTION_88:
+ ScriptBlockText: '*Get-NetComputerSiteName*'
+ SELECTION_89:
+ ScriptBlockText: '*Get-Proxy*'
+ SELECTION_9:
+ ScriptBlockText: '*Remove-RemoteConnection*'
+ SELECTION_90:
+ ScriptBlockText: '*Get-WMIRegProxy*'
+ SELECTION_91:
+ ScriptBlockText: '*Get-LastLoggedOn*'
+ SELECTION_92:
+ ScriptBlockText: '*Get-WMIRegLastLoggedOn*'
+ SELECTION_93:
+ ScriptBlockText: '*Get-CachedRDPConnection*'
+ SELECTION_94:
+ ScriptBlockText: '*Get-WMIRegCachedRDPConnection*'
+ SELECTION_95:
+ ScriptBlockText: '*Get-RegistryMountedDrive*'
+ SELECTION_96:
+ ScriptBlockText: '*Get-WMIRegMountedDrive*'
+ SELECTION_97:
+ ScriptBlockText: '*Get-NetProcess*'
+ SELECTION_98:
+ ScriptBlockText: '*Get-WMIProcess*'
+ SELECTION_99:
+ ScriptBlockText: '*Find-InterestingFile*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+ or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
+ or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
+ or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
+ or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
+ or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
+ or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
+ or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
+ or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
+ or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
+ or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
+ or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
+ or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
+ or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
+ or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95
+ or SELECTION_96 or SELECTION_97 or SELECTION_98 or SELECTION_99 or SELECTION_100
+ or SELECTION_101 or SELECTION_102 or SELECTION_103 or SELECTION_104 or SELECTION_105
+ or SELECTION_106 or SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110
+ or SELECTION_111 or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115
+ or SELECTION_116 or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120
+ or SELECTION_121 or SELECTION_122)
+falsepositives:
+- Should not be any as administrators do not use this tool
+id: dcd74b95-3f36-4ed9-9598-0490951643aa
+level: high
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://powersploit.readthedocs.io/en/stable/Recon/README
+- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+- https://thedfirreport.com/2020/10/08/ryuks-return
+- https://adsecurity.org/?p=2277
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_powerview_malicious_commandlets.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_prompt_credentials.yml b/rules/Sigma/powershell_prompt_credentials.yml
new file mode 100644
index 00000000..f3d8882c
--- /dev/null
+++ b/rules/Sigma/powershell_prompt_credentials.yml
@@ -0,0 +1,29 @@
+title: PowerShell Credential Prompt
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+description: Detects PowerShell calling a credential prompt
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*PromptForCredential*'
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+id: ca8b77a9-d499-4095-b793-5d5f330d450e
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://twitter.com/JohnLaTwC/status/850381440629981184
+- https://t.co/ezOTGy1a1G
+status: experimental
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_prompt_credentials.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_psattack.yml b/rules/Sigma/powershell_psattack.yml
new file mode 100644
index 00000000..d5db3980
--- /dev/null
+++ b/rules/Sigma/powershell_psattack.yml
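Review bot: `yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script` at the end of the rule embeds an absolute path from the converting author's local machine; it means nothing to anyone consuming the ruleset and will drift on every regeneration, and the same line closes every other rule file in this change. If the rule loader does not read it, dropping it, or having the converter emit a repository-relative path such as `rules/windows/powershell/powershell_script`, would be cleaner. Separately, the tag list carries both `attack.t1086` and `attack.t1059.001`; T1086 is the retired ATT&CK ID that T1059.001 replaced, so one of the two is redundant, and the same pairing appears in the psattack, remote session, renamed powershell, shellcode, suspicious download and suspicious invocation rules below.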
@@ -0,0 +1,27 @@
+title: PowerShell PSAttack
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+description: Detects the use of PSAttack PowerShell hack tool
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*PS ATTACK!!!*'
+ condition: SELECTION_1
+falsepositives:
+- Pentesters
+id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://adsecurity.org/?p=2921
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_psattack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_remote_powershell_session.yml b/rules/Sigma/powershell_remote_powershell_session.yml
new file mode 100644
index 00000000..5a83d0d1
--- /dev/null
+++ b/rules/Sigma/powershell_remote_powershell_session.yml
@@ -0,0 +1,32 @@
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects remote PowerShell sessions
+detection:
+ SELECTION_1:
+ ContextInfo: '* = ServerRemoteHost *'
+ SELECTION_2:
+ ContextInfo: '*wsmprovhost.exe*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use remote PowerShell sessions
+id: 96b9f619-aa91-478f-bacb-c3e50f8df575
+level: high
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+yml_filename: powershell_remote_powershell_session.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
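Review bot: The tag list of the Remote PowerShell Session rule pairs `attack.t1028` with `attack.t1021.006`; T1028 is the retired ATT&CK ID that T1021.006 replaced, so the technique is tagged twice and the old ID can go. SELECTION_1 `'* = ServerRemoteHost *'` also depends on the exact spacing around `=` in the logged ContextInfo string; if that rendering ever differs, the `and` with SELECTION_2 silently stops firing, so it is worth confirming the pattern against a captured 4103 event and noting that in the rule. The `falsepositives` entry reads better as `- Legitimate use of remote PowerShell sessions`.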
diff --git a/rules/Sigma/powershell_renamed_powershell.yml b/rules/Sigma/powershell_renamed_powershell.yml
new file mode 100644
index 00000000..a858e3c9
--- /dev/null
+++ b/rules/Sigma/powershell_renamed_powershell.yml
@@ -0,0 +1,31 @@
+title: Renamed Powershell Under Powershell Channel
+author: Harish Segar, frack113
+date: 2020/06/29
+description: Detects renamed powershell
+detection:
+ SELECTION_1:
+ HostName: ConsoleHost
+ SELECTION_2:
+ HostApplication: powershell.exe*
+ SELECTION_3:
+ HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
+ condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3)))
+falsepositives:
+- unknown
+id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
+level: low
+logsource:
+ category: ps_classic_start
+ definition: fields have to be extract from event
+ product: windows
+modified: 2021/10/16
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: test
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
+yml_filename: powershell_renamed_powershell.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/powershell_set_policies_to_unsecure_level.yml b/rules/Sigma/powershell_set_policies_to_unsecure_level.yml
new file mode 100644
index 00000000..4c5f2195
--- /dev/null
+++ b/rules/Sigma/powershell_set_policies_to_unsecure_level.yml
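Review bot: The allowlist in SELECTION_2/SELECTION_3 accepts only two HostApplication prefixes, `powershell.exe*` and `C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*`; a 32-bit host started from `C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, or a launch typed without the `.exe` suffix, would presumably not be excluded and would be reported as a renamed binary, which may be why `falsepositives` is `unknown`. Confirming what HostApplication actually contains for those launches and adding the matching prefixes (or a single `*\powershell.exe*` pattern) would tighten the rule before its `level: low` gets tuned by ignoring it. The definition line would read better as `definition: fields have to be extracted from the event`.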
@@ -0,0 +1,31 @@
+title: Change PowerShell Policies to a Unsecure Level
+author: frack113
+date: 2021/10/20
+description: Detects use of Set-ExecutionPolicy to set a unsecure policies
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Set-ExecutionPolicy*'
+ SELECTION_2:
+ ScriptBlockText: '*Unrestricted*'
+ SELECTION_3:
+ ScriptBlockText: '*bypass*'
+ SELECTION_4:
+ ScriptBlockText: '*RemoteSigned*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- Administrator script
+id: 61d0475c-173f-4844-86f7-f3eebae1c66b
+level: high
+logsource:
+ category: ps_script
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
+- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
+- https://adsecurity.org/?p=2604
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_set_policies_to_unsecure_level.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_shellcode_b64.yml b/rules/Sigma/powershell_shellcode_b64.yml
new file mode 100644
index 00000000..36d66a2f
--- /dev/null
+++ b/rules/Sigma/powershell_shellcode_b64.yml
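Review bot: `SELECTION_4: ScriptBlockText: '*RemoteSigned*'` puts RemoteSigned on the same footing as Unrestricted and Bypass at `level: high`, but RemoteSigned is the default policy on Windows Server and a common administrative setting, so this rule will presumably fire on routine `Set-ExecutionPolicy RemoteSigned` calls in provisioning scripts; documenting that under `falsepositives` or lowering the level would make the severity honest. The rule also lacks the `status:` and `modified:` fields that every sibling rule in this change carries; `status: experimental` would be consistent with them. The description wording `a unsecure policies` should read `an insecure policy`.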
@@ -0,0 +1,34 @@
+title: PowerShell ShellCode
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+description: Detects Base64 encoded Shellcode
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*AAAAYInlM*'
+ SELECTION_2:
+ ScriptBlockText: '*OiCAAAAYInlM*'
+ SELECTION_3:
+ ScriptBlockText: '*OiJAAAAYInlM*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
+level: critical
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://twitter.com/cyb3rops/status/1063072865992523776
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_shellcode_b64.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_shellintel_malicious_commandlets.yml b/rules/Sigma/powershell_shellintel_malicious_commandlets.yml
new file mode 100644
index 00000000..ad4f29df
--- /dev/null
+++ b/rules/Sigma/powershell_shellintel_malicious_commandlets.yml
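Review bot: SELECTION_1 `'*AAAAYInlM*'` is a substring of both SELECTION_2 `'*OiCAAAAYInlM*'` and SELECTION_3 `'*OiJAAAAYInlM*'`, so the `and` in `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))` can never change the outcome; `condition: (SELECTION_2 or SELECTION_3)` matches exactly the same events with one selection fewer. The only explanation of what these three Base64 fragments represent is the tweet under `references`, so a one-line comment above `detection:` saying what they encode would spare the next maintainer a dead link.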
@@ -0,0 +1,32 @@
+title: Malicious ShellIntel PowerShell Commandlets
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Invoke-SMBAutoBrute*'
+ SELECTION_2:
+ ScriptBlockText: '*Invoke-GPOLinks*'
+ SELECTION_3:
+ ScriptBlockText: '*Out-Minidump*'
+ SELECTION_4:
+ ScriptBlockText: '*Invoke-Potato*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Unknown
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+level: high
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Shellntel/scripts/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_shellintel_malicious_commandlets.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_software_discovery.yml b/rules/Sigma/powershell_software_discovery.yml
new file mode 100644
index 00000000..169eccae
--- /dev/null
+++ b/rules/Sigma/powershell_software_discovery.yml
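Review bot: `definition: Script Block Logging must be enable` drops the final letter; `definition: Script Block Logging must be enabled` is the phrasing the neighbouring rules use. The same typo is in powershell_susp_zip_compress_in_scriptblocktext.yml, powershell_suspicious_export_pfxcertificate.yml and powershell_suspicious_getprocess_lsass.yml below, and in the PowerView rule above, whose start lies outside this chunk.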
@@ -0,0 +1,35 @@
+title: Detected Windows Software Discovery
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+description: Adversaries may attempt to enumerate software for a variety of reasons,
+ such as figuring out what security measures are present or if the compromised
+ system has a version of software that is vulnerable.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*get-itemProperty*'
+ SELECTION_2:
+ ScriptBlockText: '*\software\\*'
+ SELECTION_3:
+ ScriptBlockText: '*select-object*'
+ SELECTION_4:
+ ScriptBlockText: '*format-table*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate administration activities
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/11/12
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+- https://github.com/harleyQu1nn/AggressorScripts
+status: experimental
+tags:
+- attack.discovery
+- attack.t1518
+yml_filename: powershell_software_discovery.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_store_file_in_alternate_data_stream.yml b/rules/Sigma/powershell_store_file_in_alternate_data_stream.yml
new file mode 100644
index 00000000..6b67de11
--- /dev/null
+++ b/rules/Sigma/powershell_store_file_in_alternate_data_stream.yml
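Review bot: `condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)` requires `select-object` and `format-table` in the same script block as `get-itemProperty` and `\software\`, which mirrors the exact command in the Atomic Red Team reference; a registry walk piped to anything else, or to nothing, presumably does not match, so the `medium` level is buying precision with a fairly narrow shape. If that trade-off is intended, a short comment above `detection:` saying so would stop the next reviewer from loosening it; if not, SELECTION_3 and SELECTION_4 are the two to reconsider.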
@@ -0,0 +1,32 @@
+title: Powershell Store File In Alternate Data Stream
+author: frack113
+date: 2021/09/02
+description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Start-Process*'
+ SELECTION_2:
+ ScriptBlockText: '*-FilePath "$env:comspec" *'
+ SELECTION_3:
+ ScriptBlockText: '*-ArgumentList *'
+ SELECTION_4:
+ ScriptBlockText: '*>*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
+level: medium
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
+yml_filename: powershell_store_file_in_alternate_data_stream.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/Sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..30a9be07
--- /dev/null
+++ b/rules/Sigma/powershell_susp_athremotefxvgpudisablementcommand.yml
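Review bot: None of the four selections constrains where the redirection in SELECTION_4 `'*>*'` points — no pattern contains a `:` stream component — so the rule keys on the shape of the referenced atomic test (`Start-Process -FilePath "$env:comspec" -ArgumentList … >`) rather than on an alternate data stream as the title and description state. SELECTION_2 also pins the exact quoting `-FilePath "$env:comspec" ` (double quotes, trailing space), so single-quoted or unquoted forms presumably slip past. A comment above `detection:` noting that the selections reproduce the atomic's command shape would make the intent explicit, and `definition: EnableScriptBlockLogging must be set to enable` would be clearer as `definition: Script block logging must be enabled` like the sibling rules.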
@@ -0,0 +1,41 @@
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+ that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+ SELECTION_1:
+ ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+ SELECTION_2:
+ ContextInfo: '*-ModuleName *'
+ SELECTION_3:
+ ContextInfo: '*-ModulePath *'
+ SELECTION_4:
+ ContextInfo: '*-ScriptBlock *'
+ SELECTION_5:
+ ContextInfo: '*-RemoteFXvGPUDisablementFilePath*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+level: medium
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: powershell_susp_athremotefxvgpudisablementcommand.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_susp_zip_compress.yml b/rules/Sigma/powershell_susp_zip_compress.yml
new file mode 100644
index 00000000..520c9ec3
--- /dev/null
+++ b/rules/Sigma/powershell_susp_zip_compress.yml
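Review bot: `definition: PowerShell Module Logging must be enabledd` has a doubled letter; `definition: PowerShell Module Logging must be enabled` is the form used by the other ps_module rules, and the same typo is in powershell_susp_zip_compress.yml below. The `fields:` list names `CommandLine` and `ParentCommandLine`, which are process-creation fields; a `ps_module` event presumably does not carry them, so any tool that surfaces `fields` will show them empty, while `ContextInfo` — the field the five selections actually match — is not listed.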
@@ -0,0 +1,36 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ ContextInfo: '*Compress-Archive *'
+ SELECTION_2:
+ ContextInfo: '* -Path *'
+ SELECTION_3:
+ ContextInfo: '* -DestinationPath *'
+ SELECTION_4:
+ ContextInfo: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+level: medium
+logsource:
+ category: ps_module
+ definition: PowerShell Module Logging must be enabledd
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
+yml_filename: powershell_susp_zip_compress.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/Sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..d377b6fc
--- /dev/null
+++ b/rules/Sigma/powershell_susp_zip_compress_in_scriptblocktext.yml
@@ -0,0 +1,33 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Compress-Archive *'
+ SELECTION_2:
+ ScriptBlockText: '* -Path *'
+ SELECTION_3:
+ ScriptBlockText: '* -DestinationPath *'
+ SELECTION_4:
+ ScriptBlockText: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+level: medium
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
+yml_filename: powershell_susp_zip_compress_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_download.yml b/rules/Sigma/powershell_suspicious_download.yml
new file mode 100644
index 00000000..150555f4
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_download.yml
@@ -0,0 +1,22 @@
+title: Suspicious PowerShell Download
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ condition: (System.Net.WebClient and (.DownloadFile( or .DownloadString()))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/21
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_download.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
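Review bot: `condition: (System.Net.WebClient and (.DownloadFile( or .DownloadString()))` is not a Sigma condition — it holds the raw keyword strings in place of selection names, and the `detection` block above it has no selections at all, so a Sigma parser would reject this file; it looks as though the converter folded the original `keywords:` list into the condition. Since the rule is `status: deprecated`, the practical fix is either to exclude deprecated rules from the converted set or to restore the `keywords:` list and have the condition reference it. The same shape appears in powershell_suspicious_invocation_generic.yml and powershell_suspicious_invocation_specific.yml further down.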
diff --git a/rules/Sigma/powershell_suspicious_download_in_contextinfo.yml b/rules/Sigma/powershell_suspicious_download_in_contextinfo.yml
new file mode 100644
index 00000000..1af7503b
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_download_in_contextinfo.yml
@@ -0,0 +1,31 @@
+title: Suspicious PowerShell Download
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ SELECTION_1:
+ ContextInfo: '*System.Net.WebClient*'
+ SELECTION_2:
+ ContextInfo: '*.DownloadFile(*'
+ SELECTION_3:
+ ContextInfo: '*.DownloadString(*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: de41232e-12e8-49fa-86bc-c05c7e722df9
+level: medium
+logsource:
+ category: ps_module
+ product: windows
+modified: 2021/10/18
+related:
+- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_download_in_contextinfo.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_suspicious_download_in_scriptblocktext.yml b/rules/Sigma/powershell_suspicious_download_in_scriptblocktext.yml
new file mode 100644
index 00000000..60a1ca75
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_download_in_scriptblocktext.yml
@@ -0,0 +1,31 @@
+title: Suspicious PowerShell Download
+author: Florian Roth
+date: 2017/03/05
+description: Detects suspicious PowerShell download command
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*System.Net.WebClient*'
+ SELECTION_2:
+ ScriptBlockText: '*.DownloadFile(*'
+ SELECTION_3:
+ ScriptBlockText: '*.DownloadString(*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- PowerShell scripts that download content from the Internet
+id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
+level: medium
+logsource:
+ category: ps_script
+ product: windows
+modified: 2021/10/18
+related:
+- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_download_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_export_pfxcertificate.yml b/rules/Sigma/powershell_suspicious_export_pfxcertificate.yml
new file mode 100644
index 00000000..72f51c99
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_export_pfxcertificate.yml
@@ -0,0 +1,30 @@
+title: Suspicious Export-PfxCertificate
+author: Florian Roth
+date: 2021/04/23
+description: Detects Commandlet that is used to export certificates from the local
+ certificate store and sometimes used by threat actors to steal private keys from
+ compromised machines
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Export-PfxCertificate*'
+ condition: SELECTION_1
+falsepositives:
+- Legitimate certificate exports invoked by administrators or users (depends on processes
+ in the environment - filter if unusable)
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+level: high
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/08/04
+references:
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.004
+yml_filename: powershell_suspicious_export_pfxcertificate.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_getprocess_lsass.yml b/rules/Sigma/powershell_suspicious_getprocess_lsass.yml
new file mode 100644
index 00000000..26746634
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_getprocess_lsass.yml
@@ -0,0 +1,28 @@
+title: PowerShell Get-Process LSASS in ScriptBlock
+author: Florian Roth
+date: 2021/04/23
+description: Detects a Get-Process command on lsass process, which is in almost all
+ cases a sign of malicious activity
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Get-Process lsass*'
+ condition: SELECTION_1
+falsepositives:
+- Legitimate certificate exports invoked by administrators or users (depends on processes
+ in the environment - filter if unusable)
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+level: high
+logsource:
+ category: ps_script
+ definition: Script Block Logging must be enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://twitter.com/PythonResponder/status/1385064506049630211
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+yml_filename: powershell_suspicious_getprocess_lsass.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic.yml b/rules/Sigma/powershell_suspicious_invocation_generic.yml
new file mode 100644
index 00000000..41f295c0
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_generic.yml
@@ -0,0 +1,23 @@
+title: Suspicious PowerShell Invocations - Generic
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ condition: (( -enc or -EncodedCommand ) and ( -w hidden or -window hidden or -windowstyle
+ hidden ) and ( -noni or -noninteractive ))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: 3d304fda-78aa-43ed-975c-d740798a49c1
+level: high
+logsource:
+ product: windows
+ service: powershell
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_generic.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
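Review bot: The `falsepositives` entry `- Legitimate certificate exports invoked by administrators or users (…)` in the Get-Process LSASS rule is copied verbatim from powershell_suspicious_export_pfxcertificate.yml and has nothing to do with `Get-Process lsass`; the description even states the match is "in almost all cases a sign of malicious activity", so `- Unknown`, or a note about monitoring and troubleshooting scripts that inspect lsass, is what belongs there. The single pattern `'*Get-Process lsass*'` also matches only that spelling; the `-Name` parameter form and the `gps` alias presumably go unmatched, which deserves a comment if it is a deliberate precision trade-off.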
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/Sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
new file mode 100644
index 00000000..0ec8c3e4
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_generic_in_contextinfo.yml
@@ -0,0 +1,41 @@
+title: Suspicious PowerShell Invocations - Generic
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ ContextInfo: '* -enc *'
+ SELECTION_2:
+ ContextInfo: '* -EncodedCommand *'
+ SELECTION_3:
+ ContextInfo: '* -w hidden *'
+ SELECTION_4:
+ ContextInfo: '* -window hidden *'
+ SELECTION_5:
+ ContextInfo: '* -windowstyle hidden *'
+ SELECTION_6:
+ ContextInfo: '* -noni *'
+ SELECTION_7:
+ ContextInfo: '* -noninteractive *'
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and (SELECTION_6 or SELECTION_7))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
+level: high
+logsource:
+ category: ps_module
+ product: windows
+modified: 2021/10/18
+related:
+- id: 3d304fda-78aa-43ed-975c-d740798a49c1
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_generic_in_contextinfo.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
new file mode 100644
index 00000000..54e3b596
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
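Review bot: Every pattern in SELECTION_1 through SELECTION_7 is delimited by a space on both sides (`'* -enc *'`, `'* -noni *'`), so a switch that is the last token of the logged ContextInfo string, or one followed by a line break rather than a space, presumably does not match — `-noni` in particular is often the final argument. The leading space is a sensible guard against prefix hits, but a one-line comment above `detection:` stating that the trailing space is intentional (or dropping it for SELECTION_6/SELECTION_7, where the only longer form is already covered) would make the choice explicit. The same patterns are used in the scriptblocktext variant below.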
@@ -0,0 +1,41 @@
+title: Suspicious PowerShell Invocations - Generic
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ ScriptBlockText: '* -enc *'
+ SELECTION_2:
+ ScriptBlockText: '* -EncodedCommand *'
+ SELECTION_3:
+ ScriptBlockText: '* -w hidden *'
+ SELECTION_4:
+ ScriptBlockText: '* -window hidden *'
+ SELECTION_5:
+ ScriptBlockText: '* -windowstyle hidden *'
+ SELECTION_6:
+ ScriptBlockText: '* -noni *'
+ SELECTION_7:
+ ScriptBlockText: '* -noninteractive *'
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and (SELECTION_6 or SELECTION_7))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: ed965133-513f-41d9-a441-e38076a0798f
+level: high
+logsource:
+ category: ps_script
+ product: windows
+modified: 2021/10/18
+related:
+- id: 3d304fda-78aa-43ed-975c-d740798a49c1
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_generic_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific.yml b/rules/Sigma/powershell_suspicious_invocation_specific.yml
new file mode 100644
index 00000000..8e69e8dd
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_specific.yml
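Review bot: The seven selections look for host command-line switches (`-enc`, `-w hidden`, `-noni`) inside `ScriptBlockText`; a script block event records the content of the block rather than the parameters powershell.exe was started with, so these patterns would presumably only match when a script itself spawns another PowerShell with those flags, whereas the ContextInfo variant above is the one that sees the invocation. If that nested-launch case is the intent, a comment above `detection:` saying so would prevent someone "fixing" it; otherwise this rule may rarely fire on its own. The same consideration applies to powershell_suspicious_invocation_specific_in_scripblocktext.yml below.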
@@ -0,0 +1,27 @@
+title: Suspicious PowerShell Invocations - Specific
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ condition: (((( -w and hidden and ((-nop and -c and ([Convert]::FromBase64String
+ or (-noni and iex and New-Object))) or (-ep and bypass and -Enc))) or (powershell
+ and reg and add and HKCU\software\microsoft\windows\currentversion\run)) or
+ (bypass and -noprofile and -windowstyle and hidden and new-object and system.net.webclient
+ and .download)) or (iex and New-Object and Net.WebClient and .Download))
+falsepositives:
+- Penetration tests
+id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+level: high
+logsource:
+ definition: Script block logging must be enabled for 4104, Module Logging must
+ be enabled for 4103
+ product: windows
+ service: powershell
+status: deprecated
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_specific.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/Sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
new file mode 100644
index 00000000..cb5677d7
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_specific_in_contextinfo.yml
@@ -0,0 +1,96 @@
+title: Suspicious PowerShell Invocations - Specific
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ ContextInfo: '*-nop*'
+ SELECTION_10:
+ ContextInfo: '* -c *'
+ SELECTION_11:
+ ContextInfo: '*iex*'
+ SELECTION_12:
+ ContextInfo: '*New-Object*'
+ SELECTION_13:
+ ContextInfo: '* -w *'
+ SELECTION_14:
+ ContextInfo: '*hidden*'
+ SELECTION_15:
+ ContextInfo: '*-ep*'
+ SELECTION_16:
+ ContextInfo: '*bypass*'
+ SELECTION_17:
+ ContextInfo: '*-Enc*'
+ SELECTION_18:
+ ContextInfo: '*powershell*'
+ SELECTION_19:
+ ContextInfo: '*reg*'
+ SELECTION_2:
+ ContextInfo: '* -w *'
+ SELECTION_20:
+ ContextInfo: '*add*'
+ SELECTION_21:
+ ContextInfo: '*HKCU\software\microsoft\windows\currentversion\run*'
+ SELECTION_22:
+ ContextInfo: '*bypass*'
+ SELECTION_23:
+ ContextInfo: '*-noprofile*'
+ SELECTION_24:
+ ContextInfo: '*-windowstyle*'
+ SELECTION_25:
+ ContextInfo: '*hidden*'
+ SELECTION_26:
+ ContextInfo: '*new-object*'
+ SELECTION_27:
+ ContextInfo: '*system.net.webclient*'
+ SELECTION_28:
+ ContextInfo: '*.download*'
+ SELECTION_29:
+ ContextInfo: '*iex*'
+ SELECTION_3:
+ ContextInfo: '*hidden*'
+ SELECTION_30:
+ ContextInfo: '*New-Object*'
+ SELECTION_31:
+ ContextInfo: '*Net.WebClient*'
+ SELECTION_32:
+ ContextInfo: '*.Download*'
+ SELECTION_4:
+ ContextInfo: '* -c *'
+ SELECTION_5:
+ ContextInfo: '*[Convert]::FromBase64String*'
+ SELECTION_6:
+ ContextInfo: '* -w *'
+ SELECTION_7:
+ ContextInfo: '*hidden*'
+ SELECTION_8:
+ ContextInfo: '*-noni*'
+ SELECTION_9:
+ ContextInfo: '*-nop*'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
+ and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
+ and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
+ and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
+ and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
+ and SELECTION_31 and SELECTION_32))
+falsepositives:
+- Penetration tests
+id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
+level: high
+logsource:
+ category: ps_module
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/18
+related:
+- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_specific_in_contextinfo.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/Sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
new file mode 100644
index 00000000..f55eb70a
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_invocation_specific_in_scripblocktext.yml
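Review bot: `definition: Script block logging must be enabled` contradicts `category: ps_module` two lines above it — the ContextInfo field the selections match comes from module logging, so the line should read `definition: PowerShell Module Logging must be enabled` as in the other ps_module rules of this change. Beyond that, the 32 selections repeat the same pattern under different names (`* -w *` as SELECTION_2/6/13, `*hidden*` as 3/7/14/25, `*-nop*` as 1/9, `*iex*` as 11/29, `*New-Object*` as 12/30, `*bypass*` as 16/22, `* -c *` as 4/10); defining each once and referencing it from the condition would roughly halve the block and make the five OR-branches readable. The same duplication is in the scriptblocktext variant below.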
@@ -0,0 +1,96 @@
+title: Suspicious PowerShell Invocations - Specific
+author: Florian Roth (rule), Jonhnathan Ribeiro
+date: 2017/03/05
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*-nop*'
+ SELECTION_10:
+ ScriptBlockText: '* -c *'
+ SELECTION_11:
+ ScriptBlockText: '*iex*'
+ SELECTION_12:
+ ScriptBlockText: '*New-Object*'
+ SELECTION_13:
+ ScriptBlockText: '* -w *'
+ SELECTION_14:
+ ScriptBlockText: '*hidden*'
+ SELECTION_15:
+ ScriptBlockText: '*-ep*'
+ SELECTION_16:
+ ScriptBlockText: '*bypass*'
+ SELECTION_17:
+ ScriptBlockText: '*-Enc*'
+ SELECTION_18:
+ ScriptBlockText: '*powershell*'
+ SELECTION_19:
+ ScriptBlockText: '*reg*'
+ SELECTION_2:
+ ScriptBlockText: '* -w *'
+ SELECTION_20:
+ ScriptBlockText: '*add*'
+ SELECTION_21:
+ ScriptBlockText: '*HKCU\software\microsoft\windows\currentversion\run*'
+ SELECTION_22:
+ ScriptBlockText: '*bypass*'
+ SELECTION_23:
+ ScriptBlockText: '*-noprofile*'
+ SELECTION_24:
+ ScriptBlockText: '*-windowstyle*'
+ SELECTION_25:
+ ScriptBlockText: '*hidden*'
+ SELECTION_26:
+ ScriptBlockText: '*new-object*'
+ SELECTION_27:
+ ScriptBlockText: '*system.net.webclient*'
+ SELECTION_28:
+ ScriptBlockText: '*.download*'
+ SELECTION_29:
+ ScriptBlockText: '*iex*'
+ SELECTION_3:
+ ScriptBlockText: '*hidden*'
+ SELECTION_30:
+ ScriptBlockText: '*New-Object*'
+ SELECTION_31:
+ ScriptBlockText: '*Net.WebClient*'
+ SELECTION_32:
+ ScriptBlockText: '*.Download*'
+ SELECTION_4:
+ ScriptBlockText: '* -c *'
+ SELECTION_5:
+ ScriptBlockText: '*[Convert]::FromBase64String*'
+ SELECTION_6:
+ ScriptBlockText: '* -w *'
+ SELECTION_7:
+ ScriptBlockText: '*hidden*'
+ SELECTION_8:
+ ScriptBlockText: '*-noni*'
+ SELECTION_9:
+ ScriptBlockText: '*-nop*'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+ or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
+ and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
+ and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
+ and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
+ and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
+ and SELECTION_31 and SELECTION_32))
+falsepositives:
+- Penetration tests
+id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/18
+related:
+- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_specific_in_scripblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_keywords.yml b/rules/Sigma/powershell_suspicious_keywords.yml
new file mode 100644
index 00000000..bf942639
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_keywords.yml
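Review bot: The file name and the `yml_filename` value spell the field as `scripblocktext` (the `t` of `scriptblocktext` is missing), which breaks the `_in_scriptblocktext` naming used by the other rule pair in this commit and makes the rule hard to locate; rename to `powershell_suspicious_invocation_specific_in_scriptblocktext.yml` and update `yml_filename` to match before anything references it. The selections carry the same duplication as the ContextInfo variant above (`SELECTION_2`, `SELECTION_6` and `SELECTION_13` are all `'* -w *'`, four selections are `'*hidden*'`), so the same collapse into one selection per distinct pattern applies here.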
@@ -0,0 +1,50 @@
+title: Suspicious PowerShell Keywords
+author: Florian Roth, Perez Diego (@darkquassar)
+date: 2019/02/11
+description: Detects keywords that could indicate the use of some PowerShell exploitation
+ framework
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*System.Reflection.Assembly.Load($*'
+ SELECTION_10:
+ ScriptBlockText: '*http://127.0.0.1*'
+ SELECTION_2:
+ ScriptBlockText: '*[System.Reflection.Assembly]::Load($*'
+ SELECTION_3:
+ ScriptBlockText: '*[Reflection.Assembly]::Load($*'
+ SELECTION_4:
+ ScriptBlockText: '*System.Reflection.AssemblyName*'
+ SELECTION_5:
+ ScriptBlockText: '*Reflection.Emit.AssemblyBuilderAccess*'
+ SELECTION_6:
+ ScriptBlockText: '*Runtime.InteropServices.DllImportAttribute*'
+ SELECTION_7:
+ ScriptBlockText: '*SuspendThread*'
+ SELECTION_8:
+ ScriptBlockText: '*rundll32*'
+ SELECTION_9:
+ ScriptBlockText: '*Invoke-WMIMethod*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
+falsepositives:
+- Penetration tests
+id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled for 4104
+ product: windows
+modified: 2021/10/16
+references:
+- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
+- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_keywords.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
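Review bot: `SELECTION_8: '*rundll32*'` and `SELECTION_10: '*http://127.0.0.1*'` are ORed in on equal footing with the reflective-assembly-load keywords, yet either string alone occurs in ordinary administrative script blocks, so at `level: high` this rule will fire on far more than the exploitation frameworks the description names. Either pair those two selections with one of the reflection keywords in the condition, or move them to a lower-severity sibling rule. `falsepositives` lists only penetration tests, which does not reflect that exposure.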
diff --git a/rules/Sigma/powershell_suspicious_mail_acces.yml b/rules/Sigma/powershell_suspicious_mail_acces.yml
new file mode 100644
index 00000000..34ffd7e7
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_mail_acces.yml
@@ -0,0 +1,34 @@
+title: Powershell Local Email Collection
+author: frack113
+date: 2021/07/21
+description: "Adversaries may target user email on local systems to collect sensitive\
+ \ information. Files containing email data can be acquired from a user\u2019s\
+ \ local system, such as Outlook storage or cache files."
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Get-Inbox.ps1*'
+ SELECTION_2:
+ ScriptBlockText: '*Microsoft.Office.Interop.Outlook*'
+ SELECTION_3:
+ ScriptBlockText: '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
+ SELECTION_4:
+ ScriptBlockText: '*-comobject outlook.application*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Unknown
+id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1114.001
+yml_filename: powershell_suspicious_mail_acces.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_mounted_share_deletion.yml b/rules/Sigma/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 00000000..fe895397
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_mounted_share_deletion.yml
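Review bot: `SELECTION_3` (`'*Microsoft.Office.Interop.Outlook.olDefaultFolders*'`) can only match when `SELECTION_2` (`'*Microsoft.Office.Interop.Outlook*'`) already matches, and the two are ORed, so `SELECTION_3` is dead and can be removed from the condition without changing results. The file name `powershell_suspicious_mail_acces.yml` (and `yml_filename`) drops the second `s` of "access"; worth fixing while the file is new.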
@@ -0,0 +1,30 @@
+title: PowerShell Deleted Mounted Share
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/08
+description: Detects when when a mounted share is removed. Adversaries may remove
+ share connections that are no longer useful in order to clean up traces of their
+ operation
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Remove-SmbShare*'
+ SELECTION_2:
+ ScriptBlockText: '*Remove-FileShare*'
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- Administrators or Power users may remove their shares via cmd line
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.005
+yml_filename: powershell_suspicious_mounted_share_deletion.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_recon.yml b/rules/Sigma/powershell_suspicious_recon.yml
new file mode 100644
index 00000000..f8660dc3
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_recon.yml
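Review bot: The description reads `Detects when when a mounted share is removed` — the doubled "when" should be fixed while the file is new, since this text is what analysts see on the alert. The `falsepositives` entry already anticipates administrators removing shares, which is consistent with `level: medium`.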
@@ -0,0 +1,33 @@
+title: Recon Information for Export with PowerShell
+author: frack113
+date: 2021/07/30
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Get-Service *'
+ SELECTION_2:
+ ScriptBlockText: '*Get-ChildItem *'
+ SELECTION_3:
+ ScriptBlockText: '*Get-Process *'
+ SELECTION_4:
+ ScriptBlockText: '*> $env:TEMP\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: a9723fcc-881c-424c-8709-fd61442ab3c3
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
+yml_filename: powershell_suspicious_recon.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_win32_pnpentity.yml b/rules/Sigma/powershell_suspicious_win32_pnpentity.yml
new file mode 100644
index 00000000..794f2380
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_win32_pnpentity.yml
@@ -0,0 +1,27 @@
+title: Powershell Suspicious Win32_PnPEntity
+author: frack113
+date: 2021/08/23
+description: Adversaries may attempt to gather information about attached peripheral
+ devices and components connected to a computer system.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Win32_PnPEntity*'
+ condition: SELECTION_1
+falsepositives:
+- admin script
+id: b26647de-4feb-4283-af6b-6117661283c5
+level: low
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
+status: experimental
+tags:
+- attack.discovery
+- attack.t1120
+yml_filename: powershell_suspicious_win32_pnpentity.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_suspicious_windowstyle.yml b/rules/Sigma/powershell_suspicious_windowstyle.yml
new file mode 100644
index 00000000..f1aadd3c
--- /dev/null
+++ b/rules/Sigma/powershell_suspicious_windowstyle.yml
@@ -0,0 +1,30 @@
+title: Suspicious PowerShell WindowStyle Option
+author: frack113
+date: 2021/10/20
+description: Adversaries may use hidden windows to conceal malicious activity from
+ the plain sight of users. In some cases, windows that would typically be displayed
+ when an application carries out an operation can be hidden
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*powershell*'
+ SELECTION_2:
+ ScriptBlockText: '*WindowStyle*'
+ SELECTION_3:
+ ScriptBlockText: '*Hidden*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
+level: medium
+logsource:
+ category: ps_script
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.003
+yml_filename: powershell_suspicious_windowstyle.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe.yml b/rules/Sigma/powershell_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..1cc66e82
--- /dev/null
+++ b/rules/Sigma/powershell_syncappvpublishingserver_exe.yml
@@ -0,0 +1,27 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ condition: SyncAppvPublishingServer.exe
+falsepositives:
+- App-V clients
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+level: medium
+logsource:
+ product: windows
+ service: powershell
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: derived
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: powershell_syncappvpublishingserver_exe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/Sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
new file mode 100644
index 00000000..36c7e913
--- /dev/null
+++ b/rules/Sigma/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
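Review bot: `condition: SyncAppvPublishingServer.exe` references no selection — the `detection` block contains no `SELECTION_*` entry at all — so this rule cannot be compiled by a Sigma backend, and a loader that walks the directory will either error out or silently skip it. The file is `status: deprecated` and the two derived rules that follow (`..._in_contextinfo.yml` and `..._in_scriptblocktext.yml`) carry the same check as a proper selection, so the cleanest fix is to leave this file out of the commit; if it must stay to preserve the `related` chain, give it a real selection and a `condition: SELECTION_1` like its siblings.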
@@ -0,0 +1,30 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ SELECTION_1:
+ ContextInfo: '*SyncAppvPublishingServer.exe*'
+ condition: SELECTION_1
+falsepositives:
+- App-V clients
+id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
+level: medium
+logsource:
+ category: ps_module
+ product: windows
+modified: 2021/10/18
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: derived
+- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+ type: derived
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: powershell_syncappvpublishingserver_exe_in_contextinfo.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+
diff --git a/rules/Sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/Sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
new file mode 100644
index 00000000..3d9f4198
--- /dev/null
+++ b/rules/Sigma/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
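Review bot: This rule and the `_in_scriptblocktext` variant in the next hunk both omit the `status:` key that every other rule in this commit carries (`experimental` or `deprecated`), so consumers that filter or report by status will treat these two differently from their siblings. Add `status: experimental` to both, placed with the other top-level keys as in the neighbouring files, or record why the key was dropped. The `related` list points at both the original rule and the deprecated conversion in the previous hunk, which only stays valid if that deprecated file is kept.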
@@ -0,0 +1,30 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*SyncAppvPublishingServer.exe*'
+ condition: SELECTION_1
+falsepositives:
+- App-V clients
+id: dddfebae-c46f-439c-af7a-fdb6bde90218
+level: medium
+logsource:
+ category: ps_script
+ product: windows
+modified: 2021/10/18
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: derived
+- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+ type: derived
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_tamper_with_windows_defender.yml b/rules/Sigma/powershell_tamper_with_windows_defender.yml
new file mode 100644
index 00000000..1ad63744
--- /dev/null
+++ b/rules/Sigma/powershell_tamper_with_windows_defender.yml
@@ -0,0 +1,35 @@
+title: Tamper Windows Defender
+author: frack113
+date: 2021/06/07
+description: Attempting to disable scheduled scanning and other parts of windows defender
+ atp.
+detection:
+ SELECTION_1:
+ HostApplication: '*Set-MpPreference*'
+ SELECTION_2:
+ HostApplication: '*-DisableRealtimeMonitoring 1*'
+ SELECTION_3:
+ HostApplication: '*-DisableBehaviorMonitoring 1*'
+ SELECTION_4:
+ HostApplication: '*-DisableScriptScanning 1*'
+ SELECTION_5:
+ HostApplication: '*-DisableBlockAtFirstSeen 1*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+level: high
+logsource:
+ category: ps_classic_provider_start
+ definition: fields have to be extract from event
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: powershell_tamper_with_windows_defender.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/powershell_timestomp.yml b/rules/Sigma/powershell_timestomp.yml
new file mode 100644
index 00000000..9904748e
--- /dev/null
+++ b/rules/Sigma/powershell_timestomp.yml
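Review bot: `SELECTION_2` through `SELECTION_5` match only the numeric argument form (`-DisableRealtimeMonitoring 1` and so on), while `Set-MpPreference` also accepts the boolean spelling, so a call written as `-DisableRealtimeMonitoring $true` passes the rule unmatched; add a second pattern per switch (e.g. `'*-DisableRealtimeMonitoring $true*'`) so both spellings are covered. The description says the rule catches disabling of scheduled scanning, but none of the four switches concerns scheduled scans — align the text with what the selections actually cover. `level: high` with `falsepositives: Unknown` is appropriate for a defence-tampering rule.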
@@ -0,0 +1,41 @@
+title: Powershell Timestomp
+author: frack113
+date: 2021/08/03
+description: Adversaries may modify file time attributes to hide new or changes to
+ existing files. Timestomping is a technique that modifies the timestamps of a
+ file (the modify, access, create, and change times), often to mimic files that
+ are in the same folder.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*.CreationTime =*'
+ SELECTION_2:
+ ScriptBlockText: '*.LastWriteTime =*'
+ SELECTION_3:
+ ScriptBlockText: '*.LastAccessTime =*'
+ SELECTION_4:
+ ScriptBlockText: '*[IO.File]::SetCreationTime*'
+ SELECTION_5:
+ ScriptBlockText: '*[IO.File]::SetLastAccessTime*'
+ SELECTION_6:
+ ScriptBlockText: '*[IO.File]::SetLastWriteTime*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6)
+falsepositives:
+- legitime admin script
+id: c6438007-e081-42ce-9483-b067fbef33c3
+level: medium
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+- https://www.offensive-security.com/metasploit-unleashed/timestomp/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.006
+yml_filename: powershell_timestomp.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_trigger_profiles.yml b/rules/Sigma/powershell_trigger_profiles.yml
new file mode 100644
index 00000000..65698263
--- /dev/null
+++ b/rules/Sigma/powershell_trigger_profiles.yml
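Review bot: `falsepositives` reads `legitime admin script`; the word is "legitimate", and since this text surfaces in alert tooling it is worth correcting now. The three property-assignment patterns (`'*.CreationTime =*'` and the two like it) are whitespace-sensitive — they require exactly one space before the `=` — which makes them stricter than the `[IO.File]::Set*` selections alongside them; either document that the rule targets that one spelling or broaden the pattern so the two halves of the rule cover equivalent ground.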
@@ -0,0 +1,35 @@
+title: Powershell Trigger Profiles by Add_Content
+author: frack113
+date: 2021/08/18
+description: Adversaries may gain persistence and elevate privileges by executing
+ malicious content triggered by PowerShell profiles.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Add-Content*'
+ SELECTION_2:
+ ScriptBlockText: '*$profile*'
+ SELECTION_3:
+ ScriptBlockText: '*-Value*'
+ SELECTION_4:
+ ScriptBlockText: '*Start-Process*'
+ SELECTION_5:
+ ScriptBlockText: '*""*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+level: medium
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1546.013
+yml_filename: powershell_trigger_profiles.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_web_request.yml b/rules/Sigma/powershell_web_request.yml
new file mode 100644
index 00000000..06eedc0a
--- /dev/null
+++ b/rules/Sigma/powershell_web_request.yml
@@ -0,0 +1,43 @@
+title: Windows PowerShell Web Request
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request methods (including aliases) via
+ Windows PowerShell command
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Invoke-WebRequest*'
+ SELECTION_2:
+ ScriptBlockText: '*iwr *'
+ SELECTION_3:
+ ScriptBlockText: '*wget *'
+ SELECTION_4:
+ ScriptBlockText: '*curl *'
+ SELECTION_5:
+ ScriptBlockText: '*Net.WebClient*'
+ SELECTION_6:
+ ScriptBlockText: '*Start-BitsTransfer*'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6)
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 1139d2e2-84b1-4226-b445-354492eba8ba
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+related:
+- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_web_request.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_windows_firewall_profile_disabled.yml b/rules/Sigma/powershell_windows_firewall_profile_disabled.yml
new file mode 100644
index 00000000..6232d97f
--- /dev/null
+++ b/rules/Sigma/powershell_windows_firewall_profile_disabled.yml
@@ -0,0 +1,34 @@
+title: Windows Firewall Profile Disabled
+author: Austin Songer @austinsonger
+date: 2021/10/12
+description: Detects when a user disables the Windows Firewall via a Profile to help
+ evade defense.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*Set-NetFirewallProfile*'
+ SELECTION_2:
+ ScriptBlockText: '*-Profile*'
+ SELECTION_3:
+ ScriptBlockText: '*-Enabled*'
+ SELECTION_4:
+ ScriptBlockText: '*False*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 488b44e7-3781-4a71-888d-c95abfacf44d
+level: high
+logsource:
+ category: ps_script
+ product: windows
+modified: 2021/10/16
+references:
+- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
+- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
+- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+- http://woshub.com/manage-windows-firewall-powershell/
+status: experimental
+tags:
+- attack.defense_evasion
+yml_filename: powershell_windows_firewall_profile_disabled.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_winlogon_helper_dll.yml b/rules/Sigma/powershell_winlogon_helper_dll.yml
new file mode 100644
index 00000000..83af6cdb
--- /dev/null
+++ b/rules/Sigma/powershell_winlogon_helper_dll.yml
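Review bot: `tags` carries only the tactic `attack.defense_evasion` with no technique id, unlike every other rule in this commit, which pairs the tactic with an `attack.tNNNN` entry; disabling the host firewall maps to the ATT&CK sub-technique Disable or Modify System Firewall, `attack.t1562.004` — confirm against the rule's upstream source and add it. `SELECTION_4: '*False*'` is matched anywhere in the script block rather than next to `-Enabled`, so the four-way AND also fires on any `Set-NetFirewallProfile` call whose text merely contains the word False elsewhere; a single pattern such as `'*-Enabled False*'` binds the two and would let `SELECTION_3` and `SELECTION_4` collapse into one.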
@@ -0,0 +1,37 @@
+title: Winlogon Helper DLL
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
+ as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
+ entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
+ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
+ additional helper programs and functionalities that support Winlogon. Malicious
+ modifications to these Registry keys may cause Winlogon to load and execute malicious
+ DLLs and/or executables.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*CurrentVersion\Winlogon*'
+ SELECTION_2:
+ ScriptBlockText: '*Set-ItemProperty*'
+ SELECTION_3:
+ ScriptBlockText: '*New-Item*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 851c506b-6b7c-4ce2-8802-c703009d03c0
+level: medium
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+status: experimental
+tags:
+- attack.persistence
+- attack.t1547.004
+- attack.t1004
+yml_filename: powershell_winlogon_helper_dll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_wmi_persistence.yml b/rules/Sigma/powershell_wmi_persistence.yml
new file mode 100644
index 00000000..92091a2d
--- /dev/null
+++ b/rules/Sigma/powershell_wmi_persistence.yml
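Review bot: The description's first registry path, `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, has lost the backslashes around the optional `[Wow6432Node]` segment — compare the HKCU path on the following line, which is intact — so the committed text names a key that does not exist; restore the separators so an analyst can copy the path as written. `attack.t1004` in `tags` is the retired technique id that `attack.t1547.004` superseded; keeping both is tolerated by tooling that knows the mapping, but the old id should go once nothing downstream filters on it.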
@@ -0,0 +1,37 @@
+title: Powershell WMI Persistence
+author: frack113
+date: 2021/08/19
+description: Adversaries may establish persistence and elevate privileges by executing
+ malicious content triggered by a Windows Management Instrumentation (WMI) event
+ subscription.
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*New-CimInstance *'
+ SELECTION_2:
+ ScriptBlockText: '*-Namespace root/subscription *'
+ SELECTION_3:
+ ScriptBlockText: '*-Property *'
+ SELECTION_4:
+ ScriptBlockText: '*-ClassName __EventFilter *'
+ SELECTION_5:
+ ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
+level: medium
+logsource:
+ category: ps_script
+ definition: EnableScriptBlockLogging must be set to enable
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
+- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1546.003
+yml_filename: powershell_wmi_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_wmimplant.yml b/rules/Sigma/powershell_wmimplant.yml
new file mode 100644
index 00000000..8810c9f5
--- /dev/null
+++ b/rules/Sigma/powershell_wmimplant.yml
@@ -0,0 +1,65 @@
+title: WMImplant Hack Tool
+author: NVISO
+date: 2020/03/26
+description: Detects parameters used by WMImplant
+detection:
+ SELECTION_1:
+ ScriptBlockText: '*WMImplant*'
+ SELECTION_10:
+ ScriptBlockText: '* remote_posh *'
+ SELECTION_11:
+ ScriptBlockText: '* sched_job *'
+ SELECTION_12:
+ ScriptBlockText: '* service_mod *'
+ SELECTION_13:
+ ScriptBlockText: '* process_kill *'
+ SELECTION_14:
+ ScriptBlockText: '* active_users *'
+ SELECTION_15:
+ ScriptBlockText: '* basic_info *'
+ SELECTION_16:
+ ScriptBlockText: '* power_off *'
+ SELECTION_17:
+ ScriptBlockText: '* vacant_system *'
+ SELECTION_18:
+ ScriptBlockText: '* logon_events *'
+ SELECTION_2:
+ ScriptBlockText: '* change_user *'
+ SELECTION_3:
+ ScriptBlockText: '* gen_cli *'
+ SELECTION_4:
+ ScriptBlockText: '* command_exec *'
+ SELECTION_5:
+ ScriptBlockText: '* disable_wdigest *'
+ SELECTION_6:
+ ScriptBlockText: '* disable_winrm *'
+ SELECTION_7:
+ ScriptBlockText: '* enable_wdigest *'
+ SELECTION_8:
+ ScriptBlockText: '* enable_winrm *'
+ SELECTION_9:
+ ScriptBlockText: '* registry_mod *'
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18)
+falsepositives:
+- Administrative scripts that use the same keywords.
+id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
+level: high
+logsource:
+ category: ps_script
+ definition: Script block logging must be enabled
+ product: windows
+modified: 2021/10/16
+references:
+- https://github.com/FortyNorthSecurity/WMImplant
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_wmimplant.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+
diff --git a/rules/Sigma/powershell_wsman_com_provider_no_powershell.yml b/rules/Sigma/powershell_wsman_com_provider_no_powershell.yml
new file mode 100644
index 00000000..1730e3c9
--- /dev/null
+++ b/rules/Sigma/powershell_wsman_com_provider_no_powershell.yml
@@ -0,0 +1,33 @@
+title: Suspicious Non PowerShell WSMAN COM Provider
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
+ the host application.
+detection:
+ SELECTION_1:
+ ProviderName: WSMan
+ SELECTION_2:
+ HostApplication: '*powershell*'
+ condition: (SELECTION_1 and not (SELECTION_2))
+falsepositives:
+- Unknown
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+level: medium
+logsource:
+ definition: fields have to be extract from event
+ product: windows
+ service: powershell-classic
+modified: 2021/08/30
+references:
+- https://twitter.com/chadtilbury/status/1275851297770610688
+- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+- https://github.com/bohops/WSMan-WinRM
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.lateral_movement
+- attack.t1021.003
+yml_filename: powershell_wsman_com_provider_no_powershell.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/powershell_xor_commandline.yml b/rules/Sigma/powershell_xor_commandline.yml
new file mode 100644
index 00000000..18a2a222
--- /dev/null
+++ b/rules/Sigma/powershell_xor_commandline.yml
@@ -0,0 +1,32 @@
+title: Suspicious XOR Encoded PowerShell Command Line
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/06/29
+description: Detects suspicious powershell process which includes bxor command, alternative
+ obfuscation method to b64 encoded commands.
+detection:
+ SELECTION_1:
+ HostName: ConsoleHost
+ SELECTION_2:
+ HostApplication: '*bxor*'
+ SELECTION_3:
+ HostApplication: '*join*'
+ SELECTION_4:
+ HostApplication: '*char*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+level: medium
+logsource:
+ category: ps_classic_start
+ definition: fields have to be extract from event
+ product: windows
+modified: 2021/10/16
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_xor_commandline.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+
diff --git a/rules/Sigma/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/Sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
new file mode 100644
index 00000000..770b6e54
--- /dev/null
+++ b/rules/Sigma/process_creation_abusing_windows_telemetry_for_persistence.yml
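Review bot: The condition fires on `ConsoleHost` plus any one of `*bxor*`, `*join*` or `*char*`, while the title and description describe a command line that includes `bxor`; `join` and `char` on their own are routine in benign scripts, so as written `SELECTION_3` or `SELECTION_4` alone will match far beyond the XOR-obfuscation case. If `bxor` is the intended anchor, `condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))` expresses the description and makes `level: medium` defensible. Unlike the neighbouring rules this one has no `references` entry; a pointer to the source of the pattern would help whoever tunes it.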
@@ -0,0 +1,39 @@
+title: Abusing Windows Telemetry For Persistence
+author: Sreeman
+date: 2020/09/29
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
+ a variety of commands and perform the actual telemetry collections. This binary
+ was created to be easily extensible, and to that end, it relies on the registry
+ to instruct on which commands to run. The problem is, it will run any arbitrary
+ command without restriction of location or type.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine|re: (?i).*schtasks.*(-|\/)r.*\\\\Application Experience\\\\Microsoft
+ Compatibility Appraiser.*
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- none
+fields:
+- EventID
+- CommandLine
+- TargetObject
+- Details
+id: f548a603-c9f2-4c89-b511-b089f7e94549
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.persistence
+- attack.t1112
+- attack.t1053
+yml_filename: process_creation_abusing_windows_telemetry_for_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_advanced_ip_scanner.yml b/rules/Sigma/process_creation_advanced_ip_scanner.yml
new file mode 100644
index 00000000..9f510cc5
--- /dev/null
+++ b/rules/Sigma/process_creation_advanced_ip_scanner.yml
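Review bot: `SELECTION_1: EventID: 1` pins the rule to Sysmon's process-creation event even though the logsource is the generic `category: process_creation`, so the rule can never match on deployments that feed that category from Security 4688 or an EDR; the category already abstracts the event, and `SELECTION_1` can be dropped with the condition reduced to `SELECTION_2`. The same hard-coded `EventID: 1` appears in the two following hunks, `process_creation_advanced_ip_scanner.yml` and `process_creation_alternate_data_streams.yml`. `falsepositives: none` also departs from the `Unknown` used elsewhere in this commit and overstates certainty for a command-line regex.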
@@ -0,0 +1,32 @@
+title: Advanced IP Scanner
+author: '@ROxPinTeddy'
+date: 2020/05/12
+description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for
+ ransomware groups.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\advanced_ip_scanner*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative use
+id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
+- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
+- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
+status: experimental
+tags:
+- attack.discovery
+- attack.t1046
+yml_filename: process_creation_advanced_ip_scanner.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_alternate_data_streams.yml b/rules/Sigma/process_creation_alternate_data_streams.yml
new file mode 100644
index 00000000..cbb345ea
--- /dev/null
+++ b/rules/Sigma/process_creation_alternate_data_streams.yml
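Review bot: SELECTION_2 keys only on the path, `Image: '*\advanced_ip_scanner*'`, so a renamed copy of the binary is invisible to the rule. Other rules in this commit already match on PE metadata via `OriginalFileName` (the clip and automated-collection rules); adding a second selection on that field, OR-ed with the path match, would keep the rule effective after a rename without raising the false-positive rate the `falsepositives` entry already acknowledges.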
@@ -0,0 +1,53 @@
+title: Execute From Alternate Data Streams
+author: frack113
+date: 2021/09/01
+description: Adversaries may use NTFS file attributes to hide their malicious data
+ in order to evade detection
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '* /E *'
+ SELECTION_11:
+ CommandLine: '*esentutl *'
+ SELECTION_12:
+ CommandLine: '* /y *'
+ SELECTION_13:
+ CommandLine: '* /d *'
+ SELECTION_14:
+ CommandLine: '* /o *'
+ SELECTION_2:
+ CommandLine: '*txt:*'
+ SELECTION_3:
+ CommandLine: '*type *'
+ SELECTION_4:
+ CommandLine: '* > *'
+ SELECTION_5:
+ CommandLine: '*makecab *'
+ SELECTION_6:
+ CommandLine: '*.cab*'
+ SELECTION_7:
+ CommandLine: '*reg *'
+ SELECTION_8:
+ CommandLine: '* export *'
+ SELECTION_9:
+ CommandLine: '*regedit *'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or
+ (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
+ and SELECTION_10) or (SELECTION_11 and SELECTION_12 and SELECTION_13 and SELECTION_14)))
+falsepositives:
+- Unknown
+id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004
+yml_filename: process_creation_alternate_data_streams.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_gallium.yml b/rules/Sigma/process_creation_apt_gallium.yml
new file mode 100644
index 00000000..a95be10b
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_gallium.yml
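Review bot: SELECTION_14 `CommandLine: '* /o *'` demands a character after `/o`, so an `esentutl` command line that ends with `/o` never satisfies the esentutl branch of the condition; the same trailing-space requirement applies to `'* /E *'`, `'* /y *'` and `'* /d *'` whenever one of them closes the line. Adding an unspaced variant such as `'* /o'` as an alternative (or dropping the trailing space where the backend tokenises on whitespace) closes the gap. The `'* > *'` pattern likewise misses a redirect written without surrounding spaces, and SELECTION_2 `'*txt:*'` restricts the whole rule to `.txt` host files, which the description does not mention.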
@@ -0,0 +1,36 @@
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ sha1: e570585edc69f9074cb5e8a790708336bd45ca0f
+ SELECTION_3:
+ Image: '*:\Program Files(x86)\\*'
+ SELECTION_4:
+ Image: '*:\Program Files\\*'
+ condition: (SELECTION_1 and (SELECTION_2) and not ((SELECTION_3 or SELECTION_4)))
+falsepositives:
+- unknown
+id: 18739897-21b1-41da-8ee4-5b786915a676
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+related:
+- id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
+yml_filename: process_creation_apt_gallium.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_gallium_sha1.yml b/rules/Sigma/process_creation_apt_gallium_sha1.yml
new file mode 100644
index 00000000..10b599bf
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_gallium_sha1.yml
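Review bot: The exclusion `Image: '*:\Program Files(x86)\\*'` omits the space in the real directory name `Program Files (x86)`, so SELECTION_3 can never match and the `not (...)` filter only suppresses `Program Files\`; it should read `Image: '*:\Program Files (x86)\\*'`. It is also worth a comment why a hash indicator is suppressed by install location at all: a process whose SHA1 matches is the same binary wherever it sits, so the filter lowers recall without removing an obvious false-positive class — if it is deliberate, say so in the description. The title is identical to the sibling `process_creation_apt_gallium_sha1.yml`; a distinguishing title (for example naming the single-hash-plus-filter variant) helps triage.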
@@ -0,0 +1,68 @@
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ sha1: 2e94b305d6812a9f96e6781c888e48c7fb157b6b
+ SELECTION_11:
+ sha1: dd44133716b8a241957b912fa6a02efde3ce3025
+ SELECTION_12:
+ sha1: 8793bf166cb89eb55f0593404e4e933ab605e803
+ SELECTION_13:
+ sha1: a39b57032dbb2335499a51e13470a7cd5d86b138
+ SELECTION_14:
+ sha1: 41cc2b15c662bc001c0eb92f6cc222934f0beeea
+ SELECTION_15:
+ sha1: d209430d6af54792371174e70e27dd11d3def7a7
+ SELECTION_16:
+ sha1: 1c6452026c56efd2c94cea7e0f671eb55515edb0
+ SELECTION_17:
+ sha1: c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
+ SELECTION_18:
+ sha1: 4923d460e22fbbf165bbbaba168e5a46b8157d9f
+ SELECTION_19:
+ sha1: f201504bd96e81d0d350c3a8332593ee1c9e09de
+ SELECTION_2:
+ sha1: 53a44c2396d15c3a03723fa5e5db54cafd527635
+ SELECTION_20:
+ sha1: ddd2db1127632a2a52943a2fe516a2e7d05d70d2
+ SELECTION_3:
+ sha1: 9c5e496921e3bc882dc40694f1dcc3746a75db19
+ SELECTION_4:
+ sha1: aeb573accfd95758550cf30bf04f389a92922844
+ SELECTION_5:
+ sha1: 79ef78a797403a4ed1a616c68e07fff868a8650a
+ SELECTION_6:
+ sha1: 4f6f38b4cec35e895d91c052b1f5a83d665c2196
+ SELECTION_7:
+ sha1: 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
+ SELECTION_8:
+ sha1: e841a63e47361a572db9a7334af459ddca11347a
+ SELECTION_9:
+ sha1: c28f606df28a9bc8df75a4d5e5837fc5522dd34d
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20))
+falsepositives:
+- unknown
+id: 440a56bf-7873-4439-940a-1c8a671073c2
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
+yml_filename: process_creation_apt_gallium_sha1.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_pandemic.yml b/rules/Sigma/process_creation_apt_pandemic.yml
new file mode 100644
index 00000000..0c1c0681
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_pandemic.yml
@@ -0,0 +1,38 @@
+title: Pandemic Registry Key
+author: Florian Roth
+date: 2017/06/01
+description: Detects Pandemic Windows Implant
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*loaddll -a *'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: 9fefd33c-339d-4495-9cba-b96ca006f512
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://wikileaks.org/vault7/#Pandemic
+- https://twitter.com/MalwareJake/status/870349480356454401
+related:
+- id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
+ type: derived
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+yml_filename: process_creation_apt_pandemic.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_slingshot.yml b/rules/Sigma/process_creation_apt_slingshot.yml
new file mode 100644
index 00000000..b30d5ae9
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_slingshot.yml
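Review bot: All twenty `sha1:` values are unquoted plain scalars; they happen to contain letters and so load as strings, but a hash that is all digits, or one shaped like `1e5…` followed only by digits, would be retyped as a number by a YAML loader, so hash indicators should be quoted (`sha1: '2e94b305d6812a9f96e6781c888e48c7fb157b6b'`); the `Imphash:` value in the Dumpert rule later in this commit has the same exposure. Whether `sha1` exists as a standalone field on the backend's process-creation events is not visible here (Sysmon carries hashes inside a single `Hashes` string), so the field mapping deserves a comment next to the first selection. The title is identical to `process_creation_apt_gallium.yml`; naming the indicator set in the title lets analysts tell the two rules apart in alerts.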
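Review bot: The title `Pandemic Registry Key` and the `fields` entry `TargetObject` do not describe this detection, which is a process-creation match on `CommandLine: '*loaddll -a *'`; the registry wording appears carried over from the related rule `47e0852a-cf81-4494-a8e6-31864f8c86ed` and a title such as `Pandemic Implant Loader Command Line` with `TargetObject` removed from `fields` would match what the rule does. `'*loaddll -a *'` also requires a trailing space, so if `-a` can be the final token the command line is missed; an additional `'*loaddll -a'` selection (or dropping the trailing space) covers that case.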
@@ -0,0 +1,36 @@
+title: Defrag Deactivation
+author: Florian Roth, Bartlomiej Czyz (@bczyz1)
+date: 2019/03/04
+description: Detects the deactivation and disabling of the Scheduled defragmentation
+ task as seen by Slingshot APT group
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\schtasks.exe'
+ SELECTION_3:
+ CommandLine: '*/delete*'
+ SELECTION_4:
+ CommandLine: '*/change*'
+ SELECTION_5:
+ CommandLine: '*/TN*'
+ SELECTION_6:
+ CommandLine: '*\Microsoft\Windows\Defrag\ScheduledDefrag*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://securelist.com/apt-slingshot/84312/
+tags:
+- attack.persistence
+- attack.s0111
+yml_filename: process_creation_apt_slingshot.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_turla_commands_critical.yml b/rules/Sigma/process_creation_apt_turla_commands_critical.yml
new file mode 100644
index 00000000..82b68834
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_turla_commands_critical.yml
@@ -0,0 +1,38 @@
+title: Turla Group Lateral Movement
+author: Markus Neis
+date: 2017/11/07
+description: Detects automated lateral movement by Turla group
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: net use \\%DomainController%\C$ "P@ssw0rd" *
+ SELECTION_3:
+ CommandLine: dir c:\\*.doc* /s
+ SELECTION_4:
+ CommandLine: dir %TEMP%\\*.exe
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- Unknown
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://securelist.com/the-epic-turla-operation/65545/
+status: experimental
+tags:
+- attack.g0010
+- attack.execution
+- attack.t1059
+- attack.lateral_movement
+- attack.t1077
+- attack.t1021.002
+- attack.discovery
+- attack.t1083
+- attack.t1135
+yml_filename: process_creation_apt_turla_commands_critical.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_apt_wocao.yml b/rules/Sigma/process_creation_apt_wocao.yml
new file mode 100644
index 00000000..2f3b0213
--- /dev/null
+++ b/rules/Sigma/process_creation_apt_wocao.yml
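Review bot: SELECTION_2 `CommandLine: net use \\%DomainController%\C$ "P@ssw0rd" *` embeds what look like placeholders from the referenced report (`%DomainController%`, `P@ssw0rd`); a logged process command line normally carries the expanded host name and whatever credential was actually used, so this selection only fires when those literal tokens appear — confirm that is intended, otherwise the critical-level rule rests on SELECTION_3 and SELECTION_4 alone. Those two (`dir c:\\*.doc* /s`, `dir %TEMP%\\*.exe`) carry no leading wildcard, so if the backend treats unwildcarded values as exact matches, as Sigma does, the command line must begin with `dir` and a `cmd /c dir ...` wrapper would not match. The values are unquoted plain scalars containing `\\` and `"`; YAML keeps them literal here, but quoting them as the other rules in this commit do would make that explicit.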
@@ -0,0 +1,60 @@
+title: Operation Wocao Activity
+author: Florian Roth, frack113
+date: 2019/12/20
+description: Detects activity mentioned in Operation Wocao report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*iie.exe iie.txt*'
+ SELECTION_11:
+ CommandLine: '*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*'
+ SELECTION_2:
+ CommandLine: '*checkadmin.exe 127.0.0.1 -all*'
+ SELECTION_3:
+ CommandLine: '*netsh advfirewall firewall add rule name=powershell dir=in*'
+ SELECTION_4:
+ CommandLine: '*cmd /c powershell.exe -ep bypass -file c:\s.ps1*'
+ SELECTION_5:
+ CommandLine: '*/tn win32times /f*'
+ SELECTION_6:
+ CommandLine: '*create win32times binPath=*'
+ SELECTION_7:
+ CommandLine: '*\c$\windows\system32\devmgr.dll*'
+ SELECTION_8:
+ CommandLine: '* -exec bypass -enc JgAg*'
+ SELECTION_9:
+ CommandLine: '*type *keepass\KeePass.config.xml*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11))
+falsepositives:
+- Administrators that use checkadmin.exe tool to enumerate local administrators
+id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+- https://twitter.com/SBousseaden/status/1207671369963646976
+related:
+- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1036.004
+- attack.t1036
+- attack.t1027
+- attack.execution
+- attack.t1053.005
+- attack.t1053
+- attack.t1059.001
+- attack.t1086
+yml_filename: process_creation_apt_wocao.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_automated_collection.yml b/rules/Sigma/process_creation_automated_collection.yml
new file mode 100644
index 00000000..6639a0a8
--- /dev/null
+++ b/rules/Sigma/process_creation_automated_collection.yml
@@ -0,0 +1,56 @@
+title: Automated Collection Command Prompt
+author: frack113
+date: 2021/07/28
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*.txt*'
+ SELECTION_11:
+ CommandLine: '*dir *'
+ SELECTION_12:
+ CommandLine: '* /b *'
+ SELECTION_13:
+ CommandLine: '* /s *'
+ SELECTION_14:
+ OriginalFileName: FINDSTR.EXE
+ SELECTION_15:
+ CommandLine: '* /e *'
+ SELECTION_2:
+ CommandLine: '*.doc*'
+ SELECTION_3:
+ CommandLine: '*.docx*'
+ SELECTION_4:
+ CommandLine: '*.xls*'
+ SELECTION_5:
+ CommandLine: '*.xlsx*'
+ SELECTION_6:
+ CommandLine: '*.ppt*'
+ SELECTION_7:
+ CommandLine: '*.pptx*'
+ SELECTION_8:
+ CommandLine: '*.rtf*'
+ SELECTION_9:
+ CommandLine: '*.pdf*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
+ and ((SELECTION_11 and SELECTION_12 and SELECTION_13) or (SELECTION_14 and
+ SELECTION_15)))
+falsepositives:
+- Unknown
+id: f576a613-2392-4067-9d1a-9345fb58d8d1
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
+yml_filename: process_creation_automated_collection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_c3_load_by_rundll32.yml b/rules/Sigma/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 00000000..e19aef1c
--- /dev/null
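Review bot: The extension selections are substring matches, so `'*.docx*'`, `'*.xlsx*'` and `'*.pptx*'` (SELECTION_3, SELECTION_5, SELECTION_7) are fully covered by `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` and can be removed to shorten the condition without changing what matches. The switch patterns `'* /b *'`, `'* /s *'` and `'* /e *'` each require a trailing space, so a command line that ends with `/s` or `/b` fails the `dir` branch even though it is the behaviour the rule is after; an unspaced alternative for each (`'* /s'`) closes that gap. The `OriginalFileName: FINDSTR.EXE` branch is unaffected by this.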
+++ b/rules/Sigma/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,30 @@
+title: F-Secure C3 Load by Rundll32
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ CommandLine: '*StartNodeRelay*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+yml_filename: process_creation_c3_load_by_rundll32.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_certoc_execution.yml b/rules/Sigma/process_creation_certoc_execution.yml
new file mode 100644
index 00000000..6e4faa02
--- /dev/null
+++ b/rules/Sigma/process_creation_certoc_execution.yml
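Review bot: SELECTION_2 `CommandLine: '*rundll32.exe*'` and SELECTION_3 `'*.dll*'` both depend on how the command line was typed rather than on what ran: `rundll32` is accepted without the `.exe` suffix, and a library does not need a `.dll` extension to be loaded, so only the export name in SELECTION_4 is a robust token. Matching the process on `Image: '*\rundll32.exe'`, the form the other rules in this commit use, keeps the rule effective when the extension is omitted, and the `.dll` requirement can then be dropped or kept as an optional strengthening. The CobaltStrike `StartW` rule later in this commit has the same shape and the same two weaknesses.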
@@ -0,0 +1,34 @@
+title: Suspicious Load DLL via CertOC.exe
+author: Austin Songer @austinsonger
+date: 2021/10/23
+description: Detects when a user installs certificates by using CertOC.exe to loads
+ the target DLL file.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\certoc.exe'
+ SELECTION_3:
+ CommandLine: '*-LoadDLL*'
+ SELECTION_4:
+ CommandLine: '*.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- None
+fields:
+- CommandLine
+- ParentCommandLine
+id: 242301bc-f92f-4476-8718-78004a6efd9f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_certoc_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_clip.yml b/rules/Sigma/process_creation_clip.yml
new file mode 100644
index 00000000..7f29ebe4
--- /dev/null
+++ b/rules/Sigma/process_creation_clip.yml
@@ -0,0 +1,28 @@
+title: Use of CLIP
+author: frack113
+date: 2021/07/27
+description: Adversaries may collect data stored in the clipboard from users copying
+ information within or between applications.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: clip.exe
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: ddeff553-5233-4ae9-bbab-d64d2bd634be
+level: low
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1115
+yml_filename: process_creation_clip.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/Sigma/process_creation_cobaltstrike_load_by_rundll32.yml
new file mode 100644
index 00000000..49852b2f
--- /dev/null
+++ b/rules/Sigma/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -0,0 +1,33 @@
+title: CobaltStrike Load by Rundll32
+author: Wojciech Lesicki
+date: 2021/06/01
+description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs
+ from the command line.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ CommandLine: '*StartW*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.cobaltstrike.com/help-windows-executable
+- https://redcanary.com/threat-detection-report/
+- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+yml_filename: process_creation_cobaltstrike_load_by_rundll32.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_conti_cmd_ransomware.yml b/rules/Sigma/process_creation_conti_cmd_ransomware.yml
new file mode 100644
index 00000000..68417243
--- /dev/null
+++ b/rules/Sigma/process_creation_conti_cmd_ransomware.yml
@@ -0,0 +1,39 @@
+title: Conti Ransomware Execution
+author: frack113
+date: 2021/10/12
+description: Conti ransomware command line ioc
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-m *'
+ SELECTION_3:
+ CommandLine: '*-net *'
+ SELECTION_4:
+ CommandLine: '*-size *'
+ SELECTION_5:
+ CommandLine: '*-nomutex *'
+ SELECTION_6:
+ CommandLine: '*-p \\\*'
+ SELECTION_7:
+ CommandLine: '*$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown should be low
+id: 689308fc-cfba-4f72-9897-796c1dc61487
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
+- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
+status: experimental
+tags:
+- attack.impact
+- attack.s0575
+- attack.t1486
+yml_filename: process_creation_conti_cmd_ransomware.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_coti_sqlcmd.yml b/rules/Sigma/process_creation_coti_sqlcmd.yml
new file mode 100644
index 00000000..ebea53d8
--- /dev/null
+++ b/rules/Sigma/process_creation_coti_sqlcmd.yml
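Review bot: SELECTION_6 `CommandLine: '*-p \\\*'` ends in `\\\*`, which under Sigma escaping reads as one literal backslash followed by an escaped, literal asterisk, leaving no trailing wildcard; the selection would then only match command lines that end exactly with `-p \*`, and because every selection is AND-ed the whole critical-level rule would never fire. Elsewhere in this commit a literal backslash followed by a wildcard is written `\\*` (the GALLIUM and Wocao rules), so `'*-p \\*'` — or `'*-p \\\\*'` if a UNC-style double backslash is intended — is probably what was meant; verify against a sample command line before merging. `'*$*'` and `'*-m *'` are weak on their own but acceptable here because all seven selections are required together.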
@@ -0,0 +1,38 @@
+title: Conti Backup Database
+author: frack113
+date: 2021/08/16
+description: Detects a command used by conti to dump database
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*sqlcmd *'
+ SELECTION_3:
+ CommandLine: '*sqlcmd.exe*'
+ SELECTION_4:
+ CommandLine: '* -S localhost *'
+ SELECTION_5:
+ CommandLine: '*sys.sysprocesses*'
+ SELECTION_6:
+ CommandLine: '*master.dbo.sysdatabases*'
+ SELECTION_7:
+ CommandLine: '*BACKUP DATABASE*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6 or SELECTION_7))
+falsepositives:
+- Unknown
+id: 2f47f1fd-0901-466e-a770-3b7092834a1b
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/vxunderground/status/1423336151860002816?s=20
+- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
+status: experimental
+tags:
+- attack.collection
+yml_filename: process_creation_coti_sqlcmd.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_discover_private_keys.yml b/rules/Sigma/process_creation_discover_private_keys.yml
new file mode 100644
index 00000000..37fe8de1
--- /dev/null
+++ b/rules/Sigma/process_creation_discover_private_keys.yml
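Review bot: The file name and `yml_filename: process_creation_coti_sqlcmd.yml` misspell `conti` while the title and description say Conti; renaming now keeps the rule next to `process_creation_conti_cmd_ransomware.yml` and avoids a later rename commit. `tags` carries only the tactic `attack.collection`; every sibling rule in this commit pairs the tactic with a technique id, and this one should too. SELECTION_4 `'* -S localhost *'` requires both surrounding spaces and the literal `localhost`, so a server given as `.` or written without the space after `-S` is not covered — either document that scope in the description or add the variants.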
@@ -0,0 +1,56 @@
+title: Discover Private Keys
+author: frack113
+date: 2021/07/20
+description: Adversaries may search for private key certificate files on compromised
+ systems for insecurely stored credential
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*.pfx*'
+ SELECTION_11:
+ CommandLine: '*.cer*'
+ SELECTION_12:
+ CommandLine: '*.p7b*'
+ SELECTION_13:
+ CommandLine: '*.asc*'
+ SELECTION_2:
+ CommandLine: '*dir *'
+ SELECTION_3:
+ CommandLine: '*findstr *'
+ SELECTION_4:
+ CommandLine: '*.key*'
+ SELECTION_5:
+ CommandLine: '*.pgp*'
+ SELECTION_6:
+ CommandLine: '*.gpg*'
+ SELECTION_7:
+ CommandLine: '*.ppk*'
+ SELECTION_8:
+ CommandLine: '*.p12*'
+ SELECTION_9:
+ CommandLine: '*.pem*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1552.004
+yml_filename: process_creation_discover_private_keys.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_dns_serverlevelplugindll.yml b/rules/Sigma/process_creation_dns_serverlevelplugindll.yml
new file mode 100644
index 00000000..3618052c
--- /dev/null
+++ b/rules/Sigma/process_creation_dns_serverlevelplugindll.yml
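Review bot: The extension selections are bare substrings, so `'*.cer*'` also matches `.cert` and `.certificates`, `'*.key*'` matches `.keyboard` and `.keys`, `'*.asc*'` matches `.ascx`, and `'*.pem*'` matches any path containing `.pem`; combined with the very common `'*dir *'` token this medium-level rule will fire on routine directory listings. Where the backend allows it, anchor the extension with a following delimiter (a space, quote or end of value); otherwise list these collisions under `falsepositives` instead of `Unknown` so analysts know what to expect. `'*dir *'` itself also matches any word ending in `dir` followed by a space (`mkdir `, `chdir `, a path segment named `somedir `), not only the `dir` command, which is worth a comment.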
@@ -0,0 +1,45 @@
+title: DNS ServerLevelPluginDll Install
+author: Florian Roth
+date: 2017/05/08
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
+ in Registry, which can be used to execute code in context of the DNS server (restart
+ required)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\dnscmd.exe'
+ SELECTION_3:
+ CommandLine: '*/config*'
+ SELECTION_4:
+ CommandLine: '*/serverlevelplugindll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+related:
+- id: e61e8a88-59a9-451c-874e-70fcc9740d67
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1112
+yml_filename: process_creation_dns_serverlevelplugindll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_dotnet.yml b/rules/Sigma/process_creation_dotnet.yml
new file mode 100644
index 00000000..876b2f6e
--- /dev/null
+++ b/rules/Sigma/process_creation_dotnet.yml
@@ -0,0 +1,38 @@
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*.dll'
+ SELECTION_3:
+ CommandLine: '*.csproj'
+ SELECTION_4:
+ Image: '*\dotnet.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4))
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+- https://twitter.com/_felamos/status/1204705548668555264
+- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+status: experimental
+tags:
+- attack.execution
+- attack.t1218
+yml_filename: process_creation_dotnet.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_hack_dumpert.yml b/rules/Sigma/process_creation_hack_dumpert.yml
new file mode 100644
index 00000000..2047d019
--- /dev/null
+++ b/rules/Sigma/process_creation_hack_dumpert.yml
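Review bot: SELECTION_2 `CommandLine: '*.dll'` and SELECTION_3 `'*.csproj'` have no trailing wildcard, so they require the command line to end exactly with the extension; `dotnet app.dll --arg`, a quoted path ending in `.dll"`, or a trailing space all fail, which means the rule misses most real invocations of the behaviour in the title. If a suffix match is intended, say so in the description and add the quoted form (`'*.dll"'`) as an alternative; if any mention of the extension should count, use `'*.dll*'` and `'*.csproj*'` and accept the extra noise the `falsepositives` entries already anticipate.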
@@ -0,0 +1,30 @@
+title: Dumpert Process Dumper
+author: Florian Roth
+date: 2020/02/04
+description: Detects the use of Dumpert process dumper, which dumps the lsass.exe
+ process memory
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Imphash: 09D278F9DE118EF09163C6140255C690
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Very unlikely
+id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/outflanknl/Dumpert
+- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+yml_filename: process_creation_hack_dumpert.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_infdefaultinstall.yml b/rules/Sigma/process_creation_infdefaultinstall.yml
new file mode 100644
index 00000000..c725f557
--- /dev/null
+++ b/rules/Sigma/process_creation_infdefaultinstall.yml
@@ -0,0 +1,35 @@
+title: InfDefaultInstall.exe .inf Execution
+author: frack113
+date: 2021/07/13
+description: Executes SCT script using scrobj.dll from a command in entered into a
+ specially prepared INF file.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*InfDefaultInstall.exe *'
+ SELECTION_3:
+ CommandLine: '*.inf*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: ce7cf472-6fcc-490a-9481-3786840b5d9b
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: process_creation_infdefaultinstall.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/Sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
new file mode 100644
index 00000000..f0d4c15f
--- /dev/null
+++ b/rules/Sigma/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
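Review bot: SELECTION_2 `CommandLine: '*InfDefaultInstall.exe *'` matches only when the binary is spelled with its extension and immediately followed by a space, so `InfDefaultInstall x.inf` or a quoted path (`"...\InfDefaultInstall.exe" x.inf`) is missed; the other rules in this commit anchor on `Image: '*\<binary>.exe'`, which does not depend on how the command line was typed, and that form should be the primary selection here with the command-line token kept only as a secondary hint. The technique tag `attack.t1562.001` (impair defenses) does not describe INF-driven execution; both references on the rule point at T1218 material, so `attack.t1218` appears to be the intended tag.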
@@ -0,0 +1,43 @@
+title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+date: 2021/09/30
+description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*/in:*'
+ SELECTION_3:
+ CommandLine: '*/out:*'
+ SELECTION_4:
+ Image: '*\DataSvcUtil.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4))
+falsepositives:
+- DataSvcUtil.exe being used may be performed by a system administrator.
+- Verify whether the user identity, user agent, and/or hostname should be making changes
+ in your environment.
+- DataSvcUtil.exe being executed from unfamiliar users should be investigated. If
+ known behavior is causing false positives, it can be exempted from the rule.
+- Penetration Testing
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: e290b10b-1023-4452-a4a9-eb31a9013b3a
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+- https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1567
+yml_filename: process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_lolbins_by_office_applications.yml b/rules/Sigma/process_creation_lolbins_by_office_applications.yml
new file mode 100644
index 00000000..f551aab3
--- /dev/null
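Review bot: The condition requires both `'*/in:*'` and `'*/out:*'` on the same command line, yet the network-facing switch of DataSvcUtil.exe is `/uri:`, which names the remote service endpoint; an invocation that carries `/out:` and `/uri:` but no `/in:` would not match, so `/uri:` should be added as an alternative to SELECTION_2 or the description should explain why both file switches are mandatory for the exfiltration case. The four `falsepositives` entries mostly restate generic triage advice; the first and last are the rule-specific ones and the middle two could be folded into the description.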
+++ b/rules/Sigma/process_creation_lolbins_by_office_applications.yml
@@ -0,0 +1,46 @@
+title: New Lolbin Process by Office Applications
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor any office apps that spins up a new LOLBin process.
+ This activity is pretty suspicious and should be investigated.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*regsvr32'
+ SELECTION_3:
+ Image: '*rundll32'
+ SELECTION_4:
+ Image: '*msiexec'
+ SELECTION_5:
+ Image: '*mshta'
+ SELECTION_6:
+ Image: '*verclsid'
+ SELECTION_7:
+ ParentImage: '*winword.exe'
+ SELECTION_8:
+ ParentImage: '*excel.exe'
+ SELECTION_9:
+ ParentImage: '*powerpnt.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9))
+falsepositives:
+- Unknown
+id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_lolbins_by_office_applications.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/Sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
new file mode 100644
index 00000000..ba35e8e9
--- /dev/null
+++ b/rules/Sigma/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
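Review bot: SELECTION_2 through SELECTION_6 match `Image` with suffix patterns that stop before the extension (`'*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'`, `'*verclsid'`); if `Image` holds the full executable path as Sysmon Event ID 1 records it (ending in `regsvr32.exe`), none of these can ever match and the high-level rule is dead. Append the extension and a leading separator to each, e.g. `Image: '*\regsvr32.exe'`, which is also the form the other `Image` selections in this commit use. The `ParentImage` patterns are fine; the identical `Image` list in the WmiPrvSE parent-process rule later in this commit needs the same correction.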
@@ -0,0 +1,50 @@
+title: Suspicious Driver Install by pnputil.exe
+author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
+date: 2021/09/30
+description: Detects when a possible suspicious driver is being installed via pnputil.exe
+ lolbin
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-i*'
+ SELECTION_3:
+ CommandLine: '*/install*'
+ SELECTION_4:
+ CommandLine: '*-a*'
+ SELECTION_5:
+ CommandLine: '*/add-driver*'
+ SELECTION_6:
+ CommandLine: '*.inf*'
+ SELECTION_7:
+ Image: '*\pnputil.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6) and (SELECTION_7))
+falsepositives:
+- Pnputil.exe being used may be performed by a system administrator.
+- Verify whether the user identity, user agent, and/or hostname should be making changes
+ in your environment.
+- Pnputil.exe being executed from unfamiliar users should be investigated. If known
+ behavior is causing false positives, it can be exempted from the rule.
+- Penetration Testing
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
+- https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
+status: experimental
+tags:
+- attack.persistence
+- attack.t1547
+- attack.t1547.006
+yml_filename: process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/Sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
new file mode 100644
index 00000000..d4691aee
--- /dev/null
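Review bot: SELECTION_2 `CommandLine: '*-i*'` and SELECTION_4 `CommandLine: '*-a*'` are two-character substring matches, so any pnputil invocation whose arguments contain a hyphenated word or path segment (the read-only `/enum-interfaces` from the referenced syntax page, or a driver folder like `C:\vendor-install\`) satisfies the "install" branch and raises a driver-installation alert. Anchor the legacy switches on surrounding whitespace, `'* -i *'` and `'* -a *'`, so only the actual `-i`/`-a` options match. Note also that SELECTION_6 `'*.inf*'` on its own already matches every driver add, which makes the other four selections redundant for that case; if the intent is "installs only", drop `.inf` from the OR or AND it with the install switches. The `falsepositives` text mentions a "user agent", which is not a field of a `process_creation` event.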
+++ b/rules/Sigma/process_creation_lolbins_with_wmiprvse_parent_process.yml
@@ -0,0 +1,42 @@
+title: Lolbins Process Creation with WmiPrvse
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: This rule will monitor LOLBin process creations by wmiprvse. Add more
+ LOLBins to rule logic if needed.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*regsvr32'
+ SELECTION_3:
+ Image: '*rundll32'
+ SELECTION_4:
+ Image: '*msiexec'
+ SELECTION_5:
+ Image: '*mshta'
+ SELECTION_6:
+ Image: '*verclsid'
+ SELECTION_7:
+ ParentImage: '*\wbem\WmiPrvSE.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6) and SELECTION_7)
+falsepositives:
+- Unknown
+id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_lolbins_with_wmiprvse_parent_process.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_mal_blue_mockingbird.yml b/rules/Sigma/process_creation_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..341f33f4
--- /dev/null
+++ b/rules/Sigma/process_creation_mal_blue_mockingbird.yml
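Review bot: The LOLBin patterns SELECTION_2 through SELECTION_6 stop at the binary's base name (`Image: '*regsvr32'`, `'*rundll32'`, `'*msiexec'`, `'*mshta'`, `'*verclsid'`) while SELECTION_7 correctly anchors on `'*\wbem\WmiPrvSE.exe'`; as suffix matches the child patterns cannot match an `Image` path that ends in `.exe`, so the AND with SELECTION_7 is never satisfied. Rewrite them as `Image: '*\regsvr32.exe'` (and likewise for the other four) so the rule fires on the WmiPrvSE-spawned LOLBin chain it documents. Until then this `level: high` rule produces no alerts, which is worse than a noisy one because nobody will notice it is broken.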
@@ -0,0 +1,40 @@
+title: Blue Mockingbird
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cmd.exe'
+ SELECTION_3:
+ CommandLine: '*sc config*'
+ SELECTION_4:
+ CommandLine: '*wercplsupporte.dll*'
+ SELECTION_5:
+ Image: '*\wmic.exe'
+ SELECTION_6:
+ CommandLine: '*COR_PROFILER'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
+ (SELECTION_5 and SELECTION_6)))
+falsepositives:
+- unknown
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: ce239692-aa94-41b3-b32f-9cab259c96ea
+ type: merged
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
+yml_filename: process_creation_mal_blue_mockingbird.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/process_creation_mal_darkside_ransomware.yml b/rules/Sigma/process_creation_mal_darkside_ransomware.yml
new file mode 100644
index 00000000..0ff0fa3d
--- /dev/null
+++ b/rules/Sigma/process_creation_mal_darkside_ransomware.yml
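Review bot: SELECTION_6 `CommandLine: '*COR_PROFILER'` has no trailing wildcard, so the wmic branch only matches when `COR_PROFILER` is the very last token of the command line; a `wmic environment create name="COR_PROFILER",VariableValue=...` invocation that sets the value in the same call, or one with a trailing quote or space, is missed. Unless the suffix anchor was chosen deliberately to mirror one observed sample, `'*COR_PROFILER*'` is the safer pattern, and a `CommandLine|contains` on `environment` would keep it specific to the technique rather than to one command shape. The cmd.exe branch is tightly bound to the `wercplsupporte.dll` file name, so it is fine as written.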
@@ -0,0 +1,36 @@
+title: DarkSide Ransomware Pattern
+author: Florian Roth
+date: 2021/05/14
+description: Detects DarkSide Ransomware and helpers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*=[char][byte](''0x''+*'
+ SELECTION_3:
+ CommandLine: '* -work worker0 -path *'
+ SELECTION_4:
+ ParentCommandLine: '*DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'
+ SELECTION_5:
+ Image: '*\AppData\Local\Temp\\*'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or ((SELECTION_4) and
+ (SELECTION_5))))
+falsepositives:
+- Unknown
+- UAC bypass method used by other malware
+id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
+- https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+yml_filename: process_creation_mal_darkside_ransomware.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/process_creation_mal_lockergoga_ransomware.yml b/rules/Sigma/process_creation_mal_lockergoga_ransomware.yml
new file mode 100644
index 00000000..f00d3531
--- /dev/null
+++ b/rules/Sigma/process_creation_mal_lockergoga_ransomware.yml
@@ -0,0 +1,28 @@
+title: LockerGoga Ransomware
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-i SM-tgytutrc -s*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unlikely
+id: 74db3488-fd28-480a-95aa-b7af626de068
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+status: experimental
+tags:
+- attack.impact
+- attack.t1486
+yml_filename: process_creation_mal_lockergoga_ransomware.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/process_creation_mal_ryuk.yml b/rules/Sigma/process_creation_mal_ryuk.yml
new file mode 100644
index 00000000..9738c948
--- /dev/null
+++ b/rules/Sigma/process_creation_mal_ryuk.yml
@@ -0,0 +1,37 @@
+title: Ryuk Ransomware
+author: Vasiliy Burov
+date: 2019/08/06
+description: Detects Ryuk Ransomware command lines
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\net.exe'
+ SELECTION_3:
+ Image: '*\net1.exe'
+ SELECTION_4:
+ CommandLine: '*stop*'
+ SELECTION_5:
+ CommandLine: '*samss*'
+ SELECTION_6:
+ CommandLine: '*audioendpointbuilder*'
+ SELECTION_7:
+ CommandLine: '*unistoresvc_?????*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6 or SELECTION_7))
+falsepositives:
+- Unlikely
+id: 0acaad27-9f02-4136-a243-c357202edd74
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+yml_filename: process_creation_mal_ryuk.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/process_creation_msdeploy.yml b/rules/Sigma/process_creation_msdeploy.yml
new file mode 100644
index 00000000..5747a46b
--- /dev/null
+++ b/rules/Sigma/process_creation_msdeploy.yml
@@ -0,0 +1,40 @@
+title: Execute Files with Msdeploy.exe
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*verb:sync*'
+ SELECTION_3:
+ CommandLine: '*-source:RunCommand*'
+ SELECTION_4:
+ CommandLine: '*-dest:runCommand*'
+ SELECTION_5:
+ Image: '*\msdeploy.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5))
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+- https://twitter.com/pabraeken/status/995837734379032576
+- https://twitter.com/pabraeken/status/999090532839313408
+status: experimental
+tags:
+- attack.execution
+- attack.t1218
+yml_filename: process_creation_msdeploy.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/Sigma/process_creation_office_applications_spawning_wmi_commandline.yml
new file mode 100644
index 00000000..eaeb737e
--- /dev/null
+++ b/rules/Sigma/process_creation_office_applications_spawning_wmi_commandline.yml
@@ -0,0 +1,45 @@
+title: Office Applications Spawning Wmi Cli
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic to execute the file
+ with regsvr32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: \wbem\WMIC.exe
+ SELECTION_3:
+ CommandLine: '*wmic *'
+ SELECTION_4:
+ OriginalFileName: wmic.exe
+ SELECTION_5:
+ Description: WMI Commandline Utility
+ SELECTION_6:
+ ParentImage: '*winword.exe'
+ SELECTION_7:
+ ParentImage: '*excel.exe'
+ SELECTION_8:
+ ParentImage: '*powerpnt.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and (SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/10
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_office_applications_spawning_wmi_commandline.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
new file mode 100644
index 00000000..c0500b28
--- /dev/null
+++ b/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload.yml
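Review bot: SELECTION_2 `Image: \wbem\WMIC.exe` has no leading wildcard, so it is an exact match against a relative fragment and never equals a full `Image` path such as `C:\Windows\System32\wbem\WMIC.exe`; the sibling rule in this diff writes the same selector as `Image: '*\wbem\WMIC.exe'`, which is what this one should use. The rule still fires today only because SELECTION_3 (`'*wmic *'`), SELECTION_4 and SELECTION_5 are ORed in, which hides the dead selector. Worth noting in the description that SELECTION_3 also matches a shell invocation like `cmd /c wmic ...` under an Office parent, which is presumably intended but makes the title slightly narrower than the logic.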
@@ -0,0 +1,66 @@
+title: Excel Proxy Executing Regsvr32 With Payload
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
+ we have command-line in the event which allow us to "restore" this suspicious
+ parent-child chain and detect it. Monitor process creation with "wmic process
+ call create" and LOLBins in command-line with parent Office application processes.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*verclsid*'
+ SELECTION_11:
+ ParentImage: '*winword.exe'
+ SELECTION_12:
+ ParentImage: '*excel.exe'
+ SELECTION_13:
+ ParentImage: '*powerpnt.exe'
+ SELECTION_14:
+ ParentCommandLine: '*process*'
+ SELECTION_15:
+ ParentCommandLine: '*create*'
+ SELECTION_16:
+ ParentCommandLine: '*call*'
+ SELECTION_2:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_3:
+ ParentCommandLine: '*wmic *'
+ SELECTION_4:
+ OriginalFileName: wmic.exe
+ SELECTION_5:
+ Description: WMI Commandline Utility
+ SELECTION_6:
+ CommandLine: '*regsvr32*'
+ SELECTION_7:
+ CommandLine: '*rundll32*'
+ SELECTION_8:
+ CommandLine: '*msiexec*'
+ SELECTION_9:
+ CommandLine: '*mshta*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
+ and (SELECTION_11 or SELECTION_12 or SELECTION_13) and SELECTION_14 and SELECTION_15
+ and SELECTION_16)
+falsepositives:
+- Unknown
+id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/09
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_office_from_proxy_executing_regsvr32_payload.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
new file mode 100644
index 00000000..6f2f1a98
--- /dev/null
+++ b/rules/Sigma/process_creation_office_from_proxy_executing_regsvr32_payload2.yml
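Review bot: The condition ANDs `ParentImage` in `{winword.exe, excel.exe, powerpnt.exe}` (SELECTION_11-13) with `ParentCommandLine` containing `process`, `create` and `call` (SELECTION_14-16, plus `*wmic *` in SELECTION_3), but in the event this rule describes the parent is the Office application and its command line is the document path, not `wmic process call create ...`; that string lives in the wmic process's own `CommandLine`, together with the `regsvr32`/`rundll32` token that SELECTION_6-10 already look for there. As written the rule cannot match the chain in the description. Change SELECTION_3 and SELECTION_14-16 to `CommandLine` (e.g. `SELECTION_14: CommandLine: '*process*'`) so all four tokens are tested on the wmic invocation spawned by the Office parent; the description already says the detection works from "command-line in the event", which is exactly this field.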
@@ -0,0 +1,61 @@
+title: Excel Proxy Executing Regsvr32 With Payload
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But
+ we have command-line in the event which allow us to "restore" this suspicious
+ parent-child chain and detect it. Monitor process creation with "wmic process
+ call create" and LOLBins in command-line with parent Office application processes.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ ParentImage: '*excel.exe'
+ SELECTION_11:
+ ParentImage: '*powerpnt.exe'
+ SELECTION_12:
+ ParentCommandLine: '*process*'
+ SELECTION_13:
+ ParentCommandLine: '*create*'
+ SELECTION_14:
+ ParentCommandLine: '*call*'
+ SELECTION_2:
+ ParentCommandLine: '*regsvr32*'
+ SELECTION_3:
+ ParentCommandLine: '*rundll32*'
+ SELECTION_4:
+ ParentCommandLine: '*msiexec*'
+ SELECTION_5:
+ ParentCommandLine: '*mshta*'
+ SELECTION_6:
+ ParentCommandLine: '*verclsid*'
+ SELECTION_7:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_8:
+ ParentCommandLine: '*wmic *'
+ SELECTION_9:
+ ParentImage: '*winword.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6) and (SELECTION_7 or SELECTION_8) and (SELECTION_9 or SELECTION_10
+ or SELECTION_11) and SELECTION_12 and SELECTION_13 and SELECTION_14)
+falsepositives:
+- Unknown
+id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/09
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_office_from_proxy_executing_regsvr32_payload2.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_office_spawning_wmi_commandline.yml b/rules/Sigma/process_creation_office_spawning_wmi_commandline.yml
new file mode 100644
index 00000000..c5b829ed
--- /dev/null
+++ b/rules/Sigma/process_creation_office_spawning_wmi_commandline.yml
@@ -0,0 +1,41 @@
+title: Office Applications Spawning Wmi Cli
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+description: Initial execution of malicious document calls wmic to execute the file
+ with regsvr32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\wbem\WMIC.exe'
+ SELECTION_3:
+ ParentCommandLine: '*wmic *'
+ SELECTION_4:
+ ParentImage: winword.exe
+ SELECTION_5:
+ ParentImage: excel.exe
+ SELECTION_6:
+ ParentImage: powerpnt.exe
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Unknown
+id: 04f5363a-6bca-42ff-be70-0d28bf629ead
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/11/09
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+status: experimental
+tags:
+- attack.t1204.002
+- attack.t1047
+- attack.t1218.010
+- attack.execution
+- attack.defense_evasion
+yml_filename: process_creation_office_spawning_wmi_commandline.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_pingback_backdoor.yml b/rules/Sigma/process_creation_pingback_backdoor.yml
new file mode 100644
index 00000000..3cb4986f
--- /dev/null
+++ b/rules/Sigma/process_creation_pingback_backdoor.yml
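Review bot: This second variant tests every token on `ParentCommandLine` (SELECTION_2-6 for the LOLBin name, SELECTION_8 `*wmic *`, SELECTION_12-14 `process`/`create`/`call`) while also requiring `ParentImage` to be winword/excel/powerpnt (SELECTION_9-11); an Office application's command line never contains `wmic process call create regsvr32`, so the conjunction cannot be satisfied. If the intent is to catch the process that `wmic process call create` launches, its parent in practice is `WmiPrvSE.exe`, not the Office app, and that event is already what `process_creation_lolbins_with_wmiprvse_parent_process.yml` in this same diff matches on; if the intent is the wmic invocation itself, the five `ParentCommandLine` selections should read `CommandLine`, as in `SELECTION_2: CommandLine: '*regsvr32*'`. Either way the two near-duplicate "payload" rules share one title and one `description`; state in each which link of the chain it targets so an analyst can tell them apart in an alert.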
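Review bot: In the office_spawning_wmi_commandline rule SELECTION_4-6 use bare `ParentImage: winword.exe` / `excel.exe` / `powerpnt.exe` with no leading wildcard, so they are exact matches that never equal a full parent path; the other Office-parent rules in this diff write `ParentImage: '*winword.exe'`, and these should match, e.g. `ParentImage: '*\winword.exe'`. With the parent selectors dead the whole rule is dead, which is easy to miss for a `level: high` rule that simply stays silent. SELECTION_3 `ParentCommandLine: '*wmic *'` also looks misplaced: the parent here is the Office process, so the `wmic` string would be in the child's `CommandLine`, and this rule is otherwise identical to `process_creation_office_applications_spawning_wmi_commandline.yml` above except for that field and the wildcards; consider keeping only one of the two.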
@@ -0,0 +1,38 @@
+title: Pingback Backdoor
+author: Bhabesh Raj
+date: 2021/05/05
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2
+ as described in the trustwave report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*updata.exe'
+ SELECTION_3:
+ CommandLine: '*config*'
+ SELECTION_4:
+ CommandLine: '*msdtc*'
+ SELECTION_5:
+ CommandLine: '*start*'
+ SELECTION_6:
+ CommandLine: '*auto*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Very unlikely
+id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+status: experimental
+tags:
+- attack.persistence
+- attack.t1574.001
+yml_filename: process_creation_pingback_backdoor.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_protocolhandler_suspicious_file.yml b/rules/Sigma/process_creation_protocolhandler_suspicious_file.yml
new file mode 100644
index 00000000..f7797b44
--- /dev/null
+++ b/rules/Sigma/process_creation_protocolhandler_suspicious_file.yml
@@ -0,0 +1,36 @@
+title: ProtocolHandler.exe Downloaded Suspicious File
+author: frack113
+date: 2021/07/13
+description: Emulates attack via documents through protocol handler in Microsoft Office.
+ On successful execution you should see Microsoft Word launch a blank file.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\protocolhandler.exe'
+ SELECTION_3:
+ CommandLine: '*"ms-word*'
+ SELECTION_4:
+ CommandLine: '*.docx"*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_protocolhandler_suspicious_file.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_root_certificate_installed.yml b/rules/Sigma/process_creation_root_certificate_installed.yml
new file mode 100644
index 00000000..51a385a8
--- /dev/null
+++ b/rules/Sigma/process_creation_root_certificate_installed.yml
@@ -0,0 +1,41 @@
+title: Root Certificate Installed
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/10
+description: Adversaries may install a root certificate on a compromised system to
+ avoid warnings when connecting to adversary controlled web servers.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*root*'
+ SELECTION_3:
+ Image: '*\certutil.exe'
+ SELECTION_4:
+ CommandLine: '*-addstore*'
+ SELECTION_5:
+ Image: '*\CertMgr.exe'
+ SELECTION_6:
+ CommandLine: '*/add*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or
+ (SELECTION_5 and SELECTION_6)))
+falsepositives:
+- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
+ test if GPO push doesn't trigger FP
+id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+related:
+- id: 42821614-9264-4761-acfc-5772c3286f76
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1553.004
+yml_filename: process_creation_root_certificate_installed.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_sdelete.yml b/rules/Sigma/process_creation_sdelete.yml
new file mode 100644
index 00000000..3788326f
--- /dev/null
+++ b/rules/Sigma/process_creation_sdelete.yml
@@ -0,0 +1,40 @@
+title: Sysinternals SDelete Delete File
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: sdelete.exe
+ SELECTION_3:
+ CommandLine: '* -h*'
+ SELECTION_4:
+ CommandLine: '* -c*'
+ SELECTION_5:
+ CommandLine: '* -z*'
+ SELECTION_6:
+ CommandLine: '* /?*'
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
+ or SELECTION_5 or SELECTION_6)))
+falsepositives:
+- System administrator Usage
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: a4824fca-976f-4964-b334-0621379e84c4
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+status: experimental
+tags:
+- attack.impact
+- attack.t1485
+yml_filename: process_creation_sdelete.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_software_discovery.yml b/rules/Sigma/process_creation_software_discovery.yml
new file mode 100644
index 00000000..6559241f
--- /dev/null
+++ b/rules/Sigma/process_creation_software_discovery.yml
@@ -0,0 +1,42 @@
+title: Detected Windows Software Discovery
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+description: Adversaries may attempt to enumerate software for a variety of reasons,
+ such as figuring out what security measures are present or if the compromised
+ system has a version of software that is vulnerable.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\reg.exe'
+ SELECTION_3:
+ CommandLine: '*query*'
+ SELECTION_4:
+ CommandLine: '*\software\\*'
+ SELECTION_5:
+ CommandLine: '*/v*'
+ SELECTION_6:
+ CommandLine: '*svcversion*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Legitimate administration activities
+id: e13f668e-7f95-443d-98d2-1816a7648a7b
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+- https://github.com/harleyQu1nn/AggressorScripts
+related:
+- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+ type: derived
+status: experimental
+tags:
+- attack.discovery
+- attack.t1518
+yml_filename: process_creation_software_discovery.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_stickykey_like_backdoor.yml b/rules/Sigma/process_creation_stickykey_like_backdoor.yml
new file mode 100644
index 00000000..cc38d7f9
--- /dev/null
+++ b/rules/Sigma/process_creation_stickykey_like_backdoor.yml
@@ -0,0 +1,50 @@
+title: Sticky Key Like Backdoor Usage
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+description: Detects the usage and installation of a backdoor that uses an option
+ to register a malicious debugger for built-in tools that are accessible in the
+ login screen
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\winlogon.exe'
+ SELECTION_3:
+ Image: '*\cmd.exe'
+ SELECTION_4:
+ CommandLine: '*sethc.exe*'
+ SELECTION_5:
+ CommandLine: '*utilman.exe*'
+ SELECTION_6:
+ CommandLine: '*osk.exe*'
+ SELECTION_7:
+ CommandLine: '*Magnify.exe*'
+ SELECTION_8:
+ CommandLine: '*Narrator.exe*'
+ SELECTION_9:
+ CommandLine: '*DisplaySwitch.exe*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
+falsepositives:
+- Unlikely
+id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+related:
+- id: baca5663-583c-45f9-b5dc-ea96a22ce542
+ type: derived
+tags:
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1015
+- attack.t1546.008
+- car.2014-11-003
+- car.2014-11-008
+yml_filename: process_creation_stickykey_like_backdoor.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_stordiag_execution.yml b/rules/Sigma/process_creation_stordiag_execution.yml
new file mode 100644
index 00000000..11248cf4
--- /dev/null
+++ b/rules/Sigma/process_creation_stordiag_execution.yml
@@ -0,0 +1,39 @@
+title: Execution via stordiag.exe
+author: Austin Songer (@austinsonger)
+date: 2021/10/21
+description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe
+ and fltmc.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\stordiag.exe'
+ SELECTION_3:
+ Image: '*\schtasks.exe'
+ SELECTION_4:
+ Image: '*\systeminfo.exe'
+ SELECTION_5:
+ Image: '*\fltmc.exe'
+ SELECTION_6:
+ ParentImage: c:\windows\system32\\*
+ SELECTION_7:
+ ParentImage: c:\windows\syswow64\\*
+ condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
+ and not ((SELECTION_6 or SELECTION_7)))
+falsepositives:
+- Legitimate usage of stordiag.exe.
+id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
+- https://twitter.com/eral4m/status/1451112385041911809
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_stordiag_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_7z.yml b/rules/Sigma/process_creation_susp_7z.yml
new file mode 100644
index 00000000..b5a666f5
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_7z.yml
@@ -0,0 +1,40 @@
+title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
+author: frack113
+date: 2021/07/27
+description: An adversary may compress or encrypt data that is collected prior to
+ exfiltration using 3rd party utilities
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*7z.exe*'
+ SELECTION_3:
+ CommandLine: '*7za.exe*'
+ SELECTION_4:
+ CommandLine: '* -p*'
+ SELECTION_5:
+ CommandLine: '* a *'
+ SELECTION_6:
+ CommandLine: '* u *'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Command line parameter combinations that contain all included strings
+fields:
+- CommandLine
+- ParentCommandLine
+- CurrentDirectory
+id: 9fbf5927-5261-4284-a71d-f681029ea574
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1560.001
+yml_filename: process_creation_susp_7z.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/Sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
new file mode 100644
index 00000000..86cd58d6
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_athremotefxvgpudisablementcommand.yml
@@ -0,0 +1,46 @@
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+ that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+ SELECTION_3:
+ CommandLine: '*-ModuleName *'
+ SELECTION_4:
+ CommandLine: '*-ModulePath *'
+ SELECTION_5:
+ CommandLine: '*-ScriptBlock *'
+ SELECTION_6:
+ CommandLine: '*-RemoteFXvGPUDisablementFilePath*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+related:
+- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_susp_athremotefxvgpudisablementcommand.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_del.yml b/rules/Sigma/process_creation_susp_del.yml
new file mode 100644
index 00000000..316e326b
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_del.yml
@@ -0,0 +1,37 @@
+title: Suspicious Del in CommandLine
+author: frack113
+date: 2021/10/26
+description: suspicious command line to remove exe or dll
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*del *'
+ SELECTION_3:
+ CommandLine: '*/f *'
+ SELECTION_4:
+ CommandLine: '*/q *'
+ SELECTION_5:
+ CommandLine: '*.exe*'
+ SELECTION_6:
+ CommandLine: '*C:\ProgramData\\*'
+ SELECTION_7:
+ CommandLine: '*.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: 204b17ae-4007-471b-917b-b917b315c5db
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
+yml_filename: process_creation_susp_del.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_recon.yml b/rules/Sigma/process_creation_susp_recon.yml
new file mode 100644
index 00000000..0d33e312
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_recon.yml
@@ -0,0 +1,36 @@
+title: Recon Information for Export with Command Prompt
+author: frack113
+date: 2021/07/30
+description: Once established within a system or network, an adversary may use automated
+ techniques for collecting internal data.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\tree.com'
+ SELECTION_3:
+ Image: '*\WMIC.exe'
+ SELECTION_4:
+ Image: '*\doskey.exe'
+ SELECTION_5:
+ Image: '*\sc.exe'
+ SELECTION_6:
+ ParentCommandLine: '* > %TEMP%\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: aa2efee7-34dd-446e-8a37-40790a66efd7
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119
+yml_filename: process_creation_susp_recon.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_web_request_cmd.yml b/rules/Sigma/process_creation_susp_web_request_cmd.yml
new file mode 100644
index 00000000..760b4791
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_web_request_cmd.yml
@@ -0,0 +1,41 @@
+title: Windows Suspicious Use Of Web Request in CommandLine
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request with commandline tools or Windows
+ PowerShell command,methods (including aliases)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Invoke-WebRequest*'
+ SELECTION_3:
+ CommandLine: '*iwr *'
+ SELECTION_4:
+ CommandLine: '*wget *'
+ SELECTION_5:
+ CommandLine: '*curl *'
+ SELECTION_6:
+ CommandLine: '*Net.WebClient*'
+ SELECTION_7:
+ CommandLine: '*Start-BitsTransfer*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7))
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: process_creation_susp_web_request_cmd.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_winzip.yml b/rules/Sigma/process_creation_susp_winzip.yml
new file mode 100644
index 00000000..f0c1fc91
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_winzip.yml
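Review bot: `falsepositives` lists only Get-Command/Get-Help, but SELECTION_4 `'*wget *'` and SELECTION_5 `'*curl *'` match any command line carrying those tokens, so routine curl/wget use by build scripts, package managers and administrators will also trigger this medium-level rule. Suggest adding `- Legitimate use of curl, wget, Invoke-WebRequest or Start-BitsTransfer by administrators and build tooling` under `falsepositives`. `attack.t1086` in `tags` is the retired PowerShell technique id that `attack.t1059.001` already covers, so one of the two can be dropped.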
@@ -0,0 +1,36 @@
+title: Compress Data and Lock With Password for Exfiltration With WINZIP
+author: frack113
+date: 2021/07/27
+description: An adversary may compress or encrypt data that is collected prior to
+ exfiltration using 3rd party utilities
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*winzip.exe*'
+ SELECTION_3:
+ CommandLine: '*winzip64.exe*'
+ SELECTION_4:
+ CommandLine: '*-s"*'
+ SELECTION_5:
+ CommandLine: '* -min *'
+ SELECTION_6:
+ CommandLine: '* -a *'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4) and
+ (SELECTION_5 or SELECTION_6))
+falsepositives:
+- Unknown
+id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1560.001
+yml_filename: process_creation_susp_winzip.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_susp_zip_compress.yml b/rules/Sigma/process_creation_susp_zip_compress.yml
new file mode 100644
index 00000000..912357c0
--- /dev/null
+++ b/rules/Sigma/process_creation_susp_zip_compress.yml
@@ -0,0 +1,37 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+author: frack113
+date: 2021/07/20
+description: Use living off the land tools to zip a file and stage it in the Windows
+ temporary folder for later exfiltration
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Compress-Archive *'
+ SELECTION_3:
+ CommandLine: '* -Path *'
+ SELECTION_4:
+ CommandLine: '* -DestinationPath *'
+ SELECTION_5:
+ CommandLine: '*$env:TEMP\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+related:
+- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ type: derived
+status: experimental
+tags:
+- attack.collection
+- attack.t1074.001
+yml_filename: process_creation_susp_zip_compress.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_exe.yml b/rules/Sigma/process_creation_syncappvpublishingserver_exe.yml
new file mode 100644
index 00000000..f8202914
--- /dev/null
+++ b/rules/Sigma/process_creation_syncappvpublishingserver_exe.yml
@@ -0,0 +1,28 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+ by adversaries to bypass PowerShell execution restrictions.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\SyncAppvPublishingServer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- App-V clients
+id: fde7929d-8beb-4a4c-b922-be9974671667
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_syncappvpublishingserver_exe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/Sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
new file mode 100644
index 00000000..ea701a51
--- /dev/null
+++ b/rules/Sigma/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
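Review bot: This file carries `status: deprecated` and its `yml_path` places the source under `windows/deprecated`, yet it is imported into the active rule set beside its replacement in the next hunk, which lists this rule's id `fde7929d-8beb-4a4c-b922-be9974671667` under `related` with `type: obsoletes`. Unless the loader filters on `status`, every SyncAppvPublishingServer.exe start will raise this alert on top of the narrower one, including the App-V client activity both rules name as a false positive. Either leave the deprecated file out of the import or record why it is kept, e.g. `# kept on purpose: broader than fbd7c32d-db2a-4418-b92c-566eb8911133, which also requires the "n; command-line pattern`.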
@@ -0,0 +1,38 @@
+title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
+author: frack113
+date: 2021/07/12
+description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\SyncAppvPublishingServer.exe'
+ SELECTION_3:
+ CommandLine: '*"n; *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- App-V clients
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: fbd7c32d-db2a-4418-b92c-566eb8911133
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: obsoletes
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/Sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
new file mode 100644
index 00000000..6e69cacb
--- /dev/null
+++ b/rules/Sigma/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
@@ -0,0 +1,36 @@
+title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
+author: frack113
+date: 2021/07/16
+description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*\SyncAppvPublishingServer.vbs*'
+ SELECTION_3:
+ CommandLine: '*"n;*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.t1216
+yml_filename: process_creation_syncappvpublishingserver_vbs_execute_powershell.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_sysinternals_eula_accepted.yml b/rules/Sigma/process_creation_sysinternals_eula_accepted.yml
new file mode 100644
index 00000000..8633931b
--- /dev/null
+++ b/rules/Sigma/process_creation_sysinternals_eula_accepted.yml
@@ -0,0 +1,32 @@
+title: Usage of Sysinternals Tools
+author: Markus Neis
+date: 2017/08/28
+description: Detects the usage of Sysinternals Tools due to accepteula key being added
+ to Registry
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* -accepteula*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use of SysInternals tools
+- Programs that use the same Registry Key
+id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://twitter.com/Moti_B/status/1008587936735035392
+related:
+- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+ type: derived
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588.002
+yml_filename: process_creation_sysinternals_eula_accepted.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/Sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
new file mode 100644
index 00000000..45f10a9a
--- /dev/null
+++ b/rules/Sigma/process_creation_sysmon_uac_bypass_eventvwr.yml
@@ -0,0 +1,39 @@
+title: UAC Bypass via Event Viewer
+author: Florian Roth
+date: 2017/03/19
+description: Detects UAC bypass method using Windows event viewer
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\eventvwr.exe'
+ SELECTION_3:
+ Image: '*\mmc.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: be344333-921d-4c4d-8bb8-e584cf584780
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/12
+references:
+- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
+- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
+related:
+- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1088
+- attack.t1548.002
+- car.2019-04-001
+yml_filename: process_creation_sysmon_uac_bypass_eventvwr.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_tool_psexec.yml b/rules/Sigma/process_creation_tool_psexec.yml
new file mode 100644
index 00000000..211ae88b
--- /dev/null
+++ b/rules/Sigma/process_creation_tool_psexec.yml
@@ -0,0 +1,44 @@
+title: PsExec Tool Execution
+author: Thomas Patzke
+date: 2017/06/12
+description: Detects PsExec service installation and execution events (service and
+ Sysmon)
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\PSEXESVC.exe'
+ SELECTION_3:
+ User: NT AUTHORITY\SYSTEM*
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- ServiceName
+- ServiceFileName
+- TargetFilename
+- PipeName
+id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+- https://jpcertcc.github.io/ToolAnalysisResultSheet
+related:
+- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1035
+- attack.t1569.002
+- attack.s0029
+yml_filename: process_creation_tool_psexec.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creation_tttracer_mod_load.yml b/rules/Sigma/process_creation_tttracer_mod_load.yml
new file mode 100644
index 00000000..f716acce
--- /dev/null
+++ b/rules/Sigma/process_creation_tttracer_mod_load.yml
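Review bot: `fields` lists `ServiceName`, `ServiceFileName`, `TargetFilename` and `PipeName`, and the description still says "service and Sysmon", although this rule's `logsource` is only `process_creation` and the detection tests nothing but `Image` and `User`; those entries look left over from the multi-source rule it was derived from (related id 42c575ea-e41e-41f1-b248-8093c3e82a28). Trim `fields` to `EventID`, `CommandLine` and `ParentCommandLine` and reword the description to `Detects PsExec service execution (PSEXESVC.exe started as NT AUTHORITY\SYSTEM)`. `User: NT AUTHORITY\SYSTEM*` works as a plain scalar, but quoting it like the other patterns in the batch would keep the file consistent.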
@@ -0,0 +1,35 @@
+title: Time Travel Debugging Utility Usage
+author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+ malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\tttracer.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate usage by software developers/testers
+id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+related:
+- id: e76c8240-d68f-4773-8880-5c6f63595aaf
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
+yml_filename: process_creation_tttracer_mod_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/process_creation_win_exchange_transportagent.yml b/rules/Sigma/process_creation_win_exchange_transportagent.yml
new file mode 100644
index 00000000..e318f8bc
--- /dev/null
+++ b/rules/Sigma/process_creation_win_exchange_transportagent.yml
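Review bot: `yml_path` records `.../rules/windows/image_load` while the file name, `logsource.category: process_creation` and the `ParentImage` selection all describe a process-creation rule; presumably the rule was rewritten from the image_load original it lists under `related` (e76c8240-d68f-4773-8880-5c6f63595aaf) and the path metadata was not updated. Since the other converted rules use `yml_path` to record the source directory, correct it to the process_creation path or state the origin in the description, e.g. `description: ... Derived from the image_load rule e76c8240-d68f-4773-8880-5c6f63595aaf.`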
@@ -0,0 +1,30 @@
+title: MSExchange Transport Agent Installation
+author: Tobias Michalski
+date: 2021/06/08
+description: Detects the Installation of a Exchange Transport Agent
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*Install-TransportAgent*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator
+ for this.
+fields:
+- AssemblyPath
+id: 83809e84-4475-4b69-bc3e-4aad8568612f
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.002
+yml_filename: process_creation_win_exchange_transportagent.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_creationn_apt_chafer_mar18.yml b/rules/Sigma/process_creationn_apt_chafer_mar18.yml
new file mode 100644
index 00000000..a5408a61
--- /dev/null
+++ b/rules/Sigma/process_creationn_apt_chafer_mar18.yml
@@ -0,0 +1,60 @@
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*-q=TXT*'
+ SELECTION_11:
+ ParentImage: '*\Autoit*'
+ SELECTION_2:
+ CommandLine: '*\Service.exe*'
+ SELECTION_3:
+ CommandLine: '*i'
+ SELECTION_4:
+ CommandLine: '*u'
+ SELECTION_5:
+ CommandLine: '*\microsoft\Taskbar\autoit3.exe'
+ SELECTION_6:
+ CommandLine: C:\wsc.exe*
+ SELECTION_7:
+ Image: '*\Windows\Temp\DB\\*'
+ SELECTION_8:
+ Image: '*.exe'
+ SELECTION_9:
+ CommandLine: '*\nslookup.exe*'
+ condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4)) or
+ (SELECTION_5 or SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
+ and SELECTION_10 and SELECTION_11)))
+falsepositives:
+- Unknown
+id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+yml_filename: process_creationn_apt_chafer_mar18.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_mailboxexport_share.yml b/rules/Sigma/process_mailboxexport_share.yml
new file mode 100644
index 00000000..cf36e8cd
--- /dev/null
+++ b/rules/Sigma/process_mailboxexport_share.yml
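Review bot: The file is named `process_creationn_apt_chafer_mar18.yml` (doubled `n`) and `yml_filename` repeats the typo; every other process-creation rule in the batch uses the `process_creation_` prefix, so anything that globs on that prefix will skip this rule. Rename it to `process_creation_apt_chafer_mar18.yml` and set `yml_filename: process_creation_apt_chafer_mar18.yml`. SELECTION_3 `'*i'` and SELECTION_4 `'*u'` are one-character endswith patterns that are only constrained by SELECTION_2 `'*\Service.exe*'`; a comment stating which Service.exe argument the `i`/`u` suffixes stand for (per the Nyotron reference) would save the next reader from guessing whether they are deliberately that broad.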
@@ -0,0 +1,38 @@
+title: Suspicious PowerShell Mailbox Export to Share
+author: Florian Roth
+date: 2021/08/07
+description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
+ to a local share, as used in ProxyShell exploitations
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*New-MailboxExport*'
+ SELECTION_3:
+ CommandLine: '* -Mailbox *'
+ SELECTION_4:
+ CommandLine: '* -FilePath \\127.0.0.1\C$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://youtu.be/5mqid-7zp8k?t=2481
+- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+status: experimental
+tags:
+- attack.persistence
+- attack.t1505.003
+- attack.resource_development
+- attack.t1584.006
+yml_filename: process_mailboxexport_share.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/process_susp_esentutl_params.yml b/rules/Sigma/process_susp_esentutl_params.yml
new file mode 100644
index 00000000..953d3e71
--- /dev/null
+++ b/rules/Sigma/process_susp_esentutl_params.yml
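Review bot: SELECTION_4 `'* -FilePath \\127.0.0.1\C$*'` depends on how the backend reads the doubled backslash: under Sigma escaping a `\\` that is not followed by a wildcard may be taken as a single literal backslash, in which case the pattern becomes ` -FilePath \127.0.0.1\C$` and never matches the UNC form the description refers to. Worth confirming against the backend's escape handling, and if it does collapse `\\`, writing the prefix as two escaped backslashes (`'* -FilePath \\\\127.0.0.1\C$*'`). A one-line comment above the selection recording which interpretation was verified would stop the next converter run from silently flipping it.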
@@ -0,0 +1,38 @@
+title: Esentutl Gather Credentials
+author: sam0x90
+date: 2021/08/06
+description: Conti recommendation to its affiliates to use esentult to access NTDS
+ dumped file. Trickbot also uses this utilities to get MSEdge info via its module
+ pwgrab.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*esentutl*'
+ SELECTION_3:
+ CommandLine: '* /p*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- To be determined
+fields:
+- User
+- CommandLine
+- ParentCommandLine
+- CurrentDirectory
+id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/vxunderground/status/1423336151860002816
+- https://attack.mitre.org/software/S0404/
+- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.003
+yml_filename: process_susp_esentutl_params.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/Sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
new file mode 100644
index 00000000..e12e7430
--- /dev/null
+++ b/rules/Sigma/registry_event_abusing_windows_telemetry_for_persistence.yml
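Review bot: The description spells the binary `esentult` and says `this utilities`, while the selection itself is `*esentutl*`; suggest `description: Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its pwgrab module.` SELECTION_3 `'* /p*'` also matches any later argument that merely starts with `/p`, so the `falsepositives: To be determined` entry is likely to be filled in quickly once the rule runs; a note of what legitimate esentutl invocations look like would help triage.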
@@ -0,0 +1,71 @@
+title: Abusing Windows Telemetry For Persistence
+author: Sreeman
+date: 2020/09/29
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run
+ a variety of commands and perform the actual telemetry collections. This binary
+ was created to be easily extensible, and to that end, it relies on the registry
+ to instruct on which commands to run. The problem is, it will run any arbitrary
+ command without restriction of location or type.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_10:
+ Details: '*.cmd'
+ SELECTION_11:
+ Details: '*.js'
+ SELECTION_12:
+ Details: '*.ps'
+ SELECTION_13:
+ Details: '*.vb'
+ SELECTION_14:
+ Details: '*.jar'
+ SELECTION_15:
+ Details: '*.hta'
+ SELECTION_16:
+ Details: '*.msi'
+ SELECTION_17:
+ Details: '*.vbs'
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\\*'
+ SELECTION_5:
+ Details: '*.sh'
+ SELECTION_6:
+ Details: '*.exe'
+ SELECTION_7:
+ Details: '*.dll'
+ SELECTION_8:
+ Details: '*.bin'
+ SELECTION_9:
+ Details: '*.bat'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17))
+falsepositives:
+- none
+fields:
+- EventID
+- CommandLine
+- TargetObject
+- Details
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/24
+references:
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.persistence
+- attack.t1112
+- attack.t1053
+yml_filename: registry_event_abusing_windows_telemetry_for_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_apt_chafer_mar18.yml b/rules/Sigma/registry_event_apt_chafer_mar18.yml
new file mode 100644
index 00000000..dc9fc1a8
--- /dev/null
+++ b/rules/Sigma/registry_event_apt_chafer_mar18.yml
@@ -0,0 +1,46 @@
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+ SELECTION_5:
+ TargetObject: '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Unknown
+id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+yml_filename: registry_event_apt_chafer_mar18.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_apt_pandemic.yml b/rules/Sigma/registry_event_apt_pandemic.yml
new file mode 100644
index 00000000..c47925a6
--- /dev/null
+++ b/rules/Sigma/registry_event_apt_pandemic.yml
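Review bot: In the telemetry-persistence hunk, SELECTION_12 `Details: '*.ps'` only matches values ending in exactly `.ps`, so a PowerShell script path ending in `.ps1` is not covered (SELECTION_13 `'*.vb'` likewise misses `.vbe`, while `.vbs` has its own entry); if script files are the intent, add `Details: '*.ps1'` as a further selection and reference it in the condition. `falsepositives: - none` is a strong claim for a key that, as the description itself says, Windows relies on to decide which commands to run, so `Unknown` or a description of the legitimate values seen there would be more accurate. This hunk starts on the previous line (its `yml_path` value is split across the two lines).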
@@ -0,0 +1,39 @@
+title: Pandemic Registry Key
+author: Florian Roth
+date: 2017/06/01
+description: Detects Pandemic Windows Implant
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\SYSTEM\CurrentControlSet\services\null\Instance*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/12
+references:
+- https://wikileaks.org/vault7/#Pandemic
+- https://twitter.com/MalwareJake/status/870349480356454401
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+yml_filename: registry_event_apt_pandemic.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/Sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
new file mode 100644
index 00000000..af6ee755
--- /dev/null
+++ b/rules/Sigma/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -0,0 +1,39 @@
+title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+author: Sittikorn S
+date: 2021/07/16
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979
+ CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32*'
+ SELECTION_5:
+ TargetObject: '*\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+ and IMJPUEXP.DLL)
+falsepositives:
+- Unlikely
+id: 32b5db62-cb5f-4266-9639-0fa48376ac00
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/09
+references:
+- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1566
+- attack.t1203
+- cve.2021.33771
+- cve.2021.31979
+yml_filename: registry_event_cve_2021_31979_cve_2021_33771_exploits.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_defender_disabled.yml b/rules/Sigma/registry_event_defender_disabled.yml
new file mode 100644
index 00000000..15ec1e9d
--- /dev/null
+++ b/rules/Sigma/registry_event_defender_disabled.yml
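Review bot: The condition ends with `and IMJPUEXP.DLL)`, but `IMJPUEXP.DLL` is not a defined selection (only SELECTION_1 to SELECTION_5 exist), so the rule will either fail to load or never match, depending on how the engine treats an unknown identifier in a condition. The token presumably came from a value match in the source rule that the converter did not turn into a selection; it needs its own block, e.g. `SELECTION_6:` / `Details: '*IMJPUEXP.DLL*'` and `... and SELECTION_6)` in the condition, with the field name confirmed against the original rule before it is committed. Since `level: critical` rests on this rule, it is worth a load test against the engine after the fix.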
@@ -0,0 +1,50 @@
+title: Windows Defender Threat Detection Disabled
+author: "J\xE1n Tren\u010Dansk\xFD, frack113, AlertIQ"
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_10:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ Details: DWORD (0x00000001)
+ SELECTION_5:
+ EventType: SetValue
+ SELECTION_6:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
+ SELECTION_7:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
+ SELECTION_8:
+ TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
+ SELECTION_9:
+ TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and ((SELECTION_5
+ and (SELECTION_6 or SELECTION_7)) or (SELECTION_8 or SELECTION_9 or SELECTION_10)))
+falsepositives:
+- Administrator actions
+id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/10/18
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+related:
+- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: registry_event_defender_disabled.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_defender_exclusions.yml b/rules/Sigma/registry_event_defender_exclusions.yml
new file mode 100644
index 00000000..6024d048
--- /dev/null
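Review bot: SELECTION_8, SELECTION_9 and SELECTION_10 are bare key paths with no wildcard (`HKLM\SYSTEM\CurrentControlSet\Services\WinDefend`, `HKLM\SOFTWARE\Microsoft\Windows Defender`, `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender`), yet the condition ANDs them with SELECTION_4 `Details: DWORD (0x00000001)`, which is only populated on value-set events whose `TargetObject` carries the value name after the key; if the backend treats a wildcard-free string as an exact match, that branch can never be true and the rule reduces to the DisableAntiSpyware/DisableAntiVirus branch. Either turn them into prefix patterns, e.g. `TargetObject: 'HKLM\SOFTWARE\Microsoft\Windows Defender\*'`, or drop them and document that only the two policy values are covered, whichever the upstream rule intended.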
+++ b/rules/Sigma/registry_event_defender_exclusions.yml
@@ -0,0 +1,37 @@
+title: Windows Defender Exclusions Added
+author: Christian Burkard
+date: 2021/07/06
+description: Detects the Setting of Windows Defender Exclusions
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: SetValue
+ SELECTION_5:
+ TargetObject: '*\Microsoft\Windows Defender\Exclusions*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Administrator actions
+id: a982fc9c-6333-4ffb-a51d-addb04e8b529
+level: medium
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://twitter.com/_nullbind/status/1204923340810543109
+related:
+- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: derived
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: registry_event_defender_exclusions.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_defender_realtime_protection_disabled.yml b/rules/Sigma/registry_event_defender_realtime_protection_disabled.yml
new file mode 100644
index 00000000..a8dc12e1
--- /dev/null
+++ b/rules/Sigma/registry_event_defender_realtime_protection_disabled.yml
@@ -0,0 +1,59 @@
+title: Windows Defender Real-Time Protection Disabled
+author: AlertIQ
+date: 2021/10/18
+description: Detects disabling Windows Defender Real-Time Protection by modifying
+ registry
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_10:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
+ SELECTION_11:
+ Details: DWORD (0x00000001)
+ SELECTION_12:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
+ SELECTION_13:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
+ SELECTION_14:
+ Details: DWORD (0x00000000)
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: SetValue
+ SELECTION_5:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
+ Protection\DisableBehaviorMonitoring
+ SELECTION_6:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
+ Protection\DisableIOAVProtection
+ SELECTION_7:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
+ Protection\DisableOnAccessProtection
+ SELECTION_8:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
+ Protection\DisableRealtimeMonitoring
+ SELECTION_9:
+ TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time
+ Protection\DisableScanOnRealtimeEnable
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (((SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
+ and SELECTION_11) or ((SELECTION_12 or SELECTION_13) and SELECTION_14)))
+falsepositives:
+- Administrator actions
+id: fd115e64-97c7-491f-951c-fc8da7e042fa
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: registry_event_defender_realtime_protection_disabled.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_dns_serverlevelplugindll.yml b/rules/Sigma/registry_event_dns_serverlevelplugindll.yml
new file mode 100644
index 00000000..dce5fccf
--- /dev/null
+++ b/rules/Sigma/registry_event_dns_serverlevelplugindll.yml
@@ -0,0 +1,42 @@
+title: DNS ServerLevelPluginDll Install
+author: Florian Roth
+date: 2017/05/08
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter
+ in Registry, which can be used to execute code in context of the DNS server (restart
+ required)
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+fields:
+- EventID
+- CommandLine
+- ParentCommandLine
+- Image
+- User
+- TargetObject
+id: e61e8a88-59a9-451c-874e-70fcc9740d67
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/12
+references:
+- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1112
+yml_filename: registry_event_dns_serverlevelplugindll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_mal_adwind.yml b/rules/Sigma/registry_event_mal_adwind.yml
new file mode 100644
index 00000000..a09ac413
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_adwind.yml
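Review bot: The `fields` list in registry_event_dns_serverlevelplugindll.yml names `CommandLine` and `ParentCommandLine`, which are process-creation attributes, while the logsource is `registry_event` (Sysmon EventID 12/13/14) whose events carry `Image`, `User`, `TargetObject` and `Details`, as the other registry rules on this page list. Those two entries will be empty in every alert this rule produces, so an analyst loses the one piece of context that matters here: the DLL path being written. Replace them with `- Details` so the ServerLevelPluginDll value is surfaced in the alert.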
@@ -0,0 +1,37 @@
+title: Adwind RAT / JRAT
+author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+date: 2017/11/10
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+ SELECTION_5:
+ Details: '%AppData%\Roaming\Oracle\bin\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/19
+references:
+- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+related:
+- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1064
+yml_filename: registry_event_mal_adwind.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_mal_azorult.yml b/rules/Sigma/registry_event_mal_azorult.yml
new file mode 100644
index 00000000..7e90f151
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_azorult.yml
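Review bot: This rule is the only one in the set with no `falsepositives` entry; every sibling declares one even when it is just `unknown`, and tooling that expects the key will treat this file differently from the rest. Add `falsepositives:` / `- Unknown` after the condition. The `description` also says "Detects javaw.exe in AppData folder", but SELECTION_4/5 actually match a Run-key value whose data starts with the literal, unexpanded `%AppData%\Roaming\Oracle\bin\` string; saying so in the description would spare the next maintainer from "fixing" the apparent `%AppData%\Roaming` redundancy.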
@@ -0,0 +1,41 @@
+title: Registry Entries For Azorult Malware
+author: Trent Liffick
+date: 2020/05/08
+description: Detects the presence of a registry key created during Azorult execution
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventID: 12
+ SELECTION_5:
+ EventID: 13
+ SELECTION_6:
+ TargetObject: '*SYSTEM\\*'
+ SELECTION_7:
+ TargetObject: '*\services\localNETService'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- unknown
+fields:
+- Image
+- TargetObject
+- TargetDetails
+id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+yml_filename: registry_event_mal_azorult.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/registry_event_mal_blue_mockingbird.yml b/rules/Sigma/registry_event_mal_blue_mockingbird.yml
new file mode 100644
index 00000000..5ac84705
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_blue_mockingbird.yml
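Review bot: SELECTION_4 and SELECTION_5 repeat SELECTION_1 and SELECTION_2 (EventID 12 and 13), and because the condition ANDs both groups, the EventID 14 listed in SELECTION_3 can never satisfy `(SELECTION_4 or SELECTION_5)`; the rule effectively matches 12 or 13 only, which a reader cannot tell without tracing the condition. Collapse it to one group so the intent is explicit, e.g. `condition: ((SELECTION_1 or SELECTION_2) and SELECTION_6 and SELECTION_7)` with SELECTION_3/4/5 removed, or keep 14 in the single group if key renames should count. `fields` also lists `TargetDetails`, which is not a Sysmon registry-event attribute; the rest of this page uses `Details`.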
@@ -0,0 +1,35 @@
+title: Blue Mockingbird
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+description: Attempts to detect system changes made by Blue Mockingbird
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+id: 92b0b372-a939-44ed-a11b-5136cf680e27
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/11
+references:
+- https://redcanary.com/blog/blue-mockingbird-cryptominer/
+related:
+- id: c3198a27-23a0-4c2c-af19-e5328d49680e
+ type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+- attack.t1047
+yml_filename: registry_event_mal_blue_mockingbird.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/registry_event_mal_flowcloud.yml b/rules/Sigma/registry_event_mal_flowcloud.yml
new file mode 100644
index 00000000..2efc74a7
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_flowcloud.yml
@@ -0,0 +1,38 @@
+title: FlowCloud Malware
+author: NVISO
+date: 2020/06/09
+description: Detects FlowCloud malware from threat group TA410.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+ SELECTION_5:
+ TargetObject: HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+ SELECTION_6:
+ TargetObject: HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+ SELECTION_7:
+ TargetObject: HKLM\SYSTEM\Setup\PrintResponsor\\*
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5
+ or SELECTION_6) or (SELECTION_7)))
+falsepositives:
+- Unknown
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/07/22
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+status: experimental
+tags:
+- attack.persistence
+- attack.t1112
+yml_filename: registry_event_mal_flowcloud.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/registry_event_mal_netwire.yml b/rules/Sigma/registry_event_mal_netwire.yml
new file mode 100644
index 00000000..cc1b1bd4
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_netwire.yml
@@ -0,0 +1,39 @@
+title: NetWire RAT Registry Key
+Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity
+ "Because Sysmon runs as a service, it has no filtering ability for, or concept
+ of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this
+ limitation" Therefore I set netwire
+ in my configuration.
+author: Christopher Peacock
+date: 2021/10/07
+description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\software\NetWire*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- No known false positives
+id: 1d218616-71b0-4c40-855b-9dbe75510f7f
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
+- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
+- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
+- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
+- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+yml_filename: registry_event_mal_netwire.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/registry_event_mal_ursnif.yml b/rules/Sigma/registry_event_mal_ursnif.yml
new file mode 100644
index 00000000..85992436
--- /dev/null
+++ b/rules/Sigma/registry_event_mal_ursnif.yml
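Review bot: `Note:` is not a Sigma rule attribute, and its text looks like it lost markup in conversion ("Therefore I set netwire in my configuration" names no Sysmon filter field or condition), so the guidance about the Sysmon config is not actionable as written. Either fold it into `description` or a `# ` comment and state the config change in words (a TargetObject filter with a contains condition on `netwire`, per the quoted advice), or drop it. It is worth keeping one sentence, since the quoted text is exactly why SELECTION_4 uses the leading wildcard `*\software\NetWire*` instead of the `HKCU\Software\NetWire` path the description cites.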
@@ -0,0 +1,39 @@
+title: Ursnif
+author: megan201296
+date: 2019/02/13
+description: Detects new registry key created by Ursnif malware.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*'
+ SELECTION_5:
+ TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\\*'
+ SELECTION_6:
+ TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\RepService\\*'
+ SELECTION_7:
+ TargetObject: '*\SOFTWARE\AppDataLow\Software\Microsoft\IME\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
+ ((SELECTION_5 or SELECTION_6 or SELECTION_7)))
+falsepositives:
+- Unknown
+id: 21f17060-b282-4249-ade0-589ea3591558
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/10/28
+references:
+- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+status: experimental
+tags:
+- attack.execution
+- attack.t1112
+yml_filename: registry_event_mal_ursnif.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
+
diff --git a/rules/Sigma/registry_event_mstsc_history_cleared.yml b/rules/Sigma/registry_event_mstsc_history_cleared.yml
new file mode 100644
index 00000000..931cc857
--- /dev/null
+++ b/rules/Sigma/registry_event_mstsc_history_cleared.yml
@@ -0,0 +1,40 @@
+title: Terminal Server Client Connection History Cleared
+author: Christian Burkard
+date: 2021/10/19
+description: Detects the deletion of registry keys containing the MSTSC connection
+ history
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: DeleteValue
+ SELECTION_5:
+ TargetObject: '*\Microsoft\Terminal Server Client\Default\MRU*'
+ SELECTION_6:
+ EventType: DeleteKey
+ SELECTION_7:
+ TargetObject: '*\Microsoft\Terminal Server Client\Servers\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+- http://woshub.com/how-to-clear-rdp-connections-history/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1112
+yml_filename: registry_event_mstsc_history_cleared.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_net_ntlm_downgrade.yml b/rules/Sigma/registry_event_net_ntlm_downgrade.yml
new file mode 100644
index 00000000..df4116b9
--- /dev/null
+++ b/rules/Sigma/registry_event_net_ntlm_downgrade.yml
@@ -0,0 +1,43 @@
+title: NetNTLM Downgrade Attack
+author: Florian Roth, wagga
+date: 2018/03/20
+description: Detects NetNTLM downgrade attack
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*SYSTEM\\*'
+ SELECTION_5:
+ TargetObject: '*ControlSet*'
+ SELECTION_6:
+ TargetObject: '*\Control\Lsa*'
+ SELECTION_7:
+ TargetObject: '*\lmcompatibilitylevel'
+ SELECTION_8:
+ TargetObject: '*\NtlmMinClientSec'
+ SELECTION_9:
+ TargetObject: '*\RestrictSendingNTLMTraffic'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and (SELECTION_7 or SELECTION_8 or SELECTION_9))
+falsepositives:
+- Unknown
+id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/21
+references:
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+- attack.t1112
+yml_filename: registry_event_net_ntlm_downgrade.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_stickykey_like_backdoor.yml b/rules/Sigma/registry_event_stickykey_like_backdoor.yml
new file mode 100644
index 00000000..9a9a1605
--- /dev/null
+++ b/rules/Sigma/registry_event_stickykey_like_backdoor.yml
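Review bot: Any write to `*\lmcompatibilitylevel`, `*\NtlmMinClientSec` or `*\RestrictSendingNTLMTraffic` fires at level critical because `Details` is never examined, so a hardening change (for example a GPO raising LmCompatibilityLevel, which sets the same value) produces the same alert as a downgrade, yet `falsepositives` says `Unknown`. Either add a Details selection for the weakening values described in the reference and AND it into the condition, or at minimum document the predictable noise: `- Hardening via GPO or baseline tooling writes the same values`. The rule also lacks the `status` key every other rule on this page carries.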
@@ -0,0 +1,53 @@
+title: Sticky Key Like Backdoor Usage
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
+date: 2018/03/15
+description: Detects the usage and installation of a backdoor that uses an option
+ to register a malicious debugger for built-in tools that are accessible in the
+ login screen
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\sethc.exe\Debugger'
+ SELECTION_5:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\utilman.exe\Debugger'
+ SELECTION_6:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\osk.exe\Debugger'
+ SELECTION_7:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\Magnify.exe\Debugger'
+ SELECTION_8:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\Narrator.exe\Debugger'
+ SELECTION_9:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\DisplaySwitch.exe\Debugger'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
+falsepositives:
+- Unlikely
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/12
+references:
+- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1015
+- attack.t1546.008
+- car.2014-11-003
+- car.2014-11-008
+yml_filename: registry_event_stickykey_like_backdoor.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_sysinternals_eula_accepted.yml b/rules/Sigma/registry_event_sysinternals_eula_accepted.yml
new file mode 100644
index 00000000..566637c5
--- /dev/null
+++ b/rules/Sigma/registry_event_sysinternals_eula_accepted.yml
@@ -0,0 +1,33 @@
+title: Usage of Sysinternals Tools
+author: Markus Neis
+date: 2017/08/28
+description: Detects the usage of Sysinternals Tools due to accepteula key being added
+ to Registry
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\EulaAccepted'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate use of SysInternals tools
+- Programs that use the same Registry Key
+id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+level: low
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/12
+references:
+- https://twitter.com/Moti_B/status/1008587936735035392
+status: experimental
+tags:
+- attack.resource_development
+- attack.t1588.002
+yml_filename: registry_event_sysinternals_eula_accepted.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_uac_bypass_eventvwr.yml b/rules/Sigma/registry_event_uac_bypass_eventvwr.yml
new file mode 100644
index 00000000..f8601d33
--- /dev/null
+++ b/rules/Sigma/registry_event_uac_bypass_eventvwr.yml
@@ -0,0 +1,37 @@
+title: UAC Bypass via Event Viewer
+author: Florian Roth
+date: 2017/03/19
+description: Detects UAC bypass method using Windows event viewer
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKCU\\*
+ SELECTION_5:
+ TargetObject: '*\mscfile\shell\open\command'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- unknown
+id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/12
+references:
+- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
+- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1088
+- attack.t1548.002
+- car.2019-04-001
+yml_filename: registry_event_uac_bypass_eventvwr.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_uac_bypass_winsat.yml b/rules/Sigma/registry_event_uac_bypass_winsat.yml
new file mode 100644
index 00000000..41e7811b
--- /dev/null
+++ b/rules/Sigma/registry_event_uac_bypass_winsat.yml
@@ -0,0 +1,39 @@
+title: UAC Bypass Abusing Winsat Path Parsing - Registry
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
+ (UACMe 52)
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\Root\InventoryApplicationFile\winsat.exe|*'
+ SELECTION_5:
+ TargetObject: '*\LowerCaseLongPath'
+ SELECTION_6:
+ Details: c:\users\\*
+ SELECTION_7:
+ Details: '*\appdata\local\temp\system32\winsat.exe'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: registry_event_uac_bypass_winsat.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/registry_event_uac_bypass_wmp.yml b/rules/Sigma/registry_event_uac_bypass_wmp.yml
new file mode 100644
index 00000000..e02b9190
--- /dev/null
+++ b/rules/Sigma/registry_event_uac_bypass_wmp.yml
@@ -0,0 +1,35 @@
+title: UAC Bypass Using Windows Media Player - Registry
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
+ (UACMe 32)
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility
+ Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
+ SELECTION_5:
+ Details: Binary Data
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: registry_event_uac_bypass_wmp.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/silenttrinity_stager_msbuild_activity.yml b/rules/Sigma/silenttrinity_stager_msbuild_activity.yml
new file mode 100644
index 00000000..4d9187d0
--- /dev/null
+++ b/rules/Sigma/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,32 @@
+title: Silenttrinity Stager Msbuild Activity
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+description: Detects a possible remote connections to Silenttrinity c2
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\msbuild.exe'
+ SELECTION_3:
+ DestinationPort: '80'
+ SELECTION_4:
+ DestinationPort: '443'
+ SELECTION_5:
+ Initiated: 'true'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- unknown
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+level: high
+logsource:
+ category: network_connection
+ product: windows
+references:
+- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+status: experimental
+tags:
+- attack.execution
+- attack.t1127.001
+yml_filename: silenttrinity_stager_msbuild_activity.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_abusing_azure_browser_sso.yml b/rules/Sigma/sysmon_abusing_azure_browser_sso.yml
new file mode 100644
index 00000000..831dcd32
--- /dev/null
+++ b/rules/Sigma/sysmon_abusing_azure_browser_sso.yml
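Review bot: `DestinationPort: '80'` / `'443'` and `Initiated: 'true'` are quoted, so they are string values; if the matcher compares typed fields and the event source delivers DestinationPort as an integer, this rule silently never matches, and the quoting looks like a conversion artefact rather than a choice. Confirm the engine's type handling, and if integers are expected write `DestinationPort: 80` and `DestinationPort: 443`. Separately, what the selection actually detects is "msbuild.exe made an outbound connection to 80 or 443", which build hosts and developer workstations do routinely, so `falsepositives: unknown` undersells the noise at level high; `- Build servers and developer machines restoring packages` would set expectations.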
@@ -0,0 +1,42 @@
+title: Abusing Azure Browser SSO
+author: Den Iuzvyk
+date: 2020/07/15
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens
+ for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure
+ AD and a user logs in with their Azure AD account) wanting to perform SSO authentication
+ in the browser. An attacker can use this to authenticate to Azure AD in a browser
+ as that user.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ ImageLoaded: '*MicrosoftAccountTokenProvider.dll'
+ SELECTION_3:
+ Image: '*BackgroundTaskHost.exe'
+ SELECTION_4:
+ Image: '*devenv.exe'
+ SELECTION_5:
+ Image: '*iexplore.exe'
+ SELECTION_6:
+ Image: '*MicrosoftEdge.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
+ or SELECTION_5 or SELECTION_6)))
+falsepositives:
+- unknown
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/12/23
+references:
+- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1073
+- attack.t1574.002
+yml_filename: sysmon_abusing_azure_browser_sso.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_abusing_debug_privilege.yml b/rules/Sigma/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 00000000..80ebcf10
--- /dev/null
+++ b/rules/Sigma/sysmon_abusing_debug_privilege.yml
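Review bot: The exclusions in SELECTION_3 to SELECTION_6 are anchored on a bare suffix (`*BackgroundTaskHost.exe`, `*devenv.exe`, `*iexplore.exe`, `*MicrosoftEdge.exe`) rather than on a path separator, so any image whose name merely ends in one of those strings, from any directory, is exempt from the rule; a filter that is meant to whitelist specific system binaries should not be that permissive. Anchoring with `Image: '*\iexplore.exe'` (and the same for the other three) matches how the rest of this page writes image patterns and limits the exemption to the executable names; restricting to their install paths would tighten it further where the environment allows. The positive match `ImageLoaded: '*MicrosoftAccountTokenProvider.dll'` has the same shape and is fine to leave broad, since over-matching there only adds alerts.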
@@ -0,0 +1,60 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+author: Semanur Guneysu @semanurtg, oscd.community
+date: 2020/10/28
+description: Detection of unusual child processes by different system processes
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ Image: '*\powershell.exe'
+ SELECTION_11:
+ Image: '*\cmd.exe'
+ SELECTION_12:
+ User: NT AUTHORITY\SYSTEM*
+ SELECTION_13:
+ User: AUTORITE NT\Sys*
+ SELECTION_14:
+ CommandLine: '* route *'
+ SELECTION_15:
+ CommandLine: '* ADD *'
+ SELECTION_2:
+ ParentImage: '*\winlogon.exe'
+ SELECTION_3:
+ ParentImage: '*\services.exe'
+ SELECTION_4:
+ ParentImage: '*\lsass.exe'
+ SELECTION_5:
+ ParentImage: '*\csrss.exe'
+ SELECTION_6:
+ ParentImage: '*\smss.exe'
+ SELECTION_7:
+ ParentImage: '*\wininit.exe'
+ SELECTION_8:
+ ParentImage: '*\spoolsv.exe'
+ SELECTION_9:
+ ParentImage: '*\searchindexer.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10
+ or SELECTION_11) and (SELECTION_12 or SELECTION_13)) and not (SELECTION_14
+ and SELECTION_15))
+falsepositives:
+- unknown
+fields:
+- ParentImage
+- Image
+- User
+- CommandLine
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548
+yml_filename: sysmon_abusing_debug_privilege.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/Sigma/sysmon_accesschk_usage_after_priv_escalation.yml
new file mode 100644
index 00000000..d9ca2554
--- /dev/null
+++ b/rules/Sigma/sysmon_accesschk_usage_after_priv_escalation.yml
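Review bot: SELECTION_12 and SELECTION_13 identify SYSTEM by two localized display names (`NT AUTHORITY\SYSTEM*`, `AUTORITE NT\Sys*`), so on a host with any other system locale `(SELECTION_12 or SELECTION_13)` is never true and the rule is silent there, with nothing in the file saying so. Sysmon process-creation events carry `IntegrityLevel` (the next rule on this page keys on it), so `IntegrityLevel: System` is a locale-independent replacement for the two User patterns; if the User field must stay, state the locale limitation in `description`. The description should also say what "unusual" means here: cmd.exe or powershell.exe spawned by winlogon, services, lsass, csrss, smss, wininit, spoolsv or searchindexer, with `route ADD` command lines excluded.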
@@ -0,0 +1,37 @@
+title: Accesschk Usage After Privilege Escalation
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+description: Accesschk is an access and privilege audit tool developed by SysInternal
+ and often being used by attacker to verify if a privilege escalation process successful
+ or not
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ IntegrityLevel: Medium
+ SELECTION_3:
+ Product: '*AccessChk'
+ SELECTION_4:
+ Description: '*Reports effective permissions*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- System administrator Usage
+- Penetration test
+fields:
+- IntegrityLevel
+- Product
+- Description
+id: c625d754-6a3d-4f65-9c9a-536aea960d37
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+status: experimental
+tags:
+- attack.discovery
+- attack.t1069.001
+yml_filename: sysmon_accesschk_usage_after_priv_escalation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/Sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
new file mode 100644
index 00000000..4d8d7f47
--- /dev/null
+++ b/rules/Sigma/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
@@ -0,0 +1,31 @@
+title: Accessing WinAPI in PowerShell for Credentials Dumping
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects Accessing to lsass.exe by Powershell
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ EventID: 10
+ SELECTION_3:
+ SourceImage: '*\powershell.exe'
+ SELECTION_4:
+ TargetImage: '*\lsass.exe'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 3f07b9d1-2082-4c56-9277-613a621983cc
+level: high
+logsource:
+ product: windows
+ service: sysmon
+modified: 2021/05/24
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+yml_filename: sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
+
diff --git a/rules/Sigma/sysmon_ads_executable.yml b/rules/Sigma/sysmon_ads_executable.yml
new file mode 100644
index 00000000..8a7f594b
--- /dev/null
+++ b/rules/Sigma/sysmon_ads_executable.yml
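Review bot: SELECTION_3 matches only `*\powershell.exe`, so the same lsass.exe access from PowerShell 7 (`pwsh.exe`) or from powershell_ise.exe is not reported, even though the title claims to cover PowerShell generally. Add `SELECTION_5: SourceImage: '*\pwsh.exe'` and `SELECTION_6: SourceImage: '*\powershell_ise.exe'` and change the condition to `(SELECTION_3 or SELECTION_5 or SELECTION_6)`, or narrow the title. This rule is also the only one on the page that keys its logsource on `service: sysmon` rather than a category, which matters if the pipeline maps categories to channels; `description` should at least name the two Sysmon events (8 CreateRemoteThread, 10 ProcessAccess) it relies on.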
@@ -0,0 +1,36 @@
+title: Executable in ADS
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+ (non-empty imphash)
+detection:
+ SELECTION_1:
+ EventID: 15
+ SELECTION_2:
+ Imphash: '00000000000000000000000000000000'
+ SELECTION_3:
+ Imphash|re: ^$
+ condition: (SELECTION_1 and not ((SELECTION_2) or (SELECTION_3)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+ category: create_stream_hash
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
+ product: windows
+modified: 2020/08/26
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004
+yml_filename: sysmon_ads_executable.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_stream_hash
+
diff --git a/rules/Sigma/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/Sigma/sysmon_alternate_powershell_hosts_moduleload.yml
new file mode 100644
index 00000000..8082143e
--- /dev/null
+++ b/rules/Sigma/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -0,0 +1,32 @@
+title: Alternate PowerShell Hosts
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Description: System.Management.Automation
+ SELECTION_3:
+ ImageLoaded: '*System.Management.Automation*'
+ SELECTION_4:
+ Image: '*\powershell.exe'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Unknown
+id: fe6e002f-f244-4278-9263-20e4b593827f
+level: medium
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/05/12
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_alternate_powershell_hosts_moduleload.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_alternate_powershell_hosts_pipe.yml b/rules/Sigma/sysmon_alternate_powershell_hosts_pipe.yml
new file mode 100644
index 00000000..879231e4
--- /dev/null
+++ b/rules/Sigma/sysmon_alternate_powershell_hosts_pipe.yml
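Review bot: The exclusion in SELECTION_4 covers only `*\powershell.exe`, whereas the companion pipe rule in the next hunk (sysmon_alternate_powershell_hosts_pipe.yml) also exempts `*\powershell_ise.exe`; as written, every ISE session loads System.Management.Automation and raises a medium alert that the pipe rule deliberately suppresses. Add `SELECTION_5: Image: '*\powershell_ise.exe'` and change the condition tail to `not (SELECTION_4 or SELECTION_5)`, or record in `falsepositives` that ISE is intentionally in scope here. The `(SELECTION_2 and SELECTION_3)` grouping is also redundant inside an AND chain and differs in style from the flat conditions used by the sibling rules.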
@@ -0,0 +1,41 @@
+title: Alternate PowerShell Hosts Pipe
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects alternate PowerShell hosts potentially bypassing detections looking
+ for powershell.exe
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSHost*
+ SELECTION_4:
+ Image: '*\powershell.exe'
+ SELECTION_5:
+ Image: '*\powershell_ise.exe'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and not ((SELECTION_4
+ or SELECTION_5)))
+falsepositives:
+- Programs using PowerShell directly without invocation of a dedicated interpreter.
+fields:
+- ComputerName
+- User
+- Image
+- PipeName
+id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
+level: medium
+logsource:
+ category: pipe_created
+ product: windows
+modified: 2019/11/10
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
+yml_filename: sysmon_alternate_powershell_hosts_pipe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/Sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
new file mode 100644
index 00000000..446239d2
--- /dev/null
+++ b/rules/Sigma/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -0,0 +1,39 @@ +title: Always Install Elevated MSI Spawned Cmd And Powershell +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +description: This rule will looks for Windows Installer service (msiexec.exe) spawned + command line and/or powershell +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\cmd.exe' + SELECTION_3: + Image: '*\powershell.exe' + SELECTION_4: + ParentImage: '*\Windows\Installer\\*' + SELECTION_5: + ParentImage: '*msi*' + SELECTION_6: + ParentImage: '*tmp' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and (SELECTION_6)) +falsepositives: +- Penetration test +fields: +- Image +- ParentImage +id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa +level: medium +logsource: + category: process_creation + product: windows +references: +- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +status: experimental +tags: +- attack.privilege_escalation +- attack.t1548.002 +yml_filename: sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_always_install_elevated_windows_installer.yml b/rules/Sigma/sysmon_always_install_elevated_windows_installer.yml new file mode 100644 index 00000000..7763aedf --- /dev/null +++ b/rules/Sigma/sysmon_always_install_elevated_windows_installer.yml 
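Review bot: `description` reads `This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell`, which is ungrammatical and does not say what the condition actually requires; `description: Detects cmd.exe or powershell.exe spawned by a Windows Installer temporary binary (ParentImage under \Windows\Installer\ matching *msi*tmp)` states it. The same sentence opening recurs in the next hunk. `SELECTION_2`/`SELECTION_3` cover only `cmd.exe` and `powershell.exe`; where PowerShell 7 is deployed, `pwsh.exe` spawned the same way is not caught, which is worth either a third selection or a note in `falsepositives`.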
@@ -0,0 +1,46 @@ +title: Always Install Elevated Windows Installer +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +description: This rule will looks for Windows Installer service (msiexec.exe) when + it tries to install MSI packages with SYSTEM privilege +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + User: NT AUTHORITY\SYSTEM* + SELECTION_3: + User: AUTORITE NT\Sys* + SELECTION_4: + Image: '*\Windows\Installer\\*' + SELECTION_5: + Image: '*msi*' + SELECTION_6: + Image: '*tmp' + SELECTION_7: + Image: '*\msiexec.exe' + SELECTION_8: + IntegrityLevel: System + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and ((SELECTION_4 and + SELECTION_5 and (SELECTION_6)) or ((SELECTION_7) and SELECTION_8))) +falsepositives: +- System administrator Usage +- Penetration test +fields: +- IntegrityLevel +- User +- Image +id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 +level: medium +logsource: + category: process_creation + product: windows +modified: 2021/08/26 +references: +- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg +status: experimental +tags: +- attack.privilege_escalation +- attack.t1548.002 +yml_filename: sysmon_always_install_elevated_windows_installer.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_apt_leviathan.yml b/rules/Sigma/sysmon_apt_leviathan.yml new file mode 100644 index 00000000..2b7dcc7d --- /dev/null +++ b/rules/Sigma/sysmon_apt_leviathan.yml 
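Review bot: `SELECTION_2`/`SELECTION_3` identify the SYSTEM account by its English and French display names only (`NT AUTHORITY\SYSTEM*`, `AUTORITE NT\Sys*`); on a host with any other UI language the `(SELECTION_2 or SELECTION_3)` clause never holds, so the `\Windows\Installer\...tmp` branch is silently locale-dependent. `IntegrityLevel: System`, which the rule already uses in `SELECTION_8` for the msiexec branch, is locale-independent and could replace or supplement the user-name match for the first branch as well. Whether the consuming engine normalizes `User` before matching I cannot tell from the hunk.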
@@ -0,0 +1,30 @@
+title: Leviathan Registry Key Activity
+author: Aidan Bracher
+date: 2020/07/07
+description: Detects registry key used by Leviathan APT in Malaysian focused campaign
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+id: 70d43542-cd2d-483c-8f30-f16b436fd7db
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/09/13
+references:
+- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
+status: experimental
+tags:
+- attack.persistence
+- attack.t1060
+- attack.t1547.001
+yml_filename: sysmon_apt_leviathan.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_apt_muddywater_dnstunnel.yml b/rules/Sigma/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 00000000..11447140
--- /dev/null
+++ b/rules/Sigma/sysmon_apt_muddywater_dnstunnel.yml
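Review bot: This rule has no `falsepositives` key, the only one in this chunk without it; `falsepositives: - Unknown` keeps it consistent with the others and with what consumers of the field expect. `TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntkd` uses the `HKCU` root, but Sysmon records a per-user key as `HKU\<SID>\...`; unless the consuming engine normalizes that prefix, the selection never matches and this critical-level rule is dead. The same `HKCU` prefix appears in the OceanLotus rule two hunks below (`SELECTION_4`, `SELECTION_5`, `SELECTION_12`).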
@@ -0,0 +1,32 @@
+title: DNS Tunnel Technique from MuddyWater
+author: '@caliskanfurkan_'
+date: 2020/06/04
+description: Detecting DNS tunnel activity for Muddywater actor
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ ParentImage: '*\excel.exe'
+ SELECTION_4:
+ CommandLine: '*DataExchange.dll*'
+ condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3) and (SELECTION_4))
+falsepositives:
+- Unknown
+id: 36222790-0d43-4fe8-86e4-674b27809543
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+yml_filename: sysmon_apt_muddywater_dnstunnel.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_apt_oceanlotus_registry.yml b/rules/Sigma/sysmon_apt_oceanlotus_registry.yml
new file mode 100644
index 00000000..13a3e82a
--- /dev/null
+++ b/rules/Sigma/sysmon_apt_oceanlotus_registry.yml
@@ -0,0 +1,59 @@ +title: OceanLotus Registry Activity +author: megan201296, Jonhnathan Ribeiro +date: 2019/04/14 +description: Detects registry keys created in OceanLotus (also known as APT32) attacks +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + TargetObject: '*Application' + SELECTION_11: + TargetObject: '*DefaultIcon' + SELECTION_12: + TargetObject: HKCU\\* + SELECTION_13: + TargetObject: '*Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*' + SELECTION_14: + TargetObject: '*Classes\AppX3bbba44c6cae4d9695755183472171e2\\*' + SELECTION_15: + TargetObject: '*Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*' + SELECTION_16: + TargetObject: '*Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model*' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model + SELECTION_5: + TargetObject: HKCU\SOFTWARE\App\\* + SELECTION_6: + TargetObject: HKLM\SOFTWARE\App\\* + SELECTION_7: + TargetObject: '*AppXbf13d4ea2945444d8b13e2121cb6b663\\*' + SELECTION_8: + TargetObject: '*AppX70162486c7554f7f80f481985d67586d\\*' + SELECTION_9: + TargetObject: '*AppX37cc7fdccd644b4f85f4b22d5a3f105a\\*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or ((SELECTION_5 + or SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10 + or SELECTION_11))) or ((SELECTION_12) and (SELECTION_13 or SELECTION_14 or + SELECTION_15 or SELECTION_16)))) +falsepositives: +- Unknown +id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4 +level: critical +logsource: + category: registry_event + product: windows +modified: 2021/09/17 +references: +- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ +- https://github.com/eset/malware-ioc/tree/master/oceanlotus +status: experimental +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_apt_oceanlotus_registry.yml +yml_path: 
/Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_apt_sourgrum.yml b/rules/Sigma/sysmon_apt_sourgrum.yml new file mode 100644 index 00000000..47735b3f --- /dev/null +++ b/rules/Sigma/sysmon_apt_sourgrum.yml 
@@ -0,0 +1,51 @@ +title: SOURGUM Actor Behaviours +author: MSTIC, FPT.EagleEye +date: 2021/06/15 +description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*' + SELECTION_11: + CommandLine: '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*' + SELECTION_2: + Image: '*windows\system32\Physmem.sys*' + SELECTION_3: + Image: '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*' + SELECTION_4: + Image: '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*' + SELECTION_5: + Image: '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*' + SELECTION_6: + EventID: 1 + SELECTION_7: + Image: '*windows\system32\filepath2*' + SELECTION_8: + Image: '*windows\system32\ime*' + SELECTION_9: + CommandLine: '*reg add*' + condition: (SELECTION_1 and ((SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5)) + or (SELECTION_6 and (SELECTION_7 or SELECTION_8) and (SELECTION_9) and (SELECTION_10 + or SELECTION_11)))) +falsepositives: +- Unknown +id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd +level: high +logsource: + category: process_creation + product: windows +modified: 2021/07/30 +references: +- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection +- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml +- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ +status: experimental +tags: +- attack.t1546 +- attack.t1546.015 +- attack.persistence +- attack.privilege_escalation +yml_filename: sysmon_apt_sourgrum.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + 
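Review bot: `SELECTION_2` to `SELECTION_5` look for `Physmem.sys` and `WimBootConfigurations.ini` paths in the `Image` field of a process-creation event; a driver or `.ini` file does not start as a process, so if these indicators are files written to disk, as their extensions suggest, a file-creation log source is where they would be seen and this branch is unlikely to ever fire. `SELECTION_7: Image: '*windows\system32\filepath2*'` reads like a placeholder carried over from the referenced Sentinel IOC list rather than a real path and should be checked against it. `SELECTION_6: EventID: 1` repeats `SELECTION_1` and can be dropped from the condition.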
diff --git a/rules/Sigma/sysmon_apt_turla_namedpipes.yml b/rules/Sigma/sysmon_apt_turla_namedpipes.yml new file mode 100644 index 00000000..1c33360c --- /dev/null +++ b/rules/Sigma/sysmon_apt_turla_namedpipes.yml @@ -0,0 +1,42 @@ +title: Turla Group Named Pipes +author: Markus Neis +date: 2017/11/06 +description: Detects a named pipe used by Turla group samples +detection: + SELECTION_1: + EventID: 17 + SELECTION_2: + EventID: 18 + SELECTION_3: + PipeName: \atctl + SELECTION_4: + PipeName: \userpipe + SELECTION_5: + PipeName: \iehelper + SELECTION_6: + PipeName: \sdlrpc + SELECTION_7: + PipeName: \comnap + condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7)) +falsepositives: +- Unknown +id: 739915e4-1e70-4778-8b8a-17db02f66db1 +level: critical +logsource: + category: pipe_created + definition: Note that you have to configure logging for Named Pipe Events in Sysmon + config (Event ID 17 and Event ID 18). The basic configuration is in popular + sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but + it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, + https://github.com/olafhartong/sysmon-modular. How to test detection? You + can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + product: windows +references: +- Internal Research +status: experimental +tags: +- attack.g0010 +yml_filename: sysmon_apt_turla_namedpipes.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created + diff --git a/rules/Sigma/sysmon_asep_reg_keys_modification.yml b/rules/Sigma/sysmon_asep_reg_keys_modification.yml new file mode 100644 index 00000000..8eae5e70 --- /dev/null +++ b/rules/Sigma/sysmon_asep_reg_keys_modification.yml 
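Review bot: `tags` carries only the group identifier `attack.g0010`; every other rule in this commit also maps a tactic and technique, and tooling that filters by tactic will not surface this critical-level rule. `references: - Internal Research` gives a reader no way to verify the five pipe names, while the `definition` block under `logsource` is doing double duty as configuration guidance and test instructions; a dated source for the pipe names belongs in `references`. The `PipeName` values are exact strings with no wildcard, so a suffix or different casing misses; whether the engine compares case-insensitively I cannot tell from the hunk.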
@@ -0,0 +1,347 @@ +title: Autorun Keys Modification +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, + oscd.community, Tim Shelton +date: 2019/10/25 +description: Detects modification of autostart extensibility point (ASEP) in registry. +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + TargetObject: '*\Software\Microsoft\Ctf\LangBarAddin*' + SELECTION_100: + TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*' + SELECTION_101: + TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*' + SELECTION_102: + TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*' + SELECTION_103: + TargetObject: '*\AllFileSystemObjects\ShellEx\DragDropHandlers*' + SELECTION_104: + TargetObject: '*\ShellEx\PropertySheetHandlers*' + SELECTION_105: + TargetObject: '*\ShellEx\ContextMenuHandlers*' + SELECTION_106: + TargetObject: '*\Software\Classes*' + SELECTION_107: + TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*' + SELECTION_108: + TargetObject: '*\Folder\ShellEx\DragDropHandlers*' + SELECTION_109: + TargetObject: '*\Folder\Shellex\ColumnHandlers*' + SELECTION_11: + TargetObject: '*\Software\Microsoft\Command Processor\Autorun*' + SELECTION_110: + TargetObject: '*\Filter*' + SELECTION_111: + TargetObject: '*\Exefile\Shell\Open\Command\(Default)*' + SELECTION_112: + TargetObject: '*\Directory\Shellex\DragDropHandlers*' + SELECTION_113: + TargetObject: '*\Directory\Shellex\CopyHookHandlers*' + SELECTION_114: + TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*' + SELECTION_115: + TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*' + SELECTION_116: + TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*' + SELECTION_117: + TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*' + SELECTION_118: + TargetObject: '*\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers*' + SELECTION_119: + TargetObject: '*\.exe*' + 
SELECTION_12: + TargetObject: '*\SOFTWARE\Microsoft\Active Setup\Installed Components*' + SELECTION_120: + TargetObject: '*\.cmd*' + SELECTION_121: + TargetObject: '*\ShellEx\PropertySheetHandlers*' + SELECTION_122: + TargetObject: '*\ShellEx\ContextMenuHandlers*' + SELECTION_123: + TargetObject: '*\Software\Policies\Microsoft\Windows\System\Scripts*' + SELECTION_124: + TargetObject: '*\Startup*' + SELECTION_125: + TargetObject: '*\Shutdown*' + SELECTION_126: + TargetObject: '*\Logon*' + SELECTION_127: + TargetObject: '*\Logoff*' + SELECTION_128: + TargetObject: '*\System\CurrentControlSet\Services\WinSock2\Parameters*' + SELECTION_129: + TargetObject: '*\Protocol_Catalog9\Catalog_Entries*' + SELECTION_13: + TargetObject: '*\SOFTWARE\Classes\Protocols\Handler*' + SELECTION_130: + TargetObject: '*\NameSpace_Catalog5\Catalog_Entries*' + SELECTION_131: + TargetObject: '*\SYSTEM\CurrentControlSet\Control*' + SELECTION_132: + TargetObject: '*\Terminal Server\WinStations\RDP-Tcp\InitialProgram*' + SELECTION_133: + TargetObject: '*\Terminal Server\Wds\rdpwd\StartupPrograms*' + SELECTION_134: + TargetObject: '*\SecurityProviders\SecurityProviders*' + SELECTION_135: + TargetObject: '*\SafeBoot\AlternateShell*' + SELECTION_136: + TargetObject: '*\Print\Providers*' + SELECTION_137: + TargetObject: '*\Print\Monitors*' + SELECTION_138: + TargetObject: '*\NetworkProvider\Order*' + SELECTION_139: + TargetObject: '*\Lsa\Notification Packages*' + SELECTION_14: + TargetObject: '*\SOFTWARE\Classes\Protocols\Filter*' + SELECTION_140: + TargetObject: '*\Lsa\Authentication Packages*' + SELECTION_141: + TargetObject: '*\BootVerificationProgram\ImagePath*' + SELECTION_142: + Details: (Empty) + SELECTION_15: + TargetObject: '*\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)*' + SELECTION_16: + TargetObject: '*\Environment\UserInitMprLogonScript*' + SELECTION_17: + TargetObject: '*\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe*' + SELECTION_18: + 
TargetObject: '*\Software\Microsoft\Internet Explorer\UrlSearchHooks*' + SELECTION_19: + TargetObject: '*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*' + SELECTION_2: + EventID: 13 + SELECTION_20: + TargetObject: '*\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32*' + SELECTION_21: + TargetObject: '*\Control Panel\Desktop\Scrnsave.exe*' + SELECTION_22: + TargetObject: '*\System\CurrentControlSet\Control\Session Manager*' + SELECTION_23: + TargetObject: '*\SetupExecute*' + SELECTION_24: + TargetObject: '*\S0InitialCommand*' + SELECTION_25: + TargetObject: '*\KnownDlls*' + SELECTION_26: + TargetObject: '*\Execute*' + SELECTION_27: + TargetObject: '*\BootExecute*' + SELECTION_28: + TargetObject: '*\AppCertDlls*' + SELECTION_29: + TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion*' + SELECTION_3: + EventID: 14 + SELECTION_30: + TargetObject: '*\ShellServiceObjectDelayLoad*' + SELECTION_31: + TargetObject: '*\Run*' + SELECTION_32: + TargetObject: '*\Policies\System\Shell*' + SELECTION_33: + TargetObject: '*\Policies\Explorer\Run*' + SELECTION_34: + TargetObject: '*\Group Policy\Scripts\Startup*' + SELECTION_35: + TargetObject: '*\Group Policy\Scripts\Shutdown*' + SELECTION_36: + TargetObject: '*\Group Policy\Scripts\Logon*' + SELECTION_37: + TargetObject: '*\Group Policy\Scripts\Logoff*' + SELECTION_38: + TargetObject: '*\Explorer\ShellServiceObjects*' + SELECTION_39: + TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*' + SELECTION_4: + TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart*' + SELECTION_40: + TargetObject: '*\Explorer\ShellExecuteHooks*' + SELECTION_41: + TargetObject: '*\Explorer\SharedTaskScheduler*' + SELECTION_42: + TargetObject: '*\Explorer\Browser Helper Objects*' + SELECTION_43: + TargetObject: '*\Authentication\PLAP Providers*' + SELECTION_44: + TargetObject: '*\Authentication\Credential Providers*' + SELECTION_45: + TargetObject: '*\Authentication\Credential Provider 
Filters*' + SELECTION_46: + TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*' + SELECTION_47: + TargetObject: '*\Winlogon\VmApplet*' + SELECTION_48: + TargetObject: '*\Winlogon\Userinit*' + SELECTION_49: + TargetObject: '*\Winlogon\Taskman*' + SELECTION_5: + TargetObject: '*\Software\Wow6432Node\Microsoft\Command Processor\Autorun*' + SELECTION_50: + TargetObject: '*\Winlogon\Shell*' + SELECTION_51: + TargetObject: '*\Winlogon\GpExtensions*' + SELECTION_52: + TargetObject: '*\Winlogon\AppSetup*' + SELECTION_53: + TargetObject: '*\Winlogon\AlternateShells\AvailableShells*' + SELECTION_54: + TargetObject: '*\Windows\IconServiceLib*' + SELECTION_55: + TargetObject: '*\Windows\Appinit_Dlls*' + SELECTION_56: + TargetObject: '*\Image File Execution Options*' + SELECTION_57: + TargetObject: '*\Font Drivers*' + SELECTION_58: + TargetObject: '*\Drivers32*' + SELECTION_59: + TargetObject: '*\Windows\Run*' + SELECTION_6: + TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components*' + SELECTION_60: + TargetObject: '*\Windows\Load*' + SELECTION_61: + TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion*' + SELECTION_62: + TargetObject: '*\ShellServiceObjectDelayLoad*' + SELECTION_63: + TargetObject: '*\Run*' + SELECTION_64: + TargetObject: '*\Explorer\ShellServiceObjects*' + SELECTION_65: + TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*' + SELECTION_66: + TargetObject: '*\Explorer\ShellExecuteHooks*' + SELECTION_67: + TargetObject: '*\Explorer\SharedTaskScheduler*' + SELECTION_68: + TargetObject: '*\Explorer\Browser Helper Objects*' + SELECTION_69: + TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion*' + SELECTION_7: + TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect*' + SELECTION_70: + TargetObject: '*\Windows\Appinit_Dlls*' + SELECTION_71: + TargetObject: '*\Image File Execution Options*' + SELECTION_72: + TargetObject: '*\Drivers32*' + SELECTION_73: + EventID: 
12 + SELECTION_74: + EventID: 13 + SELECTION_75: + EventID: 14 + SELECTION_76: + TargetObject: '*\Software\Wow6432Node\Microsoft\Office*' + SELECTION_77: + TargetObject: '*\Software\Microsoft\Office*' + SELECTION_78: + TargetObject: '*\Word\Addins*' + SELECTION_79: + TargetObject: '*\PowerPoint\Addins*' + SELECTION_8: + TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect*' + SELECTION_80: + TargetObject: '*\Outlook\Addins*' + SELECTION_81: + TargetObject: '*\Onenote\Addins*' + SELECTION_82: + TargetObject: '*\Excel\Addins*' + SELECTION_83: + TargetObject: '*\Access\Addins*' + SELECTION_84: + TargetObject: '*test\Special\Perf*' + SELECTION_85: + EventID: 12 + SELECTION_86: + EventID: 13 + SELECTION_87: + EventID: 14 + SELECTION_88: + TargetObject: '*\Software\Wow6432Node\Microsoft\Internet Explorer*' + SELECTION_89: + TargetObject: '*\Software\Microsoft\Internet Explorer*' + SELECTION_9: + TargetObject: '*\SYSTEM\Setup\CmdLine*' + SELECTION_90: + TargetObject: '*\Toolbar*' + SELECTION_91: + TargetObject: '*\Extensions*' + SELECTION_92: + TargetObject: '*\Explorer Bars*' + SELECTION_93: + TargetObject: '*\Software\Wow6432Node\Classes*' + SELECTION_94: + TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*' + SELECTION_95: + TargetObject: '*\Folder\ShellEx\DragDropHandlers*' + SELECTION_96: + TargetObject: '*\Folder\ShellEx\ColumnHandlers*' + SELECTION_97: + TargetObject: '*\Directory\Shellex\DragDropHandlers*' + SELECTION_98: + TargetObject: '*\Directory\Shellex\CopyHookHandlers*' + SELECTION_99: + TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((((((((((((SELECTION_4 + or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 + or SELECTION_20 or SELECTION_21) or (SELECTION_22 
and (SELECTION_23 or SELECTION_24 + or SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28))) or (SELECTION_29 + and (SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 + or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 + or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 + or SELECTION_45))) or (SELECTION_46 and (SELECTION_47 or SELECTION_48 or SELECTION_49 + or SELECTION_50 or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 + or SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 + or SELECTION_60))) or (SELECTION_61 and (SELECTION_62 or SELECTION_63 or SELECTION_64 + or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68))) or (SELECTION_69 + and (SELECTION_70 or SELECTION_71 or SELECTION_72))) or ((SELECTION_73 or + SELECTION_74 or SELECTION_75) and (SELECTION_76 or SELECTION_77) and (SELECTION_78 + or SELECTION_79 or SELECTION_80 or SELECTION_81 or SELECTION_82 or SELECTION_83 + or SELECTION_84))) or ((SELECTION_85 or SELECTION_86 or SELECTION_87) and + (SELECTION_88 or SELECTION_89) and (SELECTION_90 or SELECTION_91 or SELECTION_92))) + or (SELECTION_93 and (SELECTION_94 or SELECTION_95 or SELECTION_96 or SELECTION_97 + or SELECTION_98 or SELECTION_99 or SELECTION_100 or SELECTION_101 or SELECTION_102 + or SELECTION_103 or SELECTION_104 or SELECTION_105))) or (SELECTION_106 and + (SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110 or SELECTION_111 + or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115 or SELECTION_116 + or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120 or SELECTION_121 + or SELECTION_122))) or (SELECTION_123 and (SELECTION_124 or SELECTION_125 + or SELECTION_126 or SELECTION_127))) or (SELECTION_128 and (SELECTION_129 + or SELECTION_130))) or ((SELECTION_131 and (SELECTION_132 or SELECTION_133 + or SELECTION_134 or SELECTION_135 or SELECTION_136 or 
SELECTION_137 or SELECTION_138 + or SELECTION_139 or SELECTION_140 or SELECTION_141)) and not (SELECTION_142)))) +falsepositives: +- Legitimate software automatically (mostly, during installation) sets up autorun + keys for legitimate reason +- Legitimate administrator sets up autorun keys for legitimate reason +fields: +- SecurityID +- ObjectName +- OldValueType +- NewValueType +id: 17f878b8-9968-4578-b814-c4217fc5768c +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/11/11 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md +- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d +status: experimental +tags: +- attack.persistence +- attack.t1547.001 +- attack.t1060 +yml_filename: sysmon_asep_reg_keys_modification.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/Sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml new file mode 100644 index 00000000..55f087cf --- /dev/null +++ b/rules/Sigma/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml 
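Review bot: `SELECTION_31: TargetObject: '*\Run*'` and its Wow6432Node twin `SELECTION_63` match any path containing `\Run`, so under `\SOFTWARE\Microsoft\Windows\CurrentVersion` they also cover keys such as `...\Explorer\RunMRU`, which is written on ordinary Run-dialog use; if the intent is `Run`, `RunOnce` and `RunOnceEx`, enumerating those is tighter than the substring, or `RunMRU` should at least be named under `falsepositives`. `SELECTION_119` (`'*\.exe*'`) and `SELECTION_120` (`'*\.cmd*'`) under `\Software\Classes` are similarly broad. `SELECTION_73`–`SELECTION_75` and `SELECTION_85`–`SELECTION_87` repeat the EventID 12/13/14 filter of `SELECTION_1`–`SELECTION_3` and can be dropped from the condition. The `not (SELECTION_142)` filter on `Details: (Empty)` applies only to the `SELECTION_131` branch, which is presumably intended but reads as if it guarded the whole expression.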
@@ -0,0 +1,46 @@ +title: Atlassian Confluence CVE-2021-26084 +author: Bhabesh Raj +date: 2021/09/08 +description: Detects spawning of suspicious child processes by Atlassian Confluence + server which may indicate successful exploitation of CVE-2021-26084 +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe' + SELECTION_3: + CommandLine: '*cmd /c*' + SELECTION_4: + CommandLine: '*cmd /k*' + SELECTION_5: + CommandLine: '*powershell*' + SELECTION_6: + CommandLine: '*certutil*' + SELECTION_7: + CommandLine: '*curl*' + SELECTION_8: + CommandLine: '*whoami*' + SELECTION_9: + CommandLine: '*ipconfig*' + condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) +falsepositives: +- Unknown +id: 245f92e3-c4da-45f1-9070-bc552e06db11 +level: high +logsource: + category: process_creation + product: windows +references: +- https://nvd.nist.gov/vuln/detail/CVE-2021-26084 +- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html +- https://github.com/h3v0x/CVE-2021-26084_Confluence +status: experimental +tags: +- attack.initial_access +- attack.execution +- attack.t1190 +- attack.t1059 +yml_filename: sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_bypass_via_wsreset.yml b/rules/Sigma/sysmon_bypass_via_wsreset.yml new file mode 100644 index 00000000..e7e4c995 --- /dev/null +++ b/rules/Sigma/sysmon_bypass_via_wsreset.yml 
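Review bot: `SELECTION_2: ParentImage: '*\Atlassian\Confluence\jre\bin\java.exe'` pins the parent to the default install layout and bundled JRE; a Confluence installed elsewhere or running on an external JDK (the `jre\bin` segment then differs) falls outside the rule even though the child-process pattern is identical. A looser parent such as `ParentImage: '*\Confluence\*\java.exe'` keeps the detection independent of install path. `SELECTION_7: CommandLine: '*curl*'` is a bare substring that also matches any argument containing `curl`; scoped by the parent it is tolerable, but that is worth a line in `falsepositives` instead of `Unknown`.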
@@ -0,0 +1,39 @@
+title: UAC Bypass Via Wsreset
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated
+ with the Windows Store. It will run a binary file contained in a low-privilege
+ registry.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- Image
+- EventType
+- TargetObject
+id: 6ea3bf32-9680-422d-9f50-e90716b12a66
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
+- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_bypass_via_wsreset.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_cactustorch.yml b/rules/Sigma/sysmon_cactustorch.yml
new file mode 100644
index 00000000..b7865606
--- /dev/null
+++ b/rules/Sigma/sysmon_cactustorch.yml
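Review bot: `SELECTION_4` ends at `\Shell\open\command` with no trailing wildcard; for a SetValue event (`EventID: 13`) Sysmon's `TargetObject` is the key path plus the value name (`...\command\(Default)`), so unless the engine strips the value name only the key-creation event (`EventID: 12`) can match as written. If value writes are meant to be caught too, `TargetObject: '*\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command*'` covers both. `description` is a run of fragments; `description: Detects registry changes to the WSReset.exe (Windows Store) protocol-handler command key, an unpatched Windows 10 UAC bypass that runs a binary referenced from a low-privilege HKCU key` says the same in one sentence.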
@@ -0,0 +1,47 @@ +title: CACTUSTORCH Remote Thread Creation +author: '@SBousseaden (detection), Thomas Patzke (rule)' +date: 2019/02/01 +description: Detects remote thread creation from CACTUSTORCH as described in references. +detection: + SELECTION_1: + EventID: 8 + SELECTION_2: + SourceImage: '*\System32\cscript.exe' + SELECTION_3: + SourceImage: '*\System32\wscript.exe' + SELECTION_4: + SourceImage: '*\System32\mshta.exe' + SELECTION_5: + SourceImage: '*\winword.exe' + SELECTION_6: + SourceImage: '*\excel.exe' + SELECTION_7: + TargetImage: '*\SysWOW64\\*' + SELECTION_8: + StartModule|re: ^$ + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6) and SELECTION_7 and SELECTION_8) +falsepositives: +- unknown +id: 2e4e488a-6164-4811-9ea1-f960c7359c40 +level: high +logsource: + category: create_remote_thread + product: windows +modified: 2021/11/12 +references: +- https://twitter.com/SBousseaden/status/1090588499517079552 +- https://github.com/mdsecactivebreach/CACTUSTORCH +status: experimental +tags: +- attack.defense_evasion +- attack.t1093 +- attack.t1055.012 +- attack.execution +- attack.t1064 +- attack.t1059.005 +- attack.t1059.007 +- attack.t1218.005 +yml_filename: sysmon_cactustorch.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread + diff --git a/rules/Sigma/sysmon_cmstp_execution_by_access.yml b/rules/Sigma/sysmon_cmstp_execution_by_access.yml new file mode 100644 index 00000000..16470042 --- /dev/null +++ b/rules/Sigma/sysmon_cmstp_execution_by_access.yml 
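Review bot: `SELECTION_8: StartModule|re: ^$` relies on the consuming engine honoring the `|re` modifier and on an empty `StartModule` being delivered as an empty string rather than `-` or an absent field; if either assumption fails, the `and SELECTION_8` clause silently drops every event. The same construct is used for `Imphash|re: ^$` in the ADS rule at the top of this chunk. A short `definition` under `logsource`, e.g. `definition: 'Requires StartModule to be present and empty for threads whose start address is outside any loaded module'`, lets an operator validate the field mapping before trusting the rule.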
@@ -0,0 +1,39 @@
+title: CMSTP Execution Process Access
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*cmlua.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 3b4b232a-af90-427c-a22f-30b0c0837b95
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/27
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1218.003
+- attack.t1191
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.g0069
+- attack.g0080
+- car.2019-04-001
+yml_filename: sysmon_cmstp_execution_by_access.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_cmstp_execution_by_creation.yml b/rules/Sigma/sysmon_cmstp_execution_by_creation.yml
new file mode 100644
index 00000000..b4432db1
--- /dev/null
+++ b/rules/Sigma/sysmon_cmstp_execution_by_creation.yml
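Review bot: `fields: - CommandLine - ParentCommandLine - Details` names attributes that a Sysmon process-access event (`EventID: 10`) does not carry; that event exposes `SourceImage`, `TargetImage`, `GrantedAccess` and `CallTrace`, so anything that renders `fields` will show blanks for this rule. The same list is copied into the process-creation and registry CMSTP rules in the next two hunks, where `Details` (process creation) and `CommandLine`/`ParentCommandLine` (registry event) are equally absent. `fields: - SourceImage - TargetImage - CallTrace` fits this rule, and `TargetObject` with `Details` fits the registry one.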
@@ -0,0 +1,36 @@
+title: CMSTP Execution Process Creation
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\cmstp.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/12/23
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1191
+- attack.t1218.003
+- attack.g0069
+- car.2019-04-001
+yml_filename: sysmon_cmstp_execution_by_creation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_cmstp_execution_by_registry.yml b/rules/Sigma/sysmon_cmstp_execution_by_registry.yml
new file mode 100644
index 00000000..2c4ae592
--- /dev/null
+++ b/rules/Sigma/sysmon_cmstp_execution_by_registry.yml
@@ -0,0 +1,40 @@
+title: CMSTP Execution Registry Event
+author: Nik Seetharaman
+date: 2018/07/16
+description: Detects various indicators of Microsoft Connection Manager Profile Installer
+ execution
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*\cmmgr32.exe*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate CMSTP use (unlikely in modern enterprise environments)
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: b6d235fc-1d38-4b12-adbe-325f06728f37
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2020/12/23
+references:
+- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+status: stable
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1191
+- attack.t1218.003
+- attack.g0069
+- car.2019-04-001
+yml_filename: sysmon_cmstp_execution_by_registry.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/Sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
new file mode 100644
index 00000000..c51ce71e
--- /dev/null
+++ b/rules/Sigma/sysmon_cobaltstrike_bof_injection_pattern.yml
@@ -0,0 +1,34 @@
+title: CobaltStrike BOF Injection Pattern
+author: Christian Burkard
+date: 2021/08/04
+description: Detects a typical pattern of a CobaltStrike BOF which inject into other
+ processes
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
+ SELECTION_3:
+ GrantedAccess: '0x1028'
+ SELECTION_4:
+ GrantedAccess: '0x1fffff'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 09706624-b7f6-455d-9d02-adee024cee1d
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/boku7/injectAmsiBypass
+- https://github.com/boku7/spawn
+status: experimental
+tags:
+- attack.execution
+- attack.t1106
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: sysmon_cobaltstrike_bof_injection_pattern.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_cobaltstrike_process_injection.yml b/rules/Sigma/sysmon_cobaltstrike_process_injection.yml
new file mode 100644
index 00000000..6132b798
--- /dev/null
+++ b/rules/Sigma/sysmon_cobaltstrike_process_injection.yml
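Review bot: The `CallTrace|re` pattern escapes inconsistently: `\\\\Windows` and `\\.dll` double the backslash while `\+`, `\|` and `\(` are escaped once, so read as a plain regex `ntdll\\.dll` requires a literal backslash followed by any character before `dll`, which never occurs in a Sysmon CallTrace of the form `C:\Windows\SYSTEM32\ntdll.dll+...`. If the engine unescapes `|re` values once before compiling them the pattern works, but that should be confirmed against a captured Event ID 10 record and noted in the rule; otherwise the value should be the single-escaped form `^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$`, quoted so YAML cannot touch it.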
@@ -0,0 +1,34 @@
+title: CobaltStrike Process Injection
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+description: Detects a possible remote threat creation with certain characteristics
+ which are typical for Cobalt Strike beacons
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ TargetProcessAddress: '*0B80'
+ SELECTION_3:
+ TargetProcessAddress: '*0C7C'
+ SELECTION_4:
+ TargetProcessAddress: '*0C88'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+level: high
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2020/08/28
+references:
+- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
+yml_filename: sysmon_cobaltstrike_process_injection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
+
diff --git a/rules/Sigma/sysmon_cobaltstrike_service_installs.yml b/rules/Sigma/sysmon_cobaltstrike_service_installs.yml
new file mode 100644
index 00000000..2ffff381
--- /dev/null
+++ b/rules/Sigma/sysmon_cobaltstrike_service_installs.yml
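Review bot: `TargetProcessAddress` is not a field of Sysmon Event ID 8; the thread start address is logged as `StartAddress`, and the CACTUSTORCH rule in this same commit (hunk at L256) already uses the native `StartModule` naming for the same event. Unless the engine aliases Sigma's generic `TargetProcessAddress` to `StartAddress`, the three selections never match and the rule is silently dead; rewriting them as `StartAddress: '*0B80'`, `StartAddress: '*0C7C'` and `StartAddress: '*0C88'` removes the dependency on that mapping.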
@@ -0,0 +1,52 @@
+title: CobaltStrike Service Installations in Registry
+author: Wojciech Lesicki
+date: 2021/06/29
+description: Detects known malicious service installs that appear in cases in which
+ a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch
+ this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
+ In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services
+ or HKLM\System\ControlSet002\Services, however, this rule is based on a regular
+ sysmon's events.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_10:
+ Details: '*powershell*'
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: SetValue
+ SELECTION_5:
+ TargetObject: '*HKLM\System\CurrentControlSet\Services*'
+ SELECTION_6:
+ Details: '*ADMIN$*'
+ SELECTION_7:
+ Details: '*.exe*'
+ SELECTION_8:
+ Details: '*%COMSPEC%*'
+ SELECTION_9:
+ Details: '*start*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5
+ and ((SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
+falsepositives:
+- unknown
+id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1543.003
+- attack.t1569.002
+yml_filename: sysmon_cobaltstrike_service_installs.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_comhijack_sdclt.yml b/rules/Sigma/sysmon_comhijack_sdclt.yml
new file mode 100644
index 00000000..f3e42962
--- /dev/null
+++ b/rules/Sigma/sysmon_comhijack_sdclt.yml
@@ -0,0 +1,32 @@
+title: COM Hijack via Sdclt
+author: Omkar Gudhate
+date: 2020/09/27
+description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
+falsepositives:
+- unknown
+id: 07743f65-7ec9-404a-a519-913db7118a8d
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
+- https://www.exploit-db.com/exploits/47696
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1546
+- attack.t1548
+yml_filename: sysmon_comhijack_sdclt.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_config_modification_error.yml b/rules/Sigma/sysmon_config_modification_error.yml
new file mode 100644
index 00000000..333d9582
--- /dev/null
+++ b/rules/Sigma/sysmon_config_modification_error.yml
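Review bot: `TargetObject: HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute` has no wildcard, so it is an exact string comparison, while Sysmon writes per-user registry paths as `HKU\<SID>\Software\...`; a raw event can only equal this value if the engine rewrites `HKCU` to the `HKU\*` form before matching. If that rewrite is not guaranteed, change the selection to `TargetObject: '*\Software\Classes\Folder\shell\open\command\DelegateExecute'` so the hive prefix no longer matters, and note in the description which form the rule expects.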
@@ -0,0 +1,30 @@
+title: Sysmon Configuration Error
+author: frack113
+date: 2021/06/04
+description: Someone try to hide from Sysmon
+detection:
+ SELECTION_1:
+ EventID: 255
+ SELECTION_2:
+ Description: '*Failed to open service configuration with error*'
+ SELECTION_3:
+ Description: '*Failed to connect to the driver to update configuration*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- legitimate administrative action
+id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
+level: high
+logsource:
+ category: sysmon_error
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564
+yml_filename: sysmon_config_modification_error.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
+
diff --git a/rules/Sigma/sysmon_config_modification_status.yml b/rules/Sigma/sysmon_config_modification_status.yml
new file mode 100644
index 00000000..7358bae7
--- /dev/null
+++ b/rules/Sigma/sysmon_config_modification_status.yml
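Review bot: `description: Someone try to hide from Sysmon` tells an analyst neither what the rule matches nor why it matters, although the two `Description` patterns show exactly what it keys on: Event ID 255 error records about a failed service-configuration open or a failed driver configuration update. Suggest `description: Detects Sysmon error events (Event ID 255) reporting a failed service configuration read or driver configuration update, which can indicate an attempt to tamper with Sysmon`. The companion status rule (hunk at L265) carries the same one-liner and should get matching wording for Event IDs 4 and 16.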
@@ -0,0 +1,31 @@
+title: Sysmon Configuration Modification
+author: frack113
+date: 2021/06/04
+description: Someone try to hide from Sysmon
+detection:
+ SELECTION_1:
+ EventID: 4
+ SELECTION_2:
+ EventID: 16
+ SELECTION_3:
+ State: Stopped
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or Sysmon config state
+ changed))
+falsepositives:
+- legitimate administrative action
+id: 1f2b5353-573f-4880-8e33-7d04dcf97744
+level: high
+logsource:
+ category: sysmon_status
+ product: windows
+modified: 2021/09/07
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564
+yml_filename: sysmon_config_modification_status.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
+
diff --git a/rules/Sigma/sysmon_createremotethread_loadlibrary.yml b/rules/Sigma/sysmon_createremotethread_loadlibrary.yml
new file mode 100644
index 00000000..0471f3fd
--- /dev/null
+++ b/rules/Sigma/sysmon_createremotethread_loadlibrary.yml
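Review bot: The condition `((SELECTION_1 or SELECTION_2) and (SELECTION_3 or Sysmon config state changed))` embeds the bare words `Sysmon config state changed` inside a boolean expression; they are not a selection name, so a condition parser will either reject the whole rule or treat the phrase as unknown identifiers, and the keyword match the source rule presumably intended is lost. Move the phrase into its own selection — e.g. `SELECTION_4:` holding a keyword-style match for `'*Sysmon config state changed*'` on whichever message field the engine exposes for Event ID 16 — and reference it as `(SELECTION_3 or SELECTION_4)`. The wrapped condition also means the rule would only ever fire on `State: Stopped` if the parser happened to ignore the stray tokens, which is not the documented intent.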
@@ -0,0 +1,31 @@
+title: CreateRemoteThread API and LoadLibrary
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+description: Detects potential use of CreateRemoteThread api and LoadLibrary function
+ to inject DLL into a process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ StartModule: '*\kernel32.dll'
+ SELECTION_3:
+ StartFunction: LoadLibraryA
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 052ec6f6-1adc-41e6-907a-f1c813478bee
+level: critical
+logsource:
+ category: create_remote_thread
+ product: windows
+modified: 2020/08/28
+references:
+- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1055
+- attack.t1055.001
+yml_filename: sysmon_createremotethread_loadlibrary.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
+
diff --git a/rules/Sigma/sysmon_creation_mavinject_dll.yml b/rules/Sigma/sysmon_creation_mavinject_dll.yml
new file mode 100644
index 00000000..901fae11
--- /dev/null
+++ b/rules/Sigma/sysmon_creation_mavinject_dll.yml
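Review bot: `StartFunction: LoadLibraryA` covers only the ANSI entry point, yet a remote thread started on `LoadLibraryW`, `LoadLibraryExA` or `LoadLibraryExW` in the same `kernel32.dll` is the identical DLL-injection pattern the description claims to detect and is not covered here. Add `SELECTION_4: StartFunction: LoadLibraryW` (and the two `Ex` variants as further selections) and widen the condition to `(SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 ...))`; the critical level is easier to justify once the coverage matches the title.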
@@ -0,0 +1,39 @@
+title: Mavinject Inject DLL Into Running Process
+author: frack113
+date: 2021/07/12
+description: Injects arbitrary DLL into running process specified by process ID. Requires
+ Windows 10.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '* /INJECTRUNNING*'
+ SELECTION_3:
+ CommandLine: '*.dll*'
+ SELECTION_4:
+ OriginalFileName: '*mavinject*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.collection
+- attack.t1218
+- attack.t1056.004
+yml_filename: sysmon_creation_mavinject_dll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_creation_system_file.yml b/rules/Sigma/sysmon_creation_system_file.yml
new file mode 100644
index 00000000..04bebbb5
--- /dev/null
+++ b/rules/Sigma/sysmon_creation_system_file.yml
@@ -0,0 +1,102 @@
+title: File Created with System Process Name
+author: Sander Wiebing
+date: 2020/05/26
+description: Detects the creation of an executable with a system process name in a
+ suspicious folder
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*\csrss.exe'
+ SELECTION_11:
+ TargetFilename: '*\conhost.exe'
+ SELECTION_12:
+ TargetFilename: '*\wininit.exe'
+ SELECTION_13:
+ TargetFilename: '*\lsm.exe'
+ SELECTION_14:
+ TargetFilename: '*\winlogon.exe'
+ SELECTION_15:
+ TargetFilename: '*\explorer.exe'
+ SELECTION_16:
+ TargetFilename: '*\taskhost.exe'
+ SELECTION_17:
+ TargetFilename: '*\Taskmgr.exe'
+ SELECTION_18:
+ TargetFilename: '*\taskmgr.exe'
+ SELECTION_19:
+ TargetFilename: '*\sihost.exe'
+ SELECTION_2:
+ TargetFilename: '*\svchost.exe'
+ SELECTION_20:
+ TargetFilename: '*\RuntimeBroker.exe'
+ SELECTION_21:
+ TargetFilename: '*\runtimebroker.exe'
+ SELECTION_22:
+ TargetFilename: '*\smartscreen.exe'
+ SELECTION_23:
+ TargetFilename: '*\dllhost.exe'
+ SELECTION_24:
+ TargetFilename: '*\audiodg.exe'
+ SELECTION_25:
+ TargetFilename: '*\wlanext.exe'
+ SELECTION_26:
+ TargetFilename: C:\Windows\System32\\*
+ SELECTION_27:
+ TargetFilename: C:\Windows\system32\\*
+ SELECTION_28:
+ TargetFilename: C:\Windows\SysWow64\\*
+ SELECTION_29:
+ TargetFilename: C:\Windows\SysWOW64\\*
+ SELECTION_3:
+ TargetFilename: '*\rundll32.exe'
+ SELECTION_30:
+ TargetFilename: C:\Windows\winsxs\\*
+ SELECTION_31:
+ TargetFilename: C:\Windows\WinSxS\\*
+ SELECTION_32:
+ TargetFilename: \SystemRoot\System32\\*
+ SELECTION_33:
+ Image: '*\Windows\System32\dism.exe'
+ SELECTION_34:
+ TargetFilename: C:\$WINDOWS.~BT\\*
+ SELECTION_35:
+ Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe
+ SELECTION_4:
+ TargetFilename: '*\services.exe'
+ SELECTION_5:
+ TargetFilename: '*\powershell.exe'
+ SELECTION_6:
+ TargetFilename: '*\regsvr32.exe'
+ SELECTION_7:
+ TargetFilename: '*\spoolsv.exe'
+ SELECTION_8:
+ TargetFilename: '*\lsass.exe'
+ SELECTION_9:
+ TargetFilename: '*\smss.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25)
+ and not ((SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or
+ SELECTION_30 or SELECTION_31 or SELECTION_32) and SELECTION_33)) and not
+ (SELECTION_34 and SELECTION_35))
+falsepositives:
+- System processes copied outside the default folder
+fields:
+- Image
+id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/10/28
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
+yml_filename: sysmon_creation_system_file.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_cred_dump_lsass_access.yml b/rules/Sigma/sysmon_cred_dump_lsass_access.yml
new file mode 100644
index 00000000..6370bb80
--- /dev/null
+++ b/rules/Sigma/sysmon_cred_dump_lsass_access.yml
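Review bot: The selections mix case-duplicated and single-case values: `Taskmgr.exe`/`taskmgr.exe`, `RuntimeBroker.exe`/`runtimebroker.exe`, `System32`/`system32`, `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` are each listed twice, while `svchost.exe`, `lsass.exe` and the other names appear once. If the engine matches case-insensitively the duplicates are dead weight; if it matches case-sensitively, the DISM exclusion still misses spellings such as `C:\WINDOWS\System32\` and the rule fires on legitimate servicing, and the single-case names miss trivially different spellings. Confirm the engine's case handling, record it in the description, and then either drop the duplicates or use whatever case-insensitive matching the engine offers so every value appears exactly once.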
@@ -0,0 +1,89 @@
+title: Credentials Dumping Tools Accessing LSASS Memory
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+ Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
+ oscd.community (update)
+date: 2017/02/16
+description: Detects process access LSASS memory which is typical for credentials
+ dumping tools
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_10:
+ GrantedAccess: '*0x143a*'
+ SELECTION_11:
+ GrantedAccess: '*0x1418*'
+ SELECTION_12:
+ GrantedAccess: '*0x1f0fff*'
+ SELECTION_13:
+ GrantedAccess: '*0x1f1fff*'
+ SELECTION_14:
+ GrantedAccess: '*0x1f2fff*'
+ SELECTION_15:
+ GrantedAccess: '*0x1f3fff*'
+ SELECTION_16:
+ SourceImage: '*\wmiprvse.exe'
+ SELECTION_17:
+ SourceImage: '*\taskmgr.exe'
+ SELECTION_18:
+ SourceImage: '*\procexp64.exe'
+ SELECTION_19:
+ SourceImage: '*\procexp.exe'
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_20:
+ SourceImage: '*\lsm.exe'
+ SELECTION_21:
+ SourceImage: '*\MsMpEng.exe'
+ SELECTION_22:
+ SourceImage: '*\csrss.exe'
+ SELECTION_23:
+ SourceImage: '*\wininit.exe'
+ SELECTION_24:
+ SourceImage: '*\vmtoolsd.exe'
+ SELECTION_3:
+ GrantedAccess: '*0x40*'
+ SELECTION_4:
+ GrantedAccess: '*0x1000*'
+ SELECTION_5:
+ GrantedAccess: '*0x1400*'
+ SELECTION_6:
+ GrantedAccess: '*0x100000*'
+ SELECTION_7:
+ GrantedAccess: '*0x1410*'
+ SELECTION_8:
+ GrantedAccess: '*0x1010*'
+ SELECTION_9:
+ GrantedAccess: '*0x1438*'
+ condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15))
+ and not ((SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or
+ SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24)))
+falsepositives:
+- Legitimate software accessing LSASS process for legitimate reason; update the whitelist
+ with it
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/10/20
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+- car.2019-04-004
+yml_filename: sysmon_cred_dump_lsass_access.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_cred_dump_tools_dropped_files.yml b/rules/Sigma/sysmon_cred_dump_tools_dropped_files.yml
new file mode 100644
index 00000000..64481cf5
--- /dev/null
+++ b/rules/Sigma/sysmon_cred_dump_tools_dropped_files.yml
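Review bot: The exclusion set (`SELECTION_16` through `SELECTION_24`) keys on the bare image name, e.g. `SourceImage: '*\taskmgr.exe'`, so a process with that file name in any directory is exempted from an LSASS-access alert. Anchoring each allow-list entry to its expected location — `SourceImage: '*\Windows\System32\taskmgr.exe'`, `'*\Windows\System32\wininit.exe'`, `'*\Windows\System32\csrss.exe'` and so on — keeps the false-positive suppression for the real system binaries without exempting a same-named file elsewhere; ProcExp, MsMpEng and vmtoolsd can be anchored to their install directories the same way. Since the `falsepositives` text already asks operators to extend the list, it would help to state there that additions should carry the full path.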
@@ -0,0 +1,83 @@
+title: Cred Dump Tools Dropped Files
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Files with well-known filenames (parts of credential dump software or
+ files produced by them) creation
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_10:
+ TargetFilename: '*\lsremora.dll'
+ SELECTION_11:
+ TargetFilename: '*\fgexec.exe'
+ SELECTION_12:
+ TargetFilename: '*\wceaux.dll'
+ SELECTION_13:
+ TargetFilename: '*\SAM.out'
+ SELECTION_14:
+ TargetFilename: '*\SECURITY.out'
+ SELECTION_15:
+ TargetFilename: '*\SYSTEM.out'
+ SELECTION_16:
+ TargetFilename: '*\NTDS.out'
+ SELECTION_17:
+ TargetFilename: '*\DumpExt.dll'
+ SELECTION_18:
+ TargetFilename: '*\DumpSvc.exe'
+ SELECTION_19:
+ TargetFilename: '*\cachedump64.exe'
+ SELECTION_2:
+ TargetFilename: '*\pwdump*'
+ SELECTION_20:
+ TargetFilename: '*\cachedump.exe'
+ SELECTION_21:
+ TargetFilename: '*\pstgdump.exe'
+ SELECTION_22:
+ TargetFilename: '*\servpw.exe'
+ SELECTION_23:
+ TargetFilename: '*\servpw64.exe'
+ SELECTION_24:
+ TargetFilename: '*\pwdump.exe'
+ SELECTION_25:
+ TargetFilename: '*\procdump64.exe'
+ SELECTION_3:
+ TargetFilename: '*\kirbi*'
+ SELECTION_4:
+ TargetFilename: '*\pwhashes*'
+ SELECTION_5:
+ TargetFilename: '*\wce_ccache*'
+ SELECTION_6:
+ TargetFilename: '*\wce_krbtkts*'
+ SELECTION_7:
+ TargetFilename: '*\fgdump-log*'
+ SELECTION_8:
+ TargetFilename: '*\test.pwd'
+ SELECTION_9:
+ TargetFilename: '*\lsremora64.dll'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7) and (SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25))
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.003
+- attack.t1003.004
+- attack.t1003.005
+yml_filename: sysmon_cred_dump_tools_dropped_files.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_cred_dump_tools_named_pipes.yml b/rules/Sigma/sysmon_cred_dump_tools_named_pipes.yml
new file mode 100644
index 00000000..da76ee62
--- /dev/null
+++ b/rules/Sigma/sysmon_cred_dump_tools_named_pipes.yml
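Review bot: The condition ANDs the two filename groups — `(SELECTION_2 or ... SELECTION_7) and (SELECTION_8 or ... SELECTION_25)` — so a created file must both contain one of `pwdump`, `kirbi`, `pwhashes`, `wce_ccache`, `wce_krbtkts`, `fgdump-log` and end with one of the explicit names; `*\lsremora.dll`, `*\wceaux.dll`, `*\SAM.out`, `*\cachedump.exe`, `*\procdump64.exe` and most of the second group can never satisfy the first, so those selections are unreachable and only `*\pwdump.exe` effectively survives. The description says any of the well-known names should fire, which calls for an `or` between the groups: `condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7) or (SELECTION_8 or SELECTION_9 or SELECTION_10 or ... or SELECTION_25)))`. A short description sentence stating that the two groups are alternative indicator sets would stop the next conversion from re-introducing the `and`.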
@@ -0,0 +1,44 @@
+title: Cred Dump-Tools Named Pipes
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+description: Detects well-known credential dumping tools execution via specific named
+ pipes
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: '*\lsadump*'
+ SELECTION_4:
+ PipeName: '*\cachedump*'
+ SELECTION_5:
+ PipeName: '*\wceservicepipe*'
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5))
+falsepositives:
+- Legitimate Administrator using tool for password recovery
+id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular. How to test detection? You
+ can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+modified: 2020/08/28
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.t1003.002
+- attack.t1003.004
+- attack.t1003.005
+yml_filename: sysmon_cred_dump_tools_named_pipes.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_cve_2020_1048.yml b/rules/Sigma/sysmon_cve_2020_1048.yml
new file mode 100644
index 00000000..36b1b5e7
--- /dev/null
+++ b/rules/Sigma/sysmon_cve_2020_1048.yml
@@ -0,0 +1,45 @@
+title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
+author: EagleEye Team, Florian Roth, NVISO
+date: 2020/05/13
+description: Detects a new and suspicious printer port creation in Registry that could
+ be an attempt to exploit CVE-2020-1048
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports*
+ SELECTION_5:
+ Details: '*.dll*'
+ SELECTION_6:
+ Details: '*.exe*'
+ SELECTION_7:
+ Details: '*.bat*'
+ SELECTION_8:
+ Details: '*.com*'
+ SELECTION_9:
+ Details: '*C:*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))
+falsepositives:
+- New printer port install on host
+id: 7ec912f2-5175-4868-b811-ec13ad0f8567
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2020/09/06
+references:
+- https://windows-internals.com/printdemon-cve-2020-1048/
+status: experimental
+tags:
+- attack.persistence
+- attack.execution
+- attack.defense_evasion
+- attack.t1112
+yml_filename: sysmon_cve_2020_1048.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_cve_2021_26857_msexchange.yml b/rules/Sigma/sysmon_cve_2021_26857_msexchange.yml
new file mode 100644
index 00000000..5e4e867b
--- /dev/null
+++ b/rules/Sigma/sysmon_cve_2021_26857_msexchange.yml
@@ -0,0 +1,33 @@
+title: CVE-2021-26857 Exchange Exploitation
+author: Bhabesh Raj
+date: 2021/03/03
+description: "Detects possible successful exploitation for vulnerability described\
+ \ in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange\
+ \ Server\u2019s Unified Messaging service"
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*UMWorkerProcess.exe'
+ SELECTION_3:
+ Image: '*wermgr.exe'
+ SELECTION_4:
+ Image: '*WerFault.exe'
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4)))
+falsepositives:
+- Unknown
+id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+status: experimental
+tags:
+- attack.t1203
+- attack.execution
+- cve.2021.26857
+yml_filename: sysmon_cve_2021_26857_msexchange.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_cve_2021_26858_msexchange.yml b/rules/Sigma/sysmon_cve_2021_26858_msexchange.yml
new file mode 100644
index 00000000..b53de3d5
--- /dev/null
+++ b/rules/Sigma/sysmon_cve_2021_26858_msexchange.yml
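Review bot: The double-quoted `description` carries conversion artifacts: a stray ` | ` separator in the middle of the sentence and the `\u2019` escape for the apostrophe, which decodes correctly but reads as noise in any raw view of the rule; the CVE-2021-26858 rule (hunk at L277) has the same pattern with two pipes. Suggest a plain scalar instead: `description: Detects possible successful exploitation of CVE-2021-26857 by looking for abnormal subprocesses spawned by the Exchange Server Unified Messaging service`, and the analogous wording about non-standard file creation for the 26858 rule.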
@@ -0,0 +1,44 @@
+title: CVE-2021-26858 Exchange Exploitation
+author: Bhabesh Raj
+date: 2021/03/03
+description: "Detects possible successful exploitation for vulnerability described\
+ \ in CVE-2021-26858 by looking for | creation of non-standard files on disk by\
+ \ Exchange Server\u2019s Unified Messaging service | which could indicate dropping\
+ \ web shells or other malicious content"
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*UMWorkerProcess.exe'
+ SELECTION_3:
+ TargetFilename: '*CacheCleanup.bin'
+ SELECTION_4:
+ TargetFilename: '*.txt'
+ SELECTION_5:
+ TargetFilename: '*.LOG'
+ SELECTION_6:
+ TargetFilename: '*.cfg'
+ SELECTION_7:
+ TargetFilename: '*cleanup.bin'
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
+ or SELECTION_5 or SELECTION_6 or SELECTION_7)))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
+level: critical
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+status: experimental
+tags:
+- attack.t1203
+- attack.execution
+- cve.2021.26858
+yml_filename: sysmon_cve_2021_26858_msexchange.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_dcom_iertutil_dll_hijack.yml b/rules/Sigma/sysmon_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000..41f8177e
--- /dev/null
+++ b/rules/Sigma/sysmon_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,39 @@
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+date: 2020/10/12
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
+ Files\Internet Explorer\` directory over the network and loading it for a DCOM
+ InternetExplorer DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: System
+ SELECTION_3:
+ TargetFilename: '*\Internet Explorer\iertutil.dll'
+ SELECTION_4:
+ EventID: 7
+ SELECTION_5:
+ Image: '*\Internet Explorer\iexplore.exe'
+ SELECTION_6:
+ ImageLoaded: '*\Internet Explorer\iertutil.dll'
+ condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5 and SELECTION_6))
+falsepositives:
+- Unknown
+id: e554f142-5cf3-4e55-ace9-a1b59e0def65
+level: critical
+logsource:
+ product: windows
+ service: sysmon
+modified: 2021/06/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1021.003
+yml_filename: sysmon_dcom_iertutil_dll_hijack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/sysmon
+
diff --git a/rules/Sigma/sysmon_delete_prefetch.yml b/rules/Sigma/sysmon_delete_prefetch.yml
new file mode 100644
index 00000000..6c7876fb
--- /dev/null
+++ b/rules/Sigma/sysmon_delete_prefetch.yml
@@ -0,0 +1,33 @@
+title: Prefetch File Deletion
+author: Cedric MAURUGEON
+date: 2021/09/29
+description: Detects the deletion of a prefetch file (AntiForensic)
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ TargetFilename: C:\Windows\Prefetch\\*
+ SELECTION_4:
+ TargetFilename: '*.pf'
+ SELECTION_5:
+ Image: C:\windows\system32\svchost.exe
+ SELECTION_6:
+ User: NT AUTHORITY\SYSTEM
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and not
+ (SELECTION_5 and SELECTION_6))
+falsepositives:
+- Unknown
+id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
+level: high
+logsource:
+ category: file_delete
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
+yml_filename: sysmon_delete_prefetch.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
+
diff --git a/rules/Sigma/sysmon_detect_powerup_dllhijacking.yml b/rules/Sigma/sysmon_detect_powerup_dllhijacking.yml
new file mode 100644
index 00000000..04768f72
--- /dev/null
+++ b/rules/Sigma/sysmon_detect_powerup_dllhijacking.yml
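Review bot: The exclusion `Image: C:\windows\system32\svchost.exe` is an exact-match plain value spelled in lowercase, while Sysmon records the image path with the casing from disk, normally `C:\Windows\System32\svchost.exe`; if the engine compares case-sensitively (the duplicated upper/lower-case values in the file-creation rule at L268–L269 suggest that may be the case), the filter never applies and every routine prefetch cleanup by the SYSTEM svchost raises a high-level alert. Quote and wildcard the value, `Image: '*\Windows\System32\svchost.exe'`, or confirm case-insensitive matching and say so in the description next to the filter's purpose.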
@@ -0,0 +1,34 @@
+title: Powerup Write Hijack DLL
+author: Subhash Popuri (@pbssubhash)
+date: 2021/08/21
+description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege
+ escalation. In it's default mode, it builds a self deleting .bat file which executes
+ malicious command. The detection rule relies on creation of the malicious bat
+ file (debug.bat by default).
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: '*\powershell.exe'
+ SELECTION_3:
+ TargetFilename: '*.bat'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Pentest
+- Any powershell script that creates bat files
+id: 602a1f13-c640-4d73-b053-be9a2fa58b96
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1574.001
+yml_filename: sysmon_detect_powerup_dllhijacking.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_dhcp_calloutdll.yml b/rules/Sigma/sysmon_dhcp_calloutdll.yml
new file mode 100644
index 00000000..7663965b
--- /dev/null
+++ b/rules/Sigma/sysmon_dhcp_calloutdll.yml
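Review bot: `level: high` does not square with a selection of `TargetFilename: '*.bat'` written by any `powershell.exe`, which the rule's own `falsepositives` entry concedes matches every PowerShell script that creates a batch file, while the description says the tool's default artifact is `debug.bat`. Either narrow the selection toward the documented artifact (`TargetFilename: '*\debug.bat'`, accepting that a renamed file is then missed) or keep the broad match and lower the level to `medium` so triage queues are not flooded. The description also needs `In it's default mode` → `In its default mode`.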
@@ -0,0 +1,38 @@ +title: DHCP Callout DLL Installation +author: Dimitrios Slamaris +date: 2017/05/15 +description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled + parameter in Registry, which can be used to execute code in context of the DHCP + server (restart required) +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Services\DHCPServer\Parameters\CalloutDlls' + SELECTION_5: + TargetObject: '*\Services\DHCPServer\Parameters\CalloutEnabled' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- unknown +id: 9d3436ef-9476-4c43-acca-90ce06bdf33a +level: high +logsource: + category: registry_event + product: windows +references: +- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html +- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx +- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx +status: experimental +tags: +- attack.defense_evasion +- attack.t1073 +- attack.t1574.002 +- attack.t1112 +yml_filename: sysmon_dhcp_calloutdll.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_direct_syscall_ntopenprocess.yml b/rules/Sigma/sysmon_direct_syscall_ntopenprocess.yml new file mode 100644 index 00000000..df5ea157 --- /dev/null +++ b/rules/Sigma/sysmon_direct_syscall_ntopenprocess.yml 
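Review bot: The tags list carries both `attack.t1073` and its ATT&CK replacement `attack.t1574.002`; T1073 is a deprecated ID, so tooling that maps tags to current ATT&CK will either drop it or flag the rule. The same pattern appears in sysmon_disable_security_events_logging_adding_reg_key_minint.yml, which lists the deprecated `attack.t1089` next to its successor `attack.t1562.001`. Keep only the current sub-technique unless the consuming tool still depends on the legacy IDs, in which case that dependency should be stated once in the repository rather than repeated silently in rules.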
@@ -0,0 +1,27 @@ +title: Direct Syscall of NtOpenProcess +author: Christian Burkard +date: 2021/07/28 +description: Detects the usage of the direct syscall of NtOpenProcess which might + be done from a CobaltStrike BOF. +detection: + SELECTION_1: + EventID: 10 + SELECTION_2: + CallTrace: UNKNOWN* + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- unknown +id: 3f3f3506-1895-401b-9cc3-e86b16e630d0 +level: critical +logsource: + category: process_access + product: windows +references: +- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 +status: experimental +tags: +- attack.execution +- attack.t1106 +yml_filename: sysmon_direct_syscall_ntopenprocess.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access + diff --git a/rules/Sigma/sysmon_disable_microsoft_office_security_features.yml b/rules/Sigma/sysmon_disable_microsoft_office_security_features.yml new file mode 100644 index 00000000..697fadaf --- /dev/null +++ b/rules/Sigma/sysmon_disable_microsoft_office_security_features.yml 
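Review bot: `CallTrace: UNKNOWN*` combined with `level: critical` and `falsepositives: unknown` is a strong claim on a weak signal: a call trace whose first frame cannot be resolved to a module on disk can also be produced by JIT-compiled or otherwise dynamically generated code, not only by direct-syscall stubs. The sibling sysmon_in_memory_assembly_execution.yml keys on the same `UNKNOWN` marker but narrows it with a `GrantedAccess` list and a SourceImage exclusion. Either borrow that shaping here or document the expected benign sources under `falsepositives` so the critical level is defensible to whoever triages it.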
@@ -0,0 +1,46 @@ +title: Disable Microsoft Office Security Features +author: frack113 +date: 2021/06/08 +description: Disable Microsoft Office Security Features by registry +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: DWORD (0x00000001) + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: SetValue + SELECTION_5: + TargetObject: '*\SOFTWARE\Microsoft\Office\\*' + SELECTION_6: + TargetObject: '*VBAWarnings' + SELECTION_7: + TargetObject: '*DisableInternetFilesInPV' + SELECTION_8: + TargetObject: '*DisableUnsafeLocationsInPV' + SELECTION_9: + TargetObject: '*DisableAttachementsInPV' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and SELECTION_10) +falsepositives: +- unknown +id: 7c637634-c95d-4bbf-b26c-a82510874b34 +level: high +logsource: + category: registry_event + definition: key must be add to the sysmon configuration to works + product: windows +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ +- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1562.001 +yml_filename: sysmon_disable_microsoft_office_security_features.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/Sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml new file mode 100644 index 00000000..d6948ea0 --- /dev/null +++ b/rules/Sigma/sysmon_disable_security_events_logging_adding_reg_key_minint.yml 
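Review bot: `definition: key must be add to the sysmon configuration to works` is ungrammatical and does not say which keys an operator has to add, which is the one thing a `definition` field is for. Something like `definition: The VBAWarnings and Disable*InPV values under SOFTWARE\Microsoft\Office must be included in the Sysmon RegistryEvent configuration for this rule to fire` names the values the selections actually match and tells the reader what to verify in their Sysmon config.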
@@ -0,0 +1,44 @@ +title: Disable Security Events Logging Adding Reg Key MiniNt +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, + Windows Event Log service will stopped write events. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt + SELECTION_5: + EventType: CreateKey + SELECTION_6: + NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and + SELECTION_5) or SELECTION_6)) +falsepositives: +- Unknown +fields: +- EventID +- Image +- TargetObject +- NewName +id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 +level: high +logsource: + category: registry_event + product: windows +modified: 2019/11/13 +references: +- https://twitter.com/0gtweet/status/1182516740955226112 +status: experimental +tags: +- attack.defense_evasion +- attack.t1089 +- attack.t1562.001 +- attack.t1112 +yml_filename: sysmon_disable_security_events_logging_adding_reg_key_minint.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_disable_wdigest_credential_guard.yml b/rules/Sigma/sysmon_disable_wdigest_credential_guard.yml new file mode 100644 index 00000000..cae4db02 --- /dev/null +++ b/rules/Sigma/sysmon_disable_wdigest_credential_guard.yml 
@@ -0,0 +1,33 @@ +title: Wdigest CredGuard Registry Modification +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2019/08/25 +description: Detects potential malicious modification of the property value of IsCredGuardEnabled + from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable + Cred Guard on a system. This is usually used with UseLogonCredential to manipulate + the caching credentials. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\IsCredGuardEnabled' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- Unknown +id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd +level: critical +logsource: + category: registry_event + product: windows +references: +- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_disable_wdigest_credential_guard.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/Sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml new file mode 100644 index 00000000..efba522c --- /dev/null +++ b/rules/Sigma/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml 
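Review bot: `SELECTION_4: TargetObject: '*\IsCredGuardEnabled'` is the only value-level constraint, so the rule raises a `critical` alert for any create, set or rename of that value, including writes that set it to 1 when Credential Guard is legitimately enabled by policy. The sibling sysmon_etw_disabled.yml pins the written data with `Details: DWORD (0x00000000)`; adding the same selection here (`SELECTION_5: Details: DWORD (0x00000000)` and `and SELECTION_5` in the condition) keeps the critical level focused on the disable case the description actually talks about.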
@@ -0,0 +1,36 @@ +title: Disable Exploit Guard Network Protection on Windows Defender +author: Austin Songer @austinsonger +date: 2021/08/04 +description: Detects disabling Windows Defender Exploit Guard Network Protection +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: SetValue + SELECTION_5: + TargetObject: '*HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security + Center\App and Browser protection\DisallowExploitProtectionOverride*' + SELECTION_6: + Details: DWORD (00000001) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6) +falsepositives: +- Unknown +id: bf9e1387-b040-4393-9851-1598f8ecfae9 +level: medium +logsource: + category: registry_event + product: windows +references: +- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1562.001 +yml_filename: sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/Sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml new file mode 100644 index 00000000..b8f6296e --- /dev/null +++ b/rules/Sigma/sysmon_disabled_pua_protection_on_microsoft_defender.yml 
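Review bot: `SELECTION_6: Details: DWORD (00000001)` does not match the way Sysmon renders DWORD data in registry events, which is `DWORD (0x00000001)` — the form the neighbouring sysmon_disable_microsoft_office_security_features.yml and sysmon_disabled_pua_protection_on_microsoft_defender.yml use — so this selection will never match and the rule is effectively dead. The same defect is present in sysmon_disabled_tamper_protection_on_microsoft_defender.yml (`Details: DWORD (0)`) and in the Edge and Firefox branches of sysmon_dns_over_https_enabled.yml (`Details: DWORD (1)`). Separately, `DisallowExploitProtectionOverride` appears to govern whether users may override Exploit Protection settings rather than Network Protection, so the title and description should presumably say Exploit Protection.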
@@ -0,0 +1,35 @@ +title: Disable PUA Protection on Windows Defender +author: Austin Songer @austinsonger +date: 2021/08/04 +description: Detects disabling Windows Defender PUA protection +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: SetValue + SELECTION_5: + TargetObject: '*HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection*' + SELECTION_6: + Details: DWORD (0x00000000) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6) +falsepositives: +- Unknown +id: 8ffc5407-52e3-478f-9596-0a7371eafe13 +level: high +logsource: + category: registry_event + product: windows +references: +- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1562.001 +yml_filename: sysmon_disabled_pua_protection_on_microsoft_defender.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/Sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml new file mode 100644 index 00000000..5f6311c2 --- /dev/null +++ b/rules/Sigma/sysmon_disabled_tamper_protection_on_microsoft_defender.yml 
@@ -0,0 +1,35 @@ +title: Disable Tamper Protection on Windows Defender +author: Austin Songer @austinsonger +date: 2021/08/04 +description: Detects disabling Windows Defender Tamper Protection +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: SetValue + SELECTION_5: + TargetObject: '*HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection*' + SELECTION_6: + Details: DWORD (0) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6) +falsepositives: +- Unknown +id: 93d298a1-d28f-47f1-a468-d971e7796679 +level: medium +logsource: + category: registry_event + product: windows +references: +- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1562.001 +yml_filename: sysmon_disabled_tamper_protection_on_microsoft_defender.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_dllhost_net_connections.yml b/rules/Sigma/sysmon_dllhost_net_connections.yml new file mode 100644 index 00000000..9e8b3a13 --- /dev/null +++ b/rules/Sigma/sysmon_dllhost_net_connections.yml 
@@ -0,0 +1,75 @@ +title: Dllhost Internet Connection +author: bartblaze +date: 2020/07/13 +description: Detects Dllhost that communicates with public IP addresses +detection: + SELECTION_1: + EventID: 3 + SELECTION_10: + DestinationIp: 172.20.* + SELECTION_11: + DestinationIp: 172.21.* + SELECTION_12: + DestinationIp: 172.22.* + SELECTION_13: + DestinationIp: 172.23.* + SELECTION_14: + DestinationIp: 172.24.* + SELECTION_15: + DestinationIp: 172.25.* + SELECTION_16: + DestinationIp: 172.26.* + SELECTION_17: + DestinationIp: 172.27.* + SELECTION_18: + DestinationIp: 172.28.* + SELECTION_19: + DestinationIp: 172.29.* + SELECTION_2: + Image: '*\dllhost.exe' + SELECTION_20: + DestinationIp: 172.30.* + SELECTION_21: + DestinationIp: 172.31.* + SELECTION_22: + DestinationIp: 127.* + SELECTION_3: + Initiated: 'true' + SELECTION_4: + DestinationIp: 10.* + SELECTION_5: + DestinationIp: 192.168.* + SELECTION_6: + DestinationIp: 172.16.* + SELECTION_7: + DestinationIp: 172.17.* + SELECTION_8: + DestinationIp: 172.18.* + SELECTION_9: + DestinationIp: 172.19.* + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 + or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 + or SELECTION_20 or SELECTION_21 or SELECTION_22))) +falsepositives: +- Communication to other corporate systems that use IP addresses from public address + spaces +id: cfed2f44-16df-4bf3-833a-79405198b277 +level: medium +logsource: + category: network_connection + product: windows +modified: 2020/08/24 +references: +- https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml +status: experimental +tags: +- attack.defense_evasion +- attack.t1218 +- attack.execution +- attack.t1559.001 +- attack.t1175 +yml_filename: sysmon_dllhost_net_connections.yml 
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_dns_over_https_enabled.yml b/rules/Sigma/sysmon_dns_over_https_enabled.yml new file mode 100644 index 00000000..1bfed2fd --- /dev/null +++ b/rules/Sigma/sysmon_dns_over_https_enabled.yml 
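Review bot: The private-range exclusion in the `not (...)` group is IPv4-only and the rule never constrains `DestinationIsIpv6`, so any IPv6 destination — including link-local `fe80::` and `::1` loopback — passes the filter and alerts, whereas the sibling sysmon_excel_outbound_network_connection.yml guards this with `DestinationIsIpv6: 'false'`. Adding the same selection (`SELECTION_23: DestinationIsIpv6: 'false'` and `and SELECTION_23` in the positive part of the condition) would make the two rules consistent. IPv4 link-local `169.254.*` is also absent from the exclusion list in both rules and can be a source of benign local traffic.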
@@ -0,0 +1,49 @@ +title: DNS-over-HTTPS Enabled by Registry +author: Austin Songer +date: 2021/07/22 +description: Detects when a user enables DNS-over-HTTPS. This can be used to hide + internet activity or be used to hide the process of exfiltrating data. With this + enabled organization will lose visibility into data such as query type, response + and originating IP that are used to determine bad actors. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' + SELECTION_5: + Details: DWORD (1) + SELECTION_6: + TargetObject: '*\SOFTWARE\Google\Chrome\DnsOverHttpsMode' + SELECTION_7: + Details: DWORD (secure) + SELECTION_8: + TargetObject: '*\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' + SELECTION_9: + Details: DWORD (1) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and + SELECTION_5) or (SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9))) +falsepositives: +- Unlikely +id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/09/08 +references: +- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html +- https://github.com/elastic/detection-rules/issues/1371 +- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode +- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS +status: experimental +tags: +- attack.defense_evasion +- attack.t1140 +- attack.t1112 +yml_filename: sysmon_dns_over_https_enabled.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_efspotato_namedpipe.yml b/rules/Sigma/sysmon_efspotato_namedpipe.yml new file mode 100644 index 00000000..5c507448 --- /dev/null +++ b/rules/Sigma/sysmon_efspotato_namedpipe.yml 
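Review bot: `SELECTION_7: Details: DWORD (secure)` cannot match a real event: the Chrome `DnsOverHttpsMode` policy referenced in this rule is a string value with settings such as `secure`, so Sysmon records its data as the bare string and `Details: secure` is the value to match. The Edge and Firefox branches, `Details: DWORD (1)`, likewise lack the `DWORD (0x00000001)` form Sysmon writes for DWORD data. As written none of the three branches can fire, so the rule should be re-tested against real Sysmon events after the fix.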
@@ -0,0 +1,38 @@ +title: EfsPotato Named Pipe +author: Florian Roth +date: 2021/08/23 +description: Detects the pattern of a pipe name as used by the tool EfsPotato +detection: + SELECTION_1: + EventID: 17 + SELECTION_2: + EventID: 18 + SELECTION_3: + PipeName: '*\pipe\\*' + SELECTION_4: + PipeName: '*\pipe\srvsvc*' + condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4)) +falsepositives: +- Unknown +id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 +level: critical +logsource: + category: pipe_created + definition: Note that you have to configure logging for Named Pipe Events in Sysmon + config (Event ID 17 and Event ID 18). The basic configuration is in popular + sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but + it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, + https://github.com/olafhartong/sysmon-modular. How to test detection? You + can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + product: windows +references: +- https://twitter.com/SBousseaden/status/1429530155291193354?s=20 +- https://github.com/zcgonvh/EfsPotato +status: experimental +tags: +- attack.defense_evasion +- attack.privilege_escalation +- attack.t1055 +yml_filename: sysmon_efspotato_namedpipe.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created + diff --git a/rules/Sigma/sysmon_enabling_cor_profiler_env_variables.yml b/rules/Sigma/sysmon_enabling_cor_profiler_env_variables.yml new file mode 100644 index 00000000..d5849315 --- /dev/null +++ b/rules/Sigma/sysmon_enabling_cor_profiler_env_variables.yml 
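Review bot: `SELECTION_4: PipeName: '*\pipe\srvsvc*'` is a strict subset of `SELECTION_3: PipeName: '*\pipe\\*'` when the trailing `\\*` is read as a literal backslash followed by a wildcard, so the `or` between them adds nothing; either drop SELECTION_4 or, if srvsvc was meant to be the specific indicator, tighten SELECTION_3 instead. That escape is the load-bearing part of the rule and the same `\\*` form is used in sysmon_delete_prefetch.yml (`C:\Windows\Prefetch\\*`), sysmon_disable_microsoft_office_security_features.yml and sysmon_expand_cabinet_files.yml, so it is worth confirming once that the consumer's wildcard escaping treats `\\` as one literal backslash, since a mismatch would silently break all four rules.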
@@ -0,0 +1,35 @@ +title: Enabling COR Profiler Environment Variables +author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) +date: 2020/09/10 +description: This rule detects cor_enable_profiling and cor_profiler environment variables + being set and configured. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\COR_ENABLE_PROFILING' + SELECTION_5: + TargetObject: '*\COR_PROFILER' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +id: ad89044a-8f49-4673-9a55-cbd88a1b374f +level: high +logsource: + category: registry_event + product: windows +references: +- https://twitter.com/jamieantisocial/status/1304520651248668673 +- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors +- https://www.sans.org/cyber-security-summit/archives +status: experimental +tags: +- attack.persistence +- attack.privilege_escalation +- attack.defense_evasion +- attack.t1574.012 +yml_filename: sysmon_enabling_cor_profiler_env_variables.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_etw_disabled.yml b/rules/Sigma/sysmon_etw_disabled.yml new file mode 100644 index 00000000..2655cef4 --- /dev/null +++ b/rules/Sigma/sysmon_etw_disabled.yml 
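Review bot: The rule has no `falsepositives` key, unlike every other rule in this patch, and this one needs it: `COR_ENABLE_PROFILING` and `COR_PROFILER` are the documented way to attach a CLR profiler, so developer machines running profilers and hosts with .NET APM or monitoring agents set these values legitimately. Suggest adding `falsepositives:` with an entry such as `- .NET profiling and APM agents that register a CLR profiler via COR_PROFILER`, and reconsidering whether `level: high` holds on hosts where such agents are deployed.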
@@ -0,0 +1,40 @@ +title: COMPlus_ETWEnabled Registry Modification +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/06/05 +description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*SOFTWARE\Microsoft\.NETFramework\ETWEnabled' + SELECTION_5: + Details: DWORD (0x00000000) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5) +falsepositives: +- unknown +id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +level: critical +logsource: + category: registry_event + product: windows +references: +- https://twitter.com/_xpn_/status/1268712093928378368 +- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr +- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables +- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 +- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 +- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ +- https://bunnyinside.com/?term=f71e8cb9c76a +- http://managed670.rssing.com/chan-5590147/all_p1.html +- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code +status: experimental +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_etw_disabled.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + 
diff --git a/rules/Sigma/sysmon_excel_outbound_network_connection.yml b/rules/Sigma/sysmon_excel_outbound_network_connection.yml new file mode 100644 index 00000000..8590f3d9 --- /dev/null +++ b/rules/Sigma/sysmon_excel_outbound_network_connection.yml 
@@ -0,0 +1,82 @@ +title: Excel Network Connections +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0" +date: 2021/11/10 +description: Detects an Excel process that opens suspicious network connections to + non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely + have to tune this rule for your organization, but it is certainly something you + should look for and could have applications for malicious activity beyond CVE-2021-42292. +detection: + SELECTION_1: + EventID: 3 + SELECTION_10: + DestinationIp: 172.19.* + SELECTION_11: + DestinationIp: 172.20.* + SELECTION_12: + DestinationIp: 172.21.* + SELECTION_13: + DestinationIp: 172.22.* + SELECTION_14: + DestinationIp: 172.23.* + SELECTION_15: + DestinationIp: 172.24.* + SELECTION_16: + DestinationIp: 172.25.* + SELECTION_17: + DestinationIp: 172.26.* + SELECTION_18: + DestinationIp: 172.27.* + SELECTION_19: + DestinationIp: 172.28.* + SELECTION_2: + Image: '*\excel.exe' + SELECTION_20: + DestinationIp: 172.29.* + SELECTION_21: + DestinationIp: 172.30.* + SELECTION_22: + DestinationIp: 172.31.* + SELECTION_23: + DestinationIp: 127.0.0.1* + SELECTION_24: + DestinationIsIpv6: 'false' + SELECTION_3: + Initiated: 'true' + SELECTION_4: + DestinationIsIpv6: 'false' + SELECTION_5: + DestinationIp: 10.* + SELECTION_6: + DestinationIp: 192.168.* + SELECTION_7: + DestinationIp: 172.16.* + SELECTION_8: + DestinationIp: 172.17.* + SELECTION_9: + DestinationIp: 172.18.* + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not + ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 + or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24)) +falsepositives: +- You may have to tune certain domains out that Excel may call out to, such 
as microsoft + or other business use case domains. +- Office documents commonly have templates that refer to external addresses, like + sharepoint.ourcompany.com may have to be tuned. +- It is highly recomended to baseline your activity and tune out common business use + cases. +id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 +level: medium +logsource: + category: network_connection + product: windows +references: +- https://corelight.com/blog/detecting-cve-2021-42292 +status: experimental +tags: +- attack.execution +- attack.t1203 +yml_filename: sysmon_excel_outbound_network_connection.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_expand_cabinet_files.yml b/rules/Sigma/sysmon_expand_cabinet_files.yml new file mode 100644 index 00000000..47472d53 --- /dev/null +++ b/rules/Sigma/sysmon_expand_cabinet_files.yml 
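Review bot: In the condition, the inner `and SELECTION_24` (`DestinationIsIpv6: 'false'`) inside the `not (...)` group is redundant, because the identical SELECTION_4 is already required outside the negation; it only obscures what the private-range exclusion does. The loopback exclusion `DestinationIp: 127.0.0.1*` is also narrower than the `127.*` used in the sibling sysmon_dllhost_net_connections.yml, so connections to other 127/8 addresses alert here but not there; aligning on `127.*` would make the two rules behave the same. The author field `Florian Roth '@Neo23x0"` has mismatched quotes — harmless inside a plain scalar, but worth fixing.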
@@ -0,0 +1,49 @@ +title: Cabinet File Expansion +author: Bhabesh Raj +date: 2021/07/30 +description: Adversaries can use the inbuilt expand utility to decompress cab files + as seen in recent Iranian MeteorExpress attack +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\expand.exe' + SELECTION_3: + CommandLine: '*.cab*' + SELECTION_4: + CommandLine: '*/F:*' + SELECTION_5: + CommandLine: '*-F:*' + SELECTION_6: + CommandLine: '*C:\ProgramData\\*' + SELECTION_7: + CommandLine: '*C:\Public\\*' + SELECTION_8: + CommandLine: '*\AppData\Local\Temp\\*' + SELECTION_9: + CommandLine: '*\AppData\Roaming\Temp\\*' + condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) +falsepositives: +- System administrator Usage +fields: +- ComputerName +- User +- CommandLine +- ParentCommandLine +id: 9f107a84-532c-41af-b005-8d12a607639f +level: medium +logsource: + category: process_creation + product: windows +modified: 2021/08/31 +references: +- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll +- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ +status: experimental +tags: +- attack.execution +- attack.t1218 +yml_filename: sysmon_expand_cabinet_files.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_foggyweb_nobelium.yml b/rules/Sigma/sysmon_foggyweb_nobelium.yml new file mode 100644 index 00000000..145cac4b --- /dev/null +++ b/rules/Sigma/sysmon_foggyweb_nobelium.yml 
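Review bot: `SELECTION_7: CommandLine: '*C:\Public\\*'` points at a path that does not exist on a default Windows install — the shared profile is `C:\Users\Public` — so this selection presumably never matches; `'*C:\Users\Public\\*'` is likely what was intended, unless the original author deliberately targets a non-standard directory. Separately, `SELECTION_3: CommandLine: '*.cab*'` makes the rule fire on every `expand.exe` invocation that names a .cab, which is the tool's ordinary use, so `level: medium` with `falsepositives: System administrator Usage` will be noisy wherever deployments ship cabinet files; stating that expected noise in the description would help tuning.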
@@ -0,0 +1,23 @@ +title: FoggyWeb Backdoor DLL Loading +author: Florian Roth +date: 2021/09/27 +description: Detects DLL image load activity as used by FoggyWeb backdoor loader +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: C:\Windows\ADFS\version.dll + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unlikely +id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c +level: critical +logsource: + category: image_load + product: windows +references: +- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ +status: experimental +yml_filename: sysmon_foggyweb_nobelium.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_ghostpack_safetykatz.yml b/rules/Sigma/sysmon_ghostpack_safetykatz.yml new file mode 100644 index 00000000..f27d8af8 --- /dev/null +++ b/rules/Sigma/sysmon_ghostpack_safetykatz.yml @@ -0,0 +1,28 @@ +title: Detection of SafetyKatz +author: Markus Neis +date: 2018/07/24 +description: Detects possible SafetyKatz Behaviour +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*\Temp\debug.bin' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: e074832a-eada-4fd7-94a1-10642b130e16 +level: high +logsource: + category: file_event + product: windows +modified: 2020/08/23 +references: +- https://github.com/GhostPack/SafetyKatz +status: experimental +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.001 +yml_filename: sysmon_ghostpack_safetykatz.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_hack_wce.yml b/rules/Sigma/sysmon_hack_wce.yml new file mode 100644 index 00000000..6740e6d3 --- /dev/null +++ b/rules/Sigma/sysmon_hack_wce.yml 
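Review bot: `SELECTION_2: Image: C:\Windows\ADFS\version.dll` matches the wrong field for an `image_load` (Sysmon Event ID 7) rule: in that event `Image` is the process that performed the load, while the DLL path is carried in `ImageLoaded`, so as written the selection cannot match the loader behaviour the description names. Change it to `ImageLoaded: C:\Windows\ADFS\version.dll`. The rule also has no `tags` key while the neighbouring sysmon_ghostpack_safetykatz.yml hunk does; adding `attack.persistence` and the matching technique tag would keep the set consistent with the rest of the patch.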
@@ -0,0 +1,39 @@ +title: Windows Credential Editor +author: Florian Roth +date: 2019/12/31 +description: Detects the use of Windows Credential Editor (WCE) +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + EventID: 1 + SELECTION_3: + Imphash: a53a02b997935fd8eedcb5f7abab9b9f + SELECTION_4: + Imphash: e96a73c7bf33a464c510ede582318bf2 + SELECTION_5: + CommandLine: '*.exe -S' + SELECTION_6: + ParentImage: '*\services.exe' + SELECTION_7: + Image: '*\clussvc.exe' + condition: (SELECTION_1 and (SELECTION_2 and ((SELECTION_3 or SELECTION_4) or + (SELECTION_5 and SELECTION_6))) and not (SELECTION_7)) +falsepositives: +- Another service that uses a single -s command line switch +id: 7aa7009a-28b9-4344-8c1f-159489a390df +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/07/15 +references: +- https://www.ampliasecurity.com/research/windows-credentials-editor/ +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.001 +- attack.s0005 +yml_filename: sysmon_hack_wce.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_hack_wce_reg.yml b/rules/Sigma/sysmon_hack_wce_reg.yml new file mode 100644 index 00000000..9c039f1b --- /dev/null +++ b/rules/Sigma/sysmon_hack_wce_reg.yml 
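Review bot: `SELECTION_1` and `SELECTION_2` are both `EventID: 1` and the condition requires both (`SELECTION_1 and (SELECTION_2 and ...)`), so one of them is a conversion artifact that suggests two distinct event types are being checked. Keeping a single EventID selection and writing `condition: (SELECTION_1 and ((SELECTION_3 or SELECTION_4) or (SELECTION_5 and SELECTION_6)) and not SELECTION_7)` expresses the same logic more readably. The `CommandLine: '*.exe -S'` branch presumably matches case-insensitively, which is why the falsepositives entry talks about a lowercase `-s` switch; the description could say so explicitly.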
@@ -0,0 +1,32 @@ +title: Windows Credential Editor Registry +author: Florian Roth +date: 2019/12/31 +description: Detects the use of Windows Credential Editor (WCE) +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*Services\WCESERVICE\Start*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- Unknown +id: a6b33c02-8305-488f-8585-03cb2a7763f2 +level: critical +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- https://www.ampliasecurity.com/research/windows-credentials-editor/ +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.001 +- attack.s0005 +yml_filename: sysmon_hack_wce_reg.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_high_integrity_sdclt.yml b/rules/Sigma/sysmon_high_integrity_sdclt.yml new file mode 100644 index 00000000..4764785e --- /dev/null +++ b/rules/Sigma/sysmon_high_integrity_sdclt.yml 
@@ -0,0 +1,31 @@ +title: High Integrity Sdclt Process +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A General detection for sdclt being spawned as an elevated process. This + could be an indicator of sdclt being used for bypass UAC techniques. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*sdclt.exe' + SELECTION_3: + IntegrityLevel: High + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- unknown +id: 40f9af16-589d-4984-b78d-8c2aec023197 +level: medium +logsource: + category: process_creation + product: windows +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/6 +- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html +status: experimental +tags: +- attack.privilege_escalation +- attack.defense_evasion +- attack.t1548.002 +yml_filename: sysmon_high_integrity_sdclt.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/Sigma/sysmon_hybridconnectionmgr_svc_installation.yml new file mode 100644 index 00000000..46517e2c --- /dev/null +++ b/rules/Sigma/sysmon_hybridconnectionmgr_svc_installation.yml 
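Review bot: `Image: '*sdclt.exe'` lacks the path separator that every other Image pattern in this patch uses (`'*\powershell.exe'`, `'*\dllhost.exe'`, `'*\expand.exe'`), so it also matches any executable whose name merely ends in `sdclt.exe`. Use `Image: '*\sdclt.exe'` for consistency and precision.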
@@ -0,0 +1,32 @@ +title: HybridConnectionManager Service Installation +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2021/04/12 +description: Detects the installation of the Azure Hybrid Connection Manager service + to allow remote code execution from Azure function. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Services\HybridConnectionManager*' + SELECTION_5: + Details: '*Microsoft.HybridConnectionManager.Listener.exe*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 +level: high +logsource: + category: registry_event + product: windows +references: +- https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +status: experimental +tags: +- attack.persistence +yml_filename: sysmon_hybridconnectionmgr_svc_installation.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_in_memory_assembly_execution.yml b/rules/Sigma/sysmon_in_memory_assembly_execution.yml new file mode 100644 index 00000000..c956517f --- /dev/null +++ b/rules/Sigma/sysmon_in_memory_assembly_execution.yml 
@@ -0,0 +1,80 @@
+title: Suspicious In-Memory Module Execution
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+description: Detects the access to processes by other suspicious processes which have
+ reflectively loaded libraries in their memory space. An example is SilentTrinity
+ C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
+ call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
+ the module name. Usually this means the stack call points to a module that was
+ reflectively loaded in memory. Adding to this, it is not common to see such few
+ calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially
+ means that most of the functions required by the process to execute certain routines
+ are already present in memory, not requiring any calls to external libraries.
+ The latter should also be considered suspicious.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_10:
+ GrantedAccess: '0x1F0FFF'
+ SELECTION_11:
+ GrantedAccess: '0x1F1FFF'
+ SELECTION_12:
+ GrantedAccess: '0x143A'
+ SELECTION_13:
+ GrantedAccess: '0x1410'
+ SELECTION_14:
+ GrantedAccess: '0x1010'
+ SELECTION_15:
+ GrantedAccess: '0x1F2FFF'
+ SELECTION_16:
+ GrantedAccess: '0x1F3FFF'
+ SELECTION_17:
+ GrantedAccess: '0x1FFFFF'
+ SELECTION_18:
+ SourceImage: '*\Windows\System32\sdiagnhost.exe'
+ SELECTION_2:
+ CallTrace: '*C:\WINDOWS\SYSTEM32\ntdll.dll+*'
+ SELECTION_3:
+ CallTrace: '*|C:\WINDOWS\System32\KERNELBASE.dll+*'
+ SELECTION_4:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_5:
+ CallTrace: '*)*'
+ SELECTION_6:
+ CallTrace: '*UNKNOWN(*'
+ SELECTION_7:
+ CallTrace: '*)|UNKNOWN(*'
+ SELECTION_8:
+ CallTrace: '*)'
+ SELECTION_9:
+ CallTrace: '*UNKNOWN*'
+ condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9
+ and (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+ or SELECTION_15 or SELECTION_16 or SELECTION_17)) and not ((SELECTION_18)))))
+falsepositives:
+- Low
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/10/21
+references:
+- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055.001
+- attack.t1055.002
+- attack.t1055
+yml_filename: sysmon_in_memory_assembly_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_in_memory_powershell.yml b/rules/Sigma/sysmon_in_memory_powershell.yml
new file mode 100644
index 00000000..da410a09
--- /dev/null
+++ b/rules/Sigma/sysmon_in_memory_powershell.yml
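Review bot: The sdiagnhost.exe exclusion (`and not ((SELECTION_18))`) sits inside the third OR branch of the condition, so it only suppresses the `*UNKNOWN*`-plus-GrantedAccess case; an event from sdiagnhost.exe whose CallTrace matches the ntdll→KERNELBASE→UNKNOWN pattern of SELECTION_2–5 or the `)|UNKNOWN(` pattern of SELECTION_6–8 still alerts at level critical. If the exclusion is meant for the whole rule it belongs at the top level, `condition: (SELECTION_1 and ((...) or (...) or (...)) and not SELECTION_18)`. SELECTION_5 (`CallTrace: '*)*'`) is implied by SELECTION_4, because every `UNKNOWN(` frame is closed by a `)`, so it adds no selectivity and could be dropped or explained with a comment.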
@@ -0,0 +1,66 @@
+title: In-memory PowerShell
+author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
+date: 2019/11/14
+description: Detects loading of essential DLL used by PowerShell, but not by the process
+ powershell.exe. Detects meterpreter's "load powershell" extension.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_10:
+ Image: '*\wsmprovhost.exe'
+ SELECTION_11:
+ Image: '*\winrshost.exe'
+ SELECTION_12:
+ Image: '*\syncappvpublishingserver.exe'
+ SELECTION_13:
+ Image: '*\runscripthelper.exe'
+ SELECTION_14:
+ Image: '*\ServerManager.exe'
+ SELECTION_15:
+ Image: '*\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
+ SELECTION_2:
+ ImageLoaded: '*\System.Management.Automation.Dll'
+ SELECTION_3:
+ ImageLoaded: '*\System.Management.Automation.ni.Dll'
+ SELECTION_4:
+ Image: '*\powershell.exe'
+ SELECTION_5:
+ Image: '*\powershell_ise.exe'
+ SELECTION_6:
+ Image: '*\WINDOWS\System32\sdiagnhost.exe'
+ SELECTION_7:
+ Image: '*\mscorsvw.exe'
+ SELECTION_8:
+ Image: '*\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
+ SELECTION_9:
+ Image: '*\sqlps.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4
+ or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
+ or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+ or SELECTION_15)))
+enrichment:
+- EN_0001_cache_sysmon_event_id_1_info
+- EN_0003_enrich_other_sysmon_events_with_event_id_1_data
+falsepositives:
+- Used by some .NET binaries, minimal on user workstation.
+- Used by Microsoft SQL Server Management Studio
+id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/11/11
+references:
+- https://adsecurity.org/?p=2921
+- https://github.com/p3nt4/PowerShdll
+related:
+- id: 867613fb-fa60-4497-a017-a82df74a172c
+ type: obsoletes
+status: experimental
+tags:
+- attack.t1086
+- attack.t1059.001
+- attack.execution
+yml_filename: sysmon_in_memory_powershell.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_invoke_phantom.yml b/rules/Sigma/sysmon_invoke_phantom.yml
new file mode 100644
index 00000000..0516ecf2
--- /dev/null
+++ b/rules/Sigma/sysmon_invoke_phantom.yml
@@ -0,0 +1,34 @@
+title: Suspect Svchost Memory Asccess
+author: Tim Burrell
+date: 2020/01/02
+description: Detects suspect access to svchost process memory such as that used by
+ Invoke-Phantom to kill the winRM windows event logging service.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\WINDOWS\System32\svchost.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1F3FFF'
+ SELECTION_4:
+ CallTrace: '*UNKNOWN*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/10/21
+references:
+- https://github.com/hlldz/Invoke-Phant0m
+- https://twitter.com/timbmsft/status/900724491076214784
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.002
+- attack.t1089
+yml_filename: sysmon_invoke_phantom.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/Sigma/sysmon_lazagne_cred_dump_lsass_access.yml
new file mode 100644
index 00000000..8ba75ce6
--- /dev/null
+++ b/rules/Sigma/sysmon_lazagne_cred_dump_lsass_access.yml
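Review bot: `pwsh.exe` is missing from the exclusion group: PowerShell 6/7 loads `System.Management.Automation.dll` from its own install directory on start, as far as I can tell, so every pwsh session would satisfy SELECTION_1 and SELECTION_2 and raise this high-level alert, and neither the description nor the false-positive entries mention it. Adding `SELECTION_16: Image: '*\pwsh.exe'` to the `not` group, or stating in the description that PowerShell Core is deliberately in scope, would settle it. The tag `attack.t1086` is the retired PowerShell technique ID that ATT&CK folded into T1059.001, which is already listed, so it can be dropped. A sentence noting that the exclusions match on file name only, so a host binary copied elsewhere under one of these names is also excluded, would set expectations for tuning.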
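Review bot: The title `Suspect Svchost Memory Asccess` has a typo (`Access`), and `attack.t1089` is the retired Disabling Security Tools ID that ATT&CK replaced with T1562.001, so the tag list should carry `attack.t1562.001` (or only the `attack.t1562.002` already present) rather than the old number. The detection depends on an exact `GrantedAccess: '0x1F3FFF'` and the description names only Invoke-Phantom; a sentence stating that access to svchost.exe with any other mask is intentionally out of scope would help whoever tunes this rule understand its coverage.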
@@ -0,0 +1,38 @@
+title: Credential Dumping by LaZagne
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+description: Detects LSASS process access by LaZagne for credential dumping.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ CallTrace: '*C:\\Windows\\SYSTEM32\\ntdll.dll+*'
+ SELECTION_4:
+ CallTrace: '*|C:\\Windows\\System32\\KERNELBASE.dll+*'
+ SELECTION_5:
+ CallTrace: '*_ctypes.pyd+*'
+ SELECTION_6:
+ CallTrace: '*python27.dll+*'
+ SELECTION_7:
+ GrantedAccess: '0x1FFFFF'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6 and SELECTION_7)
+falsepositives:
+- Unknown
+id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+level: critical
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://twitter.com/bh4b3sh/status/1303674603819081728
+status: stable
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.s0349
+yml_filename: sysmon_lazagne_cred_dump_lsass_access.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_littlecorporal_generated_maldoc.yml b/rules/Sigma/sysmon_littlecorporal_generated_maldoc.yml
new file mode 100644
index 00000000..7fa76c84
--- /dev/null
+++ b/rules/Sigma/sysmon_littlecorporal_generated_maldoc.yml
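Review bot: The CallTrace patterns in SELECTION_3 and SELECTION_4 write the path separators as `\\` (`'*C:\\Windows\\SYSTEM32\\ntdll.dll+*'`), while sysmon_in_memory_assembly_execution.yml in the same commit writes the identical ntdll/KERNELBASE frames with a single backslash (`'*C:\WINDOWS\SYSTEM32\ntdll.dll+*'`). Inside YAML single quotes both forms are literal, so which one matches depends on whether the consumer applies Sigma's backslash unescaping; only one of the two spellings can match a real Sysmon call trace, and this rule is `level: critical` with `status: stable`. Normalising both rules to one convention and checking them against a recorded Event ID 10 call trace would remove the doubt.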
@@ -0,0 +1,31 @@
+title: LittleCorporal Generated Maldoc Injection
+author: Christian Burkard
+date: 2021/08/09
+description: Detects the process injection of a LittleCorporal generated Maldoc.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ SourceImage: '*winword.exe'
+ SELECTION_3:
+ CallTrace: '*:\Windows\Microsoft.NET\Framework64\v2.*'
+ SELECTION_4:
+ CallTrace: '*UNKNOWN*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://github.com/connormcgarr/LittleCorporal
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1055.003
+yml_filename: sysmon_littlecorporal_generated_maldoc.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/Sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
new file mode 100644
index 00000000..c6562d03
--- /dev/null
+++ b/rules/Sigma/sysmon_load_undocumented_autoelevated_com_interface.yml
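Review bot: SELECTION_3 anchors on `Framework64\v2.*`, the 64-bit CLR directory, so a 32-bit winword.exe (still a common Office build) that loads the v2 runtime from `Microsoft.NET\Framework\v2.*` does not match and the rule stays silent for it. If 32-bit Office is in scope, a second selection `CallTrace: '*:\Windows\Microsoft.NET\Framework\v2.*'` OR'd with SELECTION_3 would cover it, and the description should state which architectures are observed. The only reference is the tool's repository; one sentence on why a v2 CLR frame combined with an `UNKNOWN` frame is the discriminating feature would help anyone tuning the rule later.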
@@ -0,0 +1,34 @@
+title: Load Undocumented Autoelevated COM Interface
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ CallTrace: '*editionupgrademanagerobj.dll*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+- CallTrace
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+level: high
+logsource:
+ category: process_access
+ product: windows
+references:
+- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_load_undocumented_autoelevated_com_interface.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
new file mode 100644
index 00000000..860bd884
--- /dev/null
+++ b/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
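Review bot: `description: COM interface (EditionUpgradeManager) that is not used by standard executables.` describes the object rather than the detection: it says neither which events are matched nor why the match is suspicious. Something like `Detects Sysmon process access events whose call trace includes editionupgrademanagerobj.dll, the undocumented auto-elevated EditionUpgradeManager COM interface that standard executables do not load and that has been used for UAC bypass` would state what SELECTION_1 and SELECTION_2 actually look for. `falsepositives: - unknown` could also note that the check is a substring match on the whole CallTrace, so any process that legitimately loads that DLL will alert at level high.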
@@ -0,0 +1,40 @@
+title: Logon Scripts (UserInitMprLogonScript)
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ EventID: 1
+ SELECTION_3:
+ ParentImage: '*\userinit.exe'
+ SELECTION_4:
+ Image: '*\explorer.exe'
+ SELECTION_5:
+ CommandLine: '*netlogon.bat*'
+ SELECTION_6:
+ CommandLine: '*UsrLogon.cmd*'
+ SELECTION_7:
+ CommandLine: '*UserInitMprLogonScript*'
+ condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 and not (SELECTION_4))
+ and not ((SELECTION_5 or SELECTION_6))) or SELECTION_7))
+falsepositives:
+- exclude legitimate logon scripts
+- penetration tests, red teaming
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://attack.mitre.org/techniques/T1037/
+status: experimental
+tags:
+- attack.t1037
+- attack.t1037.001
+- attack.persistence
+yml_filename: sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
new file mode 100644
index 00000000..1e5de4ca
--- /dev/null
+++ b/rules/Sigma/sysmon_logon_scripts_userinitmprlogonscript_reg.yml
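Review bot: SELECTION_1 and SELECTION_2 are both `EventID: 1` and the condition ANDs them (`SELECTION_1 and ((SELECTION_2 and ...`), so the second selection is a duplicate that adds nothing; a single EventID selection with `condition: (SELECTION_1 and ((SELECTION_3 and not SELECTION_4 and not (SELECTION_5 or SELECTION_6)) or SELECTION_7))` matches the same events and reads more clearly. The `falsepositives` entries `exclude legitimate logon scripts` and `penetration tests, red teaming` are phrased as instructions rather than as sources of benign hits; `- Legitimate logon scripts launched by userinit.exe other than netlogon.bat and UsrLogon.cmd` would tell the analyst what the filter already covers. The description (`UserInitMprLogonScript persistence method`) does not make clear that the first branch fires for every child of userinit.exe that is not explorer.exe, regardless of whether the registry value is involved.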
@@ -0,0 +1,34 @@
+title: Logon Scripts (UserInitMprLogonScript) Registry
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation or execution of UserInitMprLogonScript persistence method
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*UserInitMprLogonScript*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- exclude legitimate logon scripts
+- penetration tests, red teaming
+id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2020/07/01
+references:
+- https://attack.mitre.org/techniques/T1037/
+status: experimental
+tags:
+- attack.t1037
+- attack.t1037.001
+- attack.persistence
+- attack.lateral_movement
+yml_filename: sysmon_logon_scripts_userinitmprlogonscript_reg.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_long_powershell_commandline.yml b/rules/Sigma/sysmon_long_powershell_commandline.yml
new file mode 100644
index 00000000..9b456010
--- /dev/null
+++ b/rules/Sigma/sysmon_long_powershell_commandline.yml
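Review bot: The tag list includes `attack.lateral_movement`, but T1037 / T1037.001 (Boot or Logon Initialization Scripts) is filed under Persistence and Privilege Escalation in ATT&CK as far as I recall, and nothing in the rule (registry writes to `*UserInitMprLogonScript*`) involves movement between hosts; the companion process rule in this commit carries only `attack.persistence`. Replacing it with `attack.privilege_escalation` would keep the two rules aligned with each other and with the technique. The `falsepositives` entries use the same instruction-style wording as the process rule (`exclude legitimate logon scripts`) and could name the benign source instead, e.g. administrators or Group Policy setting a logon script through this value.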
@@ -0,0 +1,36 @@
+title: Too Long PowerShell Commandlines
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects Too long PowerShell command lines
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*powershell*'
+ SELECTION_3:
+ CommandLine: '*pwsh*'
+ SELECTION_4:
+ Description: Windows Powershell
+ SELECTION_5:
+ Product: PowerShell Core 6
+ SELECTION_6:
+ CommandLine|re: .{1000,}
+ condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or SELECTION_4 or SELECTION_5)
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/05/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_long_powershell_commandline.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_lsass_dump_comsvcs_dll.yml b/rules/Sigma/sysmon_lsass_dump_comsvcs_dll.yml
new file mode 100644
index 00000000..e43387d6
--- /dev/null
+++ b/rules/Sigma/sysmon_lsass_dump_comsvcs_dll.yml
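Review bot: SELECTION_5 matches `Product: PowerShell Core 6` only, so PowerShell 7 hosts (whose binary reports a different product string, as far as I know) are covered solely by the `*pwsh*` command-line substring of SELECTION_3, and a long command line handed to a renamed pwsh binary is missed. Either stating that in the description or widening the selection to `Product: PowerShell Core*` would make the coverage explicit. The 1000-character threshold in `CommandLine|re: .{1000,}` is a tuning knob with no explanation; a one-line note on where the number comes from (the referenced talk, presumably) belongs next to it, along with a mention that `.` does not cross embedded newlines in most regex engines, so a multi-line command line may fall short of the count.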
@@ -0,0 +1,33 @@
+title: Lsass Memory Dump via Comsvcs DLL
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
+ via rundll32 to perform a memory dump from lsass.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\System32\rundll32.exe
+ SELECTION_4:
+ CallTrace: '*comsvcs.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+level: critical
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://twitter.com/shantanukhande/status/1229348874298388484
+- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+yml_filename: sysmon_lsass_dump_comsvcs_dll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_lsass_memdump.yml b/rules/Sigma/sysmon_lsass_memdump.yml
new file mode 100644
index 00000000..7c9b9049
--- /dev/null
+++ b/rules/Sigma/sysmon_lsass_memdump.yml
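Review bot: `SourceImage: C:\Windows\System32\rundll32.exe` is the only full-path, wildcard-free image match in this batch; a system root on another drive or a non-default Windows directory makes it miss, which is why the sibling rules use `'*\name.exe'` suffixes. If only the System32 copy is meant, `SourceImage: '*\Windows\System32\rundll32.exe'` keeps that intent without the drive letter; if any rundll32 is acceptable (the `comsvcs.dll` CallTrace check already carries the signal), `'*\rundll32.exe'` is the consistent choice. Whichever is chosen, the description should say whether a renamed or relocated copy of rundll32 is deliberately out of scope.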
@@ -0,0 +1,36 @@
+title: LSASS Memory Dump
+author: Samir Bousseaden
+date: 2019/04/03
+description: Detects process LSASS memory dump using procdump or taskmgr based on
+ the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1fffff'
+ SELECTION_4:
+ CallTrace: '*dbghelp.dll*'
+ SELECTION_5:
+ CallTrace: '*dbgcore.dll*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- unknown
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.001
+- attack.t1003
+- attack.s0002
+yml_filename: sysmon_lsass_memdump.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_lsass_memory_dump_file_creation.yml b/rules/Sigma/sysmon_lsass_memory_dump_file_creation.yml
new file mode 100644
index 00000000..091246e1
--- /dev/null
+++ b/rules/Sigma/sysmon_lsass_memory_dump_file_creation.yml
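Review bot: `GrantedAccess: '0x1fffff'` is written in lowercase hex here, while the other rules in this commit spell the same mask `'0x1FFFFF'` (sysmon_lazagne_cred_dump_lsass_access.yml, sysmon_malware_verclsid_shellcode.yml) and the Sysmon samples I have seen emit the uppercase form; with a case-sensitive backend this rule would never fire. Using `'0x1FFFFF'` removes the dependency on the consumer's case handling. The description's trailing `for win10` is ambiguous, since the dbgcore.dll alternative applies to Windows 10's Task Manager rather than to the whole rule; `CallTrace pointing to dbghelp.dll (procdump) or dbgcore.dll (Task Manager on Windows 10)` would be clearer.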
@@ -0,0 +1,36 @@
+title: LSASS Memory Dump File Creation
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: LSASS memory dump creation using operating systems utilities. Procdump
+ will use process name in output file if no name is specified
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*lsass*'
+ SELECTION_3:
+ TargetFilename: '*dmp'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Dumping lsass memory for forensic investigation purposes by legitimate incident
+ responder or forensic invetigator
+- Dumps of another process that contains lsass in its process name (substring)
+fields:
+- ComputerName
+- TargetFilename
+id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/08/16
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+yml_filename: sysmon_lsass_memory_dump_file_creation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_mal_cobaltstrike.yml b/rules/Sigma/sysmon_mal_cobaltstrike.yml
new file mode 100644
index 00000000..3f6962a0
--- /dev/null
+++ b/rules/Sigma/sysmon_mal_cobaltstrike.yml
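Review bot: `TargetFilename: '*dmp'` (SELECTION_3) matches any file name that merely ends in those three letters, not only a `.dmp` extension, so together with the `'*lsass*'` substring a name such as `lsassdmp` or `lsass_tmp_dmp` also alerts; `'*.dmp'` states the intent and is what procdump and Task Manager actually write. The second false-positive entry already admits the substring problem on the process-name side, so the same caveat should cover the extension. There is a typo in the first false-positive entry, `invetigator` → `investigator`.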
@@ -0,0 +1,50 @@
+title: CobaltStrike Named Pipe
+author: Florian Roth, Wojciech Lesicki
+date: 2021/05/25
+description: Detects the creation of a named pipe as used by CobaltStrike
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: '*\MSSE-*'
+ SELECTION_4:
+ PipeName: '*-server*'
+ SELECTION_5:
+ PipeName: \postex_*
+ SELECTION_6:
+ PipeName: \postex_ssh_*
+ SELECTION_7:
+ PipeName: \status_*
+ SELECTION_8:
+ PipeName: \msagent_*
+ condition: ((SELECTION_1 or SELECTION_2) and ((SELECTION_3 and SELECTION_4) or
+ SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular. How to test detection? You
+ can always use Cobalt Strike, but also you can check powershell script from
+ this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+references:
+- https://twitter.com/d4rksystem/status/1357010969264873472
+- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
+- https://github.com/Neo23x0/sigma/issues/253
+- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+yml_filename: sysmon_mal_cobaltstrike.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
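Review bot: `description: Detects the creation of a named pipe as used by CobaltStrike` is narrower than the condition, which matches both EventID 17 (pipe created) and EventID 18 (pipe connected) through `(SELECTION_1 or SELECTION_2)`; an alert on a connect event is about a client touching an existing pipe, which an analyst reading the description would not expect. `Detects the creation of, or a connection to, a named pipe as used by CobaltStrike` fixes that, and the same wording gap exists in sysmon_mal_cobaltstrike_re.yml and sysmon_mal_namedpipes.yml. The `definition` text is repeated almost verbatim across the three pipe rules; limiting it to the Sysmon configuration requirement (Event ID 17/18 logging) and keeping the testing hints in the reference list would cut the duplication.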
diff --git a/rules/Sigma/sysmon_mal_cobaltstrike_re.yml b/rules/Sigma/sysmon_mal_cobaltstrike_re.yml
new file mode 100644
index 00000000..a2927628
--- /dev/null
+++ b/rules/Sigma/sysmon_mal_cobaltstrike_re.yml
@@ -0,0 +1,80 @@
+title: CobaltStrike Named Pipe Pattern Regex
+author: Florian Roth
+date: 2021/07/30
+description: Detects the creation of a named pipe matching a pattern used by CobaltStrike
+ Malleable C2 profiles
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_10:
+ PipeName|re: \\\\ntsvcs_[0-9a-f]{2}
+ SELECTION_11:
+ PipeName|re: \\\\scerpc_?[0-9a-f]{2}
+ SELECTION_12:
+ PipeName|re: \\\\PGMessagePipe[0-9a-f]{2}
+ SELECTION_13:
+ PipeName|re: \\\\MsFteWds[0-9a-f]{2}
+ SELECTION_14:
+ PipeName|re: \\\\f4c3[0-9a-f]{2}
+ SELECTION_15:
+ PipeName|re: \\\\fullduplex_[0-9a-f]{2}
+ SELECTION_16:
+ PipeName|re: \\\\msrpc_[0-9a-f]{4}
+ SELECTION_17:
+ PipeName|re: \\\\win\\\\msrpc_[0-9a-f]{2}
+ SELECTION_18:
+ PipeName|re: \\\\f53f[0-9a-f]{2}
+ SELECTION_19:
+ PipeName|re: \\\\rpc_[0-9a-f]{2}
+ SELECTION_2:
+ EventID: 18
+ SELECTION_20:
+ PipeName|re: \\\\spoolss_[0-9a-f]{2}
+ SELECTION_21:
+ PipeName|re: \\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,
+ SELECTION_3:
+ PipeName|re: \\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
+ SELECTION_4:
+ PipeName|re: \\\\wkssvc_?[0-9a-f]{2}
+ SELECTION_5:
+ PipeName|re: \\\\ntsvcs[0-9a-f]{2}
+ SELECTION_6:
+ PipeName|re: \\\\DserNamePipe[0-9a-f]{2}
+ SELECTION_7:
+ PipeName|re: \\\\SearchTextHarvester[0-9a-f]{2}
+ SELECTION_8:
+ PipeName|re: \\\\mypipe\-(?:f|h)[0-9a-f]{2}
+ SELECTION_9:
+ PipeName|re: \\\\windows\.update\.manager[0-9a-f]{2,3}
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21))
+falsepositives:
+- Unknown
+id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular You can also use other repo,
+ e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
+ How to test detection? You can always use Cobalt Strike, but also you can
+ check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+modified: 2021/09/02
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+yml_filename: sysmon_mal_cobaltstrike_re.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_mal_namedpipes.yml b/rules/Sigma/sysmon_mal_namedpipes.yml
new file mode 100644
index 00000000..b0384e87
--- /dev/null
+++ b/rules/Sigma/sysmon_mal_namedpipes.yml
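Review bot: SELECTION_21's regex `\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,` ends with a literal comma that no real pipe name will carry, so that entry can never match; the comma looks like a list separator that survived conversion and should be removed. The patterns are also stored as plain YAML scalars with four backslashes, i.e. a regex for two literal backslashes, whereas Sysmon's PipeName field carries one (`\name`); unless the consumer unescapes the pattern before compiling it, none of SELECTION_3–21 can match, so this deserves a test against a recorded Event ID 17 before the rule ships at level critical. The `definition` block also repeats the sentence `You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` twice; drop one copy.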
@@ -0,0 +1,101 @@
+title: Malicious Named Pipe
+author: Florian Roth, blueteam0ps, elhoim
+date: 2017/11/06
+description: Detects the creation of a named pipe used by known APT malware
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_10:
+ PipeName: \46a676ab7f179e511e30dd2dc41bd388
+ SELECTION_11:
+ PipeName: \9f81f59bc58452127884ce513865ed20
+ SELECTION_12:
+ PipeName: \e710f28d59aa529d6792ca6ff0ca1b34
+ SELECTION_13:
+ PipeName: \rpchlp_3
+ SELECTION_14:
+ PipeName: \NamePipe_MoreWindows
+ SELECTION_15:
+ PipeName: \pcheap_reuse
+ SELECTION_16:
+ PipeName: \gruntsvc
+ SELECTION_17:
+ PipeName: \583da945-62af-10e8-4902-a8f205c72b2e
+ SELECTION_18:
+ PipeName: \bizkaz
+ SELECTION_19:
+ PipeName: \svcctl
+ SELECTION_2:
+ EventID: 18
+ SELECTION_20:
+ PipeName: \Posh*
+ SELECTION_21:
+ PipeName: \jaccdpqnvbrrxlaf
+ SELECTION_22:
+ PipeName: \csexecsvc
+ SELECTION_23:
+ PipeName: \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
+ SELECTION_24:
+ PipeName: \adschemerpc
+ SELECTION_25:
+ PipeName: \AnonymousPipe
+ SELECTION_26:
+ PipeName: \bc367
+ SELECTION_27:
+ PipeName: \bc31a7
+ SELECTION_28:
+ PipeName: \testPipe
+ SELECTION_3:
+ PipeName: \isapi_http
+ SELECTION_4:
+ PipeName: \isapi_dg
+ SELECTION_5:
+ PipeName: \isapi_dg2
+ SELECTION_6:
+ PipeName: \sdlrpc
+ SELECTION_7:
+ PipeName: \ahexec
+ SELECTION_8:
+ PipeName: \winsession
+ SELECTION_9:
+ PipeName: \lsassw
+ condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+ or SELECTION_26 or SELECTION_27 or SELECTION_28))
+falsepositives:
+- Unknown
+id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
+level: critical
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular. How to test detection? You
+ can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+modified: 2021/10/30
+references:
+- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
+- https://securelist.com/faq-the-projectsauron-apt/75533/
+- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+- https://www.us-cert.gov/ncas/alerts/TA17-117A
+- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
+- https://thedfirreport.com/2020/06/21/snatch-ransomware/
+- https://github.com/RiccardoAncarani/LiquidSnake
+- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
+- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
+- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
+- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+yml_filename: sysmon_mal_namedpipes.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_malware_backconnect_ports.yml b/rules/Sigma/sysmon_malware_backconnect_ports.yml
new file mode 100644
index 00000000..57acad65
--- /dev/null
+++ b/rules/Sigma/sysmon_malware_backconnect_ports.yml
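Review bot: `PipeName: \svcctl` (SELECTION_19) names the Service Control Manager's standard RPC endpoint pipe, which is connected to during ordinary remote service management as far as I understand it, so with EventID 18 in the condition and `falsepositives: - Unknown` this `level: critical` rule is likely to fire on routine administration; the entry needs either a comment tying it to the report it came from or a false-positive line such as `- Remote service management connecting to \svcctl`. `\AnonymousPipe` and `\testPipe` are similarly generic names rather than malware-specific artefacts and deserve the same treatment. The references list holds eleven links with no mapping to the 26 pipe names, so a short per-entry attribution would make future pruning of this list possible.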
@@ -0,0 +1,190 @@
+title: Suspicious Typical Malware Back Connect Ports
+author: Florian Roth
+date: 2017/03/19
+description: Detects programs that connect to typical malware back connect ports based
+ on statistical analysis from two different sandbox system databases
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_10:
+ DestinationPort: '13506'
+ SELECTION_11:
+ DestinationPort: '3360'
+ SELECTION_12:
+ DestinationPort: '200'
+ SELECTION_13:
+ DestinationPort: '198'
+ SELECTION_14:
+ DestinationPort: '49180'
+ SELECTION_15:
+ DestinationPort: '13507'
+ SELECTION_16:
+ DestinationPort: '6625'
+ SELECTION_17:
+ DestinationPort: '4444'
+ SELECTION_18:
+ DestinationPort: '4438'
+ SELECTION_19:
+ DestinationPort: '1904'
+ SELECTION_2:
+ Initiated: 'true'
+ SELECTION_20:
+ DestinationPort: '13505'
+ SELECTION_21:
+ DestinationPort: '13504'
+ SELECTION_22:
+ DestinationPort: '12102'
+ SELECTION_23:
+ DestinationPort: '9631'
+ SELECTION_24:
+ DestinationPort: '5445'
+ SELECTION_25:
+ DestinationPort: '2443'
+ SELECTION_26:
+ DestinationPort: '777'
+ SELECTION_27:
+ DestinationPort: '13394'
+ SELECTION_28:
+ DestinationPort: '13145'
+ SELECTION_29:
+ DestinationPort: '12103'
+ SELECTION_3:
+ DestinationPort: '4443'
+ SELECTION_30:
+ DestinationPort: '5552'
+ SELECTION_31:
+ DestinationPort: '3939'
+ SELECTION_32:
+ DestinationPort: '3675'
+ SELECTION_33:
+ DestinationPort: '666'
+ SELECTION_34:
+ DestinationPort: '473'
+ SELECTION_35:
+ DestinationPort: '5649'
+ SELECTION_36:
+ DestinationPort: '4455'
+ SELECTION_37:
+ DestinationPort: '4433'
+ SELECTION_38:
+ DestinationPort: '1817'
+ SELECTION_39:
+ DestinationPort: '100'
+ SELECTION_4:
+ DestinationPort: '2448'
+ SELECTION_40:
+ DestinationPort: '65520'
+ SELECTION_41:
+ DestinationPort: '1960'
+ SELECTION_42:
+ DestinationPort: '1515'
+ SELECTION_43:
+ DestinationPort: '743'
+ SELECTION_44:
+ DestinationPort: '700'
+ SELECTION_45:
+ DestinationPort: '14154'
+ SELECTION_46:
+ DestinationPort: '14103'
+ SELECTION_47:
+ DestinationPort: '14102'
+ SELECTION_48:
+ DestinationPort: '12322'
+ SELECTION_49:
+ DestinationPort: '10101'
+ SELECTION_5:
+ DestinationPort: '8143'
+ SELECTION_50:
+ DestinationPort: '7210'
+ SELECTION_51:
+ DestinationPort: '4040'
+ SELECTION_52:
+ DestinationPort: '9943'
+ SELECTION_53:
+ EventID: 3
+ SELECTION_54:
+ Image: '*\Program Files*'
+ SELECTION_55:
+ DestinationIp: 10.*
+ SELECTION_56:
+ DestinationIp: 192.168.*
+ SELECTION_57:
+ DestinationIp: 172.16.*
+ SELECTION_58:
+ DestinationIp: 172.17.*
+ SELECTION_59:
+ DestinationIp: 172.18.*
+ SELECTION_6:
+ DestinationPort: '1777'
+ SELECTION_60:
+ DestinationIp: 172.19.*
+ SELECTION_61:
+ DestinationIp: 172.20.*
+ SELECTION_62:
+ DestinationIp: 172.21.*
+ SELECTION_63:
+ DestinationIp: 172.22.*
+ SELECTION_64:
+ DestinationIp: 172.23.*
+ SELECTION_65:
+ DestinationIp: 172.24.*
+ SELECTION_66:
+ DestinationIp: 172.25.*
+ SELECTION_67:
+ DestinationIp: 172.26.*
+ SELECTION_68:
+ DestinationIp: 172.27.*
+ SELECTION_69:
+ DestinationIp: 172.28.*
+ SELECTION_7:
+ DestinationPort: '1443'
+ SELECTION_70:
+ DestinationIp: 172.29.*
+ SELECTION_71:
+ DestinationIp: 172.30.*
+ SELECTION_72:
+ DestinationIp: 172.31.*
+ SELECTION_73:
+ DestinationIp: 127.*
+ SELECTION_74:
+ DestinationIsIpv6: 'false'
+ SELECTION_8:
+ DestinationPort: '243'
+ SELECTION_9:
+ DestinationPort: '65535'
+ condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+ or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+ or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
+ or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
+ or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
+ or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
+ or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
+ or SELECTION_51 or SELECTION_52)) and not ((SELECTION_53 and (SELECTION_54
+ or ((SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59
+ or SELECTION_60 or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64
+ or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69
+ or SELECTION_70 or SELECTION_71 or SELECTION_72 or SELECTION_73) and SELECTION_74)))))
+falsepositives:
+- unknown
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
+level: medium
+logsource:
+ category: network_connection
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+modified: 2020/08/24
+references:
+- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1571
+- attack.t1043
+yml_filename: sysmon_malware_backconnect_ports.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_malware_verclsid_shellcode.yml b/rules/Sigma/sysmon_malware_verclsid_shellcode.yml
new file mode 100644
index 00000000..02aca63f
--- /dev/null
+++ b/rules/Sigma/sysmon_malware_verclsid_shellcode.yml
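Review bot: The `logsource.definition` text, `Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN`, belongs to the verclsid process-access rule and has nothing to do with this network_connection (Event ID 3) rule; it should be replaced by a note on the Sysmon network-event logging requirement, or dropped. In sysmon_malware_verclsid_shellcode.yml the same string appears to be a Sysmon configuration snippet with its XML elements stripped, so it is unusable as guidance in both places and needs either the markup restored or a prose description. Separately, SELECTION_53 duplicates SELECTION_1 (`EventID: 3`) inside the exclusion, and `attack.t1043` is the retired ID that ATT&CK folded into T1571, which is already tagged; both can go.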
@@ -0,0 +1,42 @@
+title: Malware Shellcode in Verclsid Target Process
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+ a Microsoft Office application / VBA macro
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\verclsid.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1FFFFF'
+ SELECTION_4:
+ CallTrace: '*|UNKNOWN(*'
+ SELECTION_5:
+ CallTrace: '*VBE7.DLL*'
+ SELECTION_6:
+ SourceImage: '*\Microsoft Office\\*'
+ SELECTION_7:
+ CallTrace: '*|UNKNOWN*'
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+ category: process_access
+ definition: 'Use the following config to generate the necessary Event ID 10 Process
+ Access events: VBE7.DLLUNKNOWN'
+ product: windows
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+yml_filename: sysmon_malware_verclsid_shellcode.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_mimikatz_detection_lsass.yml b/rules/Sigma/sysmon_mimikatz_detection_lsass.yml
new file mode 100644
index 00000000..4ef7742b
--- /dev/null
+++ b/rules/Sigma/sysmon_mimikatz_detection_lsass.yml
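Review bot: The `logsource.definition` string `'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'` is unusable as written: the Sysmon config it promises has collapsed into the fragment `VBE7.DLLUNKNOWN`, which looks like the XML snippet lost its markup during conversion (the hunk header announces 42 lines but only 41 are present, consistent with a lost line). Either restore the snippet as a block scalar or replace the sentence with a plain prerequisite such as `definition: Requires Sysmon Event ID 10 (ProcessAccess) logging for verclsid.exe as TargetImage`. The same damaged string appears verbatim in the preceding sysmon_malware_backconnect_ports.yml hunk, where it is additionally off-topic because that rule is a network_connection rule, not a process_access one.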
@@ -0,0 +1,40 @@
+title: Mimikatz Detection LSASS Access
+author: Sherif Eldeeb
+date: 2017/10/18
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000
+ PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+ versions", 0x0010 PROCESS_VM_READ)
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ GrantedAccess: '0x1410'
+ SELECTION_4:
+ GrantedAccess: '0x1010'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Some security products access LSASS in this way.
+fields:
+- ComputerName
+- User
+- SourceImage
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+status: deprecated
+tags:
+- attack.t1003
+- attack.s0002
+- attack.credential_access
+- car.2019-04-004
+yml_filename: sysmon_mimikatz_detection_lsass.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
+
diff --git a/rules/Sigma/sysmon_mimikatz_trough_winrm.yml b/rules/Sigma/sysmon_mimikatz_trough_winrm.yml
new file mode 100644
index 00000000..98ba206a
--- /dev/null
+++ b/rules/Sigma/sysmon_mimikatz_trough_winrm.yml
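Review bot: This rule is added with `status: deprecated` (and a `yml_path` under `rules/windows/deprecated`) yet carries `level: high`, and nothing in the file says what supersedes it; a consumer that does not filter on `status` will run it next to the active LSASS rules in this commit and double-alert on the same Event ID 10 records. Either leave deprecated rules out of the import or add a sentence to the description pointing at the replacement rule. The description text is also damaged: `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION` each carry a stray space inside the constant name; the intended names are `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`.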
@@ -0,0 +1,38 @@
+title: Mimikatz through Windows Remote Management
+author: Patryk Prauze - ING Tech
+date: 2019/05/20
+description: Detects usage of mimikatz through WinRM protocol by monitoring access
+ to lsass process by wsmprovhost.exe.
+detection:
+ SELECTION_1:
+ EventID: 10
+ SELECTION_2:
+ TargetImage: '*\lsass.exe'
+ SELECTION_3:
+ SourceImage: C:\Windows\system32\wsmprovhost.exe
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- low
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+level: high
+logsource:
+ category: process_access
+ product: windows
+modified: 2021/06/21
+references:
+- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+tags:
+- attack.credential_access
+- attack.execution
+- attack.t1003.001
+- attack.t1003
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+- attack.s0002
+yml_filename: sysmon_mimikatz_trough_winrm.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_modify_screensaver_binary_path.yml b/rules/Sigma/sysmon_modify_screensaver_binary_path.yml
new file mode 100644
index 00000000..9710b857
--- /dev/null
+++ b/rules/Sigma/sysmon_modify_screensaver_binary_path.yml
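Review bot: `SourceImage: C:\Windows\system32\wsmprovhost.exe` in SELECTION_3 is an exact, drive-anchored path, unlike every other image match in this batch (`'*\lsass.exe'`, `'*\powershell.exe'`), so a host whose system root is not `C:\Windows` never matches; `SourceImage: '*\wsmprovhost.exe'` keeps it consistent with SELECTION_2. `falsepositives: - low` is a rating, not a description of what legitimately triggers the rule; elsewhere in this commit the field holds prose such as `Some security products access LSASS in this way.`, so either name the legitimate WinRM activity expected to touch lsass or write `- Unknown`.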
@@ -0,0 +1,38 @@ +title: Path To Screensaver Binary Modified +author: Bartlomiej Czyz @bczyz1, oscd.community +date: 2020/10/11 +description: Detects value modification of registry key containing path to binary + used as screensaver. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Control Panel\Desktop\SCRNSAVE.EXE' + SELECTION_5: + Image: '*\rundll32.exe' + SELECTION_6: + Image: '*\explorer.exe' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not + ((SELECTION_5 or SELECTION_6))) +falsepositives: +- Legitimate modification of screensaver. +id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 +level: medium +logsource: + category: registry_event + product: windows +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md +- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +status: experimental +tags: +- attack.persistence +- attack.privilege_escalation +- attack.t1546.002 +yml_filename: sysmon_modify_screensaver_binary_path.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_narrator_feedback_persistance.yml b/rules/Sigma/sysmon_narrator_feedback_persistance.yml new file mode 100644 index 00000000..8590ff12 --- /dev/null +++ b/rules/Sigma/sysmon_narrator_feedback_persistance.yml 
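Review bot: The exclusions in SELECTION_5 and SELECTION_6 match only the image basename (`'*\rundll32.exe'`, `'*\explorer.exe'`), so for a persistence detection the filter is keyed on a file name with no path anchor, and the `falsepositives` entry does not say that this is a deliberate trade-off. If the consumer supports it, anchor the filter to the system directory, e.g. `Image: '*\Windows\System32\rundll32.exe'`, or add `- Legitimate modification of screensaver (filter is name-based: rundll32.exe / explorer.exe)` so the scope of the exclusion is visible to analysts.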
@@ -0,0 +1,37 @@ +title: Narrator's Feedback-Hub Persistence +author: Dmitriy Lifanov, oscd.community +date: 2019/10/25 +description: Detects abusing Windows 10 Narrator's Feedback-Hub +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: DeleteValue + SELECTION_5: + TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' + SELECTION_6: + TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and + SELECTION_5) or SELECTION_6)) +falsepositives: +- unknown +id: f663a6d9-9d1b-49b8-b2b1-0637914d199a +level: high +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html +status: experimental +tags: +- attack.persistence +- attack.t1060 +- attack.t1547.001 +yml_filename: sysmon_narrator_feedback_persistance.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_netcat_execution.yml b/rules/Sigma/sysmon_netcat_execution.yml new file mode 100644 index 00000000..e725df02 --- /dev/null +++ b/rules/Sigma/sysmon_netcat_execution.yml 
@@ -0,0 +1,37 @@
+title: Ncat Execution
+author: frack113
+date: 2021/07/21
+description: Adversaries may use a non-application layer protocol for communication
+ between host and C2 server or among infected hosts within a network
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\ncat.exe'
+ SELECTION_3:
+ CommandLine: '* -lvp *'
+ SELECTION_4:
+ CommandLine: '* -l --proxy-type http *'
+ SELECTION_5:
+ CommandLine: '* --exec cmd.exe *'
+ SELECTION_6:
+ CommandLine: '* -vnl --exec *'
+ condition: (SELECTION_1 and ((SELECTION_2) or (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6)))
+falsepositives:
+- Legitimate ncat use
+id: e31033fc-33f0-4020-9a16-faf9b31cbf08
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://nmap.org/ncat/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1095
+yml_filename: sysmon_netcat_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_new_application_appcompat.yml b/rules/Sigma/sysmon_new_application_appcompat.yml
new file mode 100644
index 00000000..8e44edaf
--- /dev/null
+++ b/rules/Sigma/sysmon_new_application_appcompat.yml
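Review bot: The CommandLine patterns in SELECTION_5 and SELECTION_6 end with a space before the closing wildcard (`'* --exec cmd.exe *'`, `'* -vnl --exec *'`), so if `*` is a plain glob a command line that ends exactly in `--exec cmd.exe`, with nothing after it, does not match. Dropping the space, `CommandLine: '* --exec cmd.exe*'`, keeps the intent without the gap; SELECTION_3 `'* -lvp *'` is only safe because a port always follows the switch. Separately, the condition's `(SELECTION_2) or (...)` branch fires at `level: high` on every `*\ncat.exe` start while `falsepositives` lists legitimate ncat use, so the description should state that the image branch is intentionally argument-agnostic, otherwise the argument patterns look redundant.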
@@ -0,0 +1,35 @@ +title: New Application in AppCompat +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A General detection for a new application in AppCompat. This indicates + an application executing for the first time on an endpoint. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\AppCompatFlags\Compatibility Assistant\Store\\*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- This rule is to explore new applications on an endpoint. False positives depends + on the organization. +- Newly setup system. +- Legitimate installation of new application. +id: 60936b49-fca0-4f32-993d-7415edcf9a5d +level: informational +logsource: + category: registry_event + product: windows +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/1 +- https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html +status: experimental +tags: +- attack.execution +- attack.t1204.002 +yml_filename: sysmon_new_application_appcompat.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/Sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml new file mode 100644 index 00000000..331947ea --- /dev/null +++ b/rules/Sigma/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -0,0 +1,43 @@ +title: New DLL Added to AppCertDlls Registry Key +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value + in the Registry key can be abused to obtain persistence and privilege escalation + by causing a malicious DLL to be loaded and run in the context of separate processes + on the computer. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls + SELECTION_5: + NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +fields: +- EventID +- Image +- TargetObject +- NewName +id: 6aa1d992-5925-4e9f-a49b-845e51d1de01 +level: medium +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +status: experimental +tags: +- attack.persistence +- attack.t1182 +- attack.t1546.009 +yml_filename: sysmon_new_dll_added_to_appcertdlls_registry_key.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/Sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml new file mode 100644 index 00000000..bfd38d2e --- /dev/null +++ b/rules/Sigma/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
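Review bot: SELECTION_5's `NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls` misspells `CurrentControlSet` (missing `r`), so the rename branch of the condition can never match; the value should be the one SELECTION_4 already uses, `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls`. Both values are also exact matches with no wildcard, whereas the other registry rules in this batch use `'*\...'` prefixes; a Sysmon EventID 13 value write reports the value path beneath the key, which would not equal the bare key path, so unless the consumer treats these as prefix matches the "new DLL added" case (a value set under the key) is the one that is missed. `TargetObject: '*\Control\Session Manager\AppCertDlls*'` would cover both the key and values under it.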
@@ -0,0 +1,48 @@ +title: New DLL Added to AppInit_DLLs Registry Key +author: Ilyas Ochkov, oscd.community, Tim Shelton +date: 2019/10/25 +description: DLLs that are specified in the AppInit_DLLs value in the Registry key + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll + into every process that loads user32.dll +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + SELECTION_5: + TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + SELECTION_6: + NewName: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + SELECTION_7: + NewName: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls' + SELECTION_8: + Details: (Empty) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5) + or (SELECTION_6 or SELECTION_7)) and not (SELECTION_8)) +falsepositives: +- Unknown +fields: +- EventID +- Image +- TargetObject +- NewName +id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/11/11 +references: +- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html +status: experimental +tags: +- attack.persistence +- attack.t1103 +- attack.t1546.010 +yml_filename: sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_notepad_network_connection.yml b/rules/Sigma/sysmon_notepad_network_connection.yml new file mode 100644 index 00000000..0f4c3d9b --- /dev/null +++ b/rules/Sigma/sysmon_notepad_network_connection.yml 
@@ -0,0 +1,32 @@
+title: Notepad Making Network Connection
+author: EagleEye Team
+date: 2020/05/14
+description: Detects suspicious network connection by Notepad
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\notepad.exe'
+ SELECTION_3:
+ DestinationPort: '9100'
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- None observed so far
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+status: experimental
+tags:
+- attack.command_and_control
+- attack.execution
+- attack.defense_evasion
+- attack.t1055
+yml_filename: sysmon_notepad_network_connection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_office_persistence.yml b/rules/Sigma/sysmon_office_persistence.yml
new file mode 100644
index 00000000..3b26b38d
--- /dev/null
+++ b/rules/Sigma/sysmon_office_persistence.yml
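Review bot: The rule fires on any Sysmon EventID 3 for `*\notepad.exe` regardless of direction, whereas the PowerShell network rule later in this commit (sysmon_powershell_network_connection.yml) restricts itself with `Initiated: 'true'`; the references describe outbound C2 from an injected notepad, so an explicit `SELECTION_4: Initiated: 'true'` in the `and` clause would make the alert say what it means and keep the two network_connection rules consistent. The only exclusion is `DestinationPort: '9100'`, and `falsepositives: None observed so far` does not explain it; a short note such as `- Printing to a raw-port (9100) network printer from Notepad` would document why that port is carved out. The `attack.t1055` tag names process injection, which this rule infers rather than observes; the description should say the injection is the assumed cause, not the detected event.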
@@ -0,0 +1,42 @@ +title: Microsoft Office Add-In Loading +author: NVISO +date: 2020/05/11 +description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll + are simply .dll fit for Word or Excel). +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*\Microsoft\Word\Startup\\*' + SELECTION_3: + TargetFilename: '*.wll' + SELECTION_4: + TargetFilename: '*\Microsoft\Excel\Startup\\*' + SELECTION_5: + TargetFilename: '*.xll' + SELECTION_6: + TargetFilename: '*\Microsoft\Addins\\*' + SELECTION_7: + TargetFilename: '*.xlam' + SELECTION_8: + TargetFilename: '*.xla' + condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3) or (SELECTION_4 and + SELECTION_5)) or (SELECTION_6 and (SELECTION_7 or SELECTION_8)))) +falsepositives: +- Legitimate add-ins +id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936 +level: high +logsource: + category: file_event + product: windows +modified: 2020/08/23 +references: +- Internal Research +status: experimental +tags: +- attack.persistence +- attack.t1137 +- attack.t1137.006 +yml_filename: sysmon_office_persistence.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_office_test_regadd.yml b/rules/Sigma/sysmon_office_test_regadd.yml new file mode 100644 index 00000000..7d1f4e2a --- /dev/null +++ b/rules/Sigma/sysmon_office_test_regadd.yml 
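Review bot: The title `Microsoft Office Add-In Loading` and the description (`Detects add-ins that load when ...`) describe a load, but the detection is Sysmon EventID 11 (file create) on the Startup and Addins folders, so the rule fires when an add-in file is written, not when Word or Excel loads it. Reword to match the event, e.g. `description: Detects creation of add-in files (.wll/.xll/.xla/.xlam) in the Word/Excel Startup and Addins folders, i.e. files that will be loaded at the next application start`, so analysts do not expect image_load coverage from it.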
@@ -0,0 +1,34 @@ +title: Office Application Startup - Office Test +author: omkar72 +date: 2020/10/25 +description: Detects the addition of office test registry that allows a user to specify + an arbitrary DLL that will be executed every time an Office application is started +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKCU\Software\Microsoft\Office test\Special\Perf + SELECTION_5: + TargetObject: HKLM\Software\Microsoft\Office test\Special\Perf + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unlikely +id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/09/13 +references: +- https://attack.mitre.org/techniques/T1137/002/ +status: experimental +tags: +- attack.persistence +- attack.t1137.002 +yml_filename: sysmon_office_test_regadd.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_office_vsto_persistence.yml b/rules/Sigma/sysmon_office_vsto_persistence.yml new file mode 100644 index 00000000..423aacd6 --- /dev/null +++ b/rules/Sigma/sysmon_office_vsto_persistence.yml 
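Review bot: Both TargetObject values are exact `HKCU\...` and `HKLM\...` paths with no wildcard, unlike the other registry rules in this batch that use the `'*\...'` form. Sysmon reports per-user hives as `HKU\<SID>\Software\...` rather than `HKCU\...`, so unless the consumer normalizes the hive prefix SELECTION_4 will not match, and an EventID 13 value write carries the value name after `...\Special\Perf`, so an exact match misses the write the rule is named for. A prefix pattern such as `TargetObject: '*\Software\Microsoft\Office test\Special\Perf*'` covers both hives and the value beneath the key.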
@@ -0,0 +1,46 @@ +title: Stealthy VSTO Persistence +author: Bhabesh Raj +date: 2021/01/10 +description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins + in Office applications. +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Image: '*\msiexec.exe' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: SetValue + SELECTION_5: + TargetObject: '*\Software\Microsoft\Office\Outlook\Addins\\*' + SELECTION_6: + TargetObject: '*\Software\Microsoft\Office\Word\Addins\\*' + SELECTION_7: + TargetObject: '*\Software\Microsoft\Office\Excel\Addins\\*' + SELECTION_8: + TargetObject: '*\Software\Microsoft\Office\Powerpoint\Addins\\*' + SELECTION_9: + TargetObject: '*\Software\Microsoft\VSTO\Security\Inclusion\\*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) and not (SELECTION_10)) +falsepositives: +- Unknown +id: 9d15044a-7cfe-4d23-8085-6ebc11df7685 +level: high +logsource: + category: registry_event + product: windows +modified: 2021/07/27 +references: +- https://twitter.com/_vivami/status/1347925307643355138 +- https://vanmieghem.io/stealth-outlook-persistence/ +status: experimental +tags: +- attack.t1137.006 +- attack.persistence +yml_filename: sysmon_office_vsto_persistence.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_outlook_newform.yml b/rules/Sigma/sysmon_outlook_newform.yml new file mode 100644 index 00000000..5c7100ab --- /dev/null +++ b/rules/Sigma/sysmon_outlook_newform.yml 
@@ -0,0 +1,31 @@
+title: Outlook Form Installation
+author: Tobias Michalski
+date: 2021/06/10
+description: Detects the creation of new Outlook form which can contain malicious
+ code
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ Image: \outlook.exe
+ SELECTION_3:
+ TargetFilename: '*\appdata\local\microsoft\FORMS\\*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+status: experimental
+tags:
+- attack.persistence
+- attack.t1137.003
+yml_filename: sysmon_outlook_newform.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_password_dumper_lsass.yml b/rules/Sigma/sysmon_password_dumper_lsass.yml
new file mode 100644
index 00000000..9dbe207c
--- /dev/null
+++ b/rules/Sigma/sysmon_password_dumper_lsass.yml
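Review bot: `Image: \outlook.exe` in SELECTION_2 has no leading wildcard, so it matches only the literal string `\outlook.exe` rather than a full path ending in it, and this `level: high` rule can never fire; every other image match in this batch uses the `'*\name.exe'` form. Change it to `Image: '*\outlook.exe'`, quoted like the rest.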
@@ -0,0 +1,34 @@ +title: Password Dumper Remote Thread in LSASS +author: Thomas Patzke +date: 2017/02/19 +description: Detects password dumper activity by monitoring remote thread creation + EventID 8 in combination with the lsass.exe process as TargetImage. The process + in field Process is the malicious program. A single execution can lead to hundreds + of events. +detection: + SELECTION_1: + EventID: 8 + SELECTION_2: + TargetImage: '*\lsass.exe' + SELECTION_3: + StartModule: '' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Antivirus products +id: f239b326-2f41-4d6b-9dfa-c846a60ef505 +level: high +logsource: + category: create_remote_thread + product: windows +modified: 2021/06/21 +references: +- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm +status: stable +tags: +- attack.credential_access +- attack.t1003 +- attack.s0005 +- attack.t1003.001 +yml_filename: sysmon_password_dumper_lsass.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread + diff --git a/rules/Sigma/sysmon_pcre_net_load.yml b/rules/Sigma/sysmon_pcre_net_load.yml new file mode 100644 index 00000000..c5ba4c47 --- /dev/null +++ b/rules/Sigma/sysmon_pcre_net_load.yml 
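Review bot: `StartModule: ''` in SELECTION_3 matches only an empty string, and whether the consumer ever sees one is unclear from the hunk: Sysmon fills fields it cannot resolve with a `-` placeholder, so if EventID 8 arrives with `StartModule: -` the rule (status `stable`, level `high`) never fires. Confirm against a captured EventID 8 record and, if needed, add `SELECTION_4: StartModule: '-'` alongside SELECTION_3 with the condition widened to `(SELECTION_3 or SELECTION_4)`; a one-line comment above SELECTION_3 saying `# empty StartModule = thread started outside any loaded module` would explain the check to the next reader.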
@@ -0,0 +1,28 @@ +title: PCRE.NET Package Image Load +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/10/29 +description: Detects processes loading modules related to PCRE.NET package +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + ImageLoaded: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: 84b0a8f3-680b-4096-a45b-e9a89221727c +level: high +logsource: + category: image_load + product: windows +modified: 2021/08/14 +references: +- https://twitter.com/rbmaslen/status/1321859647091970051 +- https://twitter.com/tifkin_/status/1321916444557365248 +status: experimental +tags: +- attack.execution +- attack.t1059 +yml_filename: sysmon_pcre_net_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_pcre_net_temp_file.yml b/rules/Sigma/sysmon_pcre_net_temp_file.yml new file mode 100644 index 00000000..0d393136 --- /dev/null +++ b/rules/Sigma/sysmon_pcre_net_temp_file.yml @@ -0,0 +1,28 @@ +title: PCRE.NET Package Temp Files +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/10/29 +description: Detects processes creating temp files related to PCRE.NET package +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da +level: high +logsource: + category: file_event + product: windows +modified: 2021/08/14 +references: +- https://twitter.com/rbmaslen/status/1321859647091970051 +- https://twitter.com/tifkin_/status/1321916444557365248 +status: experimental +tags: +- attack.execution +- attack.t1059 +yml_filename: sysmon_pcre_net_temp_file.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + 
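Review bot: Both PCRE.NET hunks on this line (image_load and file_event) key entirely on the hardcoded temp-directory name `ba9ea7344a4a5f591d6e5dc32a13494b` with no explanation of what that identifier is or whether it is stable across package versions, so a maintainer cannot judge when it goes stale. Add to the description of both files a sentence in the spirit of `The directory name is the fixed temp folder the package unpacks its native library into (see references); update if the package changes it`, stated as far as the referenced posts support it.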
diff --git a/rules/Sigma/sysmon_powershell_as_service.yml b/rules/Sigma/sysmon_powershell_as_service.yml new file mode 100644 index 00000000..43329713 --- /dev/null +++ b/rules/Sigma/sysmon_powershell_as_service.yml @@ -0,0 +1,38 @@ +title: PowerShell as a Service in Registry +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +description: Detects that a powershell code is written to the registry as a service. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Services\\*' + SELECTION_5: + TargetObject: '*\ImagePath' + SELECTION_6: + Details: '*powershell*' + SELECTION_7: + Details: '*pwsh*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and (SELECTION_6 or SELECTION_7)) +falsepositives: +- Unknown +id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d +level: high +logsource: + category: registry_event + product: windows +modified: 2021/05/21 +references: +- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +status: experimental +tags: +- attack.execution +- attack.t1569.002 +yml_filename: sysmon_powershell_as_service.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_powershell_code_injection.yml b/rules/Sigma/sysmon_powershell_code_injection.yml new file mode 100644 index 00000000..2c5b221b --- /dev/null +++ b/rules/Sigma/sysmon_powershell_code_injection.yml 
@@ -0,0 +1,28 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+description: Detecting Code injection with PowerShell in another process
+detection:
+ SELECTION_1:
+ EventID: 8
+ SELECTION_2:
+ SourceImage: '*\powershell.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+level: high
+logsource:
+ category: create_remote_thread
+ definition: Note that you have to configure logging for CreateRemoteThread in
+ Symson config
+ product: windows
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_powershell_code_injection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
+
diff --git a/rules/Sigma/sysmon_powershell_execution_pipe.yml b/rules/Sigma/sysmon_powershell_execution_pipe.yml
new file mode 100644
index 00000000..b0e3b5c0
--- /dev/null
+++ b/rules/Sigma/sysmon_powershell_execution_pipe.yml
@@ -0,0 +1,28 @@
+title: T1086 PowerShell Execution
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects execution of PowerShell
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \PSHost*
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
+level: informational
+logsource:
+ category: pipe_created
+ product: windows
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_powershell_execution_pipe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
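Review bot: `definition: Note that you have to configure logging for CreateRemoteThread in Symson config` misspells Sysmon as `Symson`, and this is the text analysts read as the logging prerequisite; `definition: Requires CreateRemoteThread (Event ID 8) logging to be enabled in the Sysmon configuration` fixes the typo and names the event. The rule also alerts at `level: high` on every EventID 8 whose SourceImage ends in `\powershell.exe` while `falsepositives` says only `Unknown`; since SELECTION_2 does not look at TargetImage at all, the description should say that any remote thread from PowerShell is treated as injection so tuning expectations are explicit.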
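Review bot: The title `T1086 PowerShell Execution` embeds a retired technique ID while the tags carry `attack.t1059.001`; the title is what analysts see first, so align it, e.g. `title: PowerShell Execution (PSHost Named Pipe)`. `PipeName: \PSHost*` is left unquoted while the other backslash-and-wildcard values in this batch are single-quoted; it parses as a plain scalar here, but `PipeName: '\PSHost*'` keeps the file consistent and protects the value if a later edit adds a `: ` or ` #` to it.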
diff --git a/rules/Sigma/sysmon_powershell_exploit_scripts.yml b/rules/Sigma/sysmon_powershell_exploit_scripts.yml
new file mode 100644
index 00000000..9b45b94d
--- /dev/null
+++ b/rules/Sigma/sysmon_powershell_exploit_scripts.yml
@@ -0,0 +1,234 @@ +title: Malicious PowerShell Commandlet Names +author: Markus Neis +date: 2018/04/07 +description: Detects the creation of known powershell scripts for exploitation +detection: + SELECTION_1: + EventID: 11 + SELECTION_10: + TargetFilename: '*\Invoke-TokenManipulation.ps1' + SELECTION_11: + TargetFilename: '*\Out-Minidump.ps1' + SELECTION_12: + TargetFilename: '*\VolumeShadowCopyTools.ps1' + SELECTION_13: + TargetFilename: '*\Invoke-ReflectivePEInjection.ps1' + SELECTION_14: + TargetFilename: '*\Get-TimedScreenshot.ps1' + SELECTION_15: + TargetFilename: '*\Invoke-UserHunter.ps1' + SELECTION_16: + TargetFilename: '*\Find-GPOLocation.ps1' + SELECTION_17: + TargetFilename: '*\Invoke-ACLScanner.ps1' + SELECTION_18: + TargetFilename: '*\Invoke-DowngradeAccount.ps1' + SELECTION_19: + TargetFilename: '*\Get-ServiceUnquoted.ps1' + SELECTION_2: + TargetFilename: '*\Invoke-DllInjection.ps1' + SELECTION_20: + TargetFilename: '*\Get-ServiceFilePermission.ps1' + SELECTION_21: + TargetFilename: '*\Get-ServicePermission.ps1' + SELECTION_22: + TargetFilename: '*\Invoke-ServiceAbuse.ps1' + SELECTION_23: + TargetFilename: '*\Install-ServiceBinary.ps1' + SELECTION_24: + TargetFilename: '*\Get-RegAutoLogon.ps1' + SELECTION_25: + TargetFilename: '*\Get-VulnAutoRun.ps1' + SELECTION_26: + TargetFilename: '*\Get-VulnSchTask.ps1' + SELECTION_27: + TargetFilename: '*\Get-UnattendedInstallFile.ps1' + SELECTION_28: + TargetFilename: '*\Get-WebConfig.ps1' + SELECTION_29: + TargetFilename: '*\Get-ApplicationHost.ps1' + SELECTION_3: + TargetFilename: '*\Invoke-WmiCommand.ps1' + SELECTION_30: + TargetFilename: '*\Get-RegAlwaysInstallElevated.ps1' + SELECTION_31: + TargetFilename: '*\Get-Unconstrained.ps1' + SELECTION_32: + TargetFilename: '*\Add-RegBackdoor.ps1' + SELECTION_33: + TargetFilename: '*\Add-ScrnSaveBackdoor.ps1' + SELECTION_34: + TargetFilename: '*\Gupt-Backdoor.ps1' + SELECTION_35: + TargetFilename: '*\Invoke-ADSBackdoor.ps1' + SELECTION_36: + TargetFilename: 
'*\Enabled-DuplicateToken.ps1' + SELECTION_37: + TargetFilename: '*\Invoke-PsUaCme.ps1' + SELECTION_38: + TargetFilename: '*\Remove-Update.ps1' + SELECTION_39: + TargetFilename: '*\Check-VM.ps1' + SELECTION_4: + TargetFilename: '*\Get-GPPPassword.ps1' + SELECTION_40: + TargetFilename: '*\Get-LSASecret.ps1' + SELECTION_41: + TargetFilename: '*\Get-PassHashes.ps1' + SELECTION_42: + TargetFilename: '*\Show-TargetScreen.ps1' + SELECTION_43: + TargetFilename: '*\Port-Scan.ps1' + SELECTION_44: + TargetFilename: '*\Invoke-PoshRatHttp.ps1' + SELECTION_45: + TargetFilename: '*\Invoke-PowerShellTCP.ps1' + SELECTION_46: + TargetFilename: '*\Invoke-PowerShellWMI.ps1' + SELECTION_47: + TargetFilename: '*\Add-Exfiltration.ps1' + SELECTION_48: + TargetFilename: '*\Add-Persistence.ps1' + SELECTION_49: + TargetFilename: '*\Do-Exfiltration.ps1' + SELECTION_5: + TargetFilename: '*\Get-Keystrokes.ps1' + SELECTION_50: + TargetFilename: '*\Start-CaptureServer.ps1' + SELECTION_51: + TargetFilename: '*\Invoke-ShellCode.ps1' + SELECTION_52: + TargetFilename: '*\Get-ChromeDump.ps1' + SELECTION_53: + TargetFilename: '*\Get-ClipboardContents.ps1' + SELECTION_54: + TargetFilename: '*\Get-FoxDump.ps1' + SELECTION_55: + TargetFilename: '*\Get-IndexedItem.ps1' + SELECTION_56: + TargetFilename: '*\Get-Screenshot.ps1' + SELECTION_57: + TargetFilename: '*\Invoke-Inveigh.ps1' + SELECTION_58: + TargetFilename: '*\Invoke-NetRipper.ps1' + SELECTION_59: + TargetFilename: '*\Invoke-EgressCheck.ps1' + SELECTION_6: + TargetFilename: '*\Get-VaultCredential.ps1' + SELECTION_60: + TargetFilename: '*\Invoke-PostExfil.ps1' + SELECTION_61: + TargetFilename: '*\Invoke-PSInject.ps1' + SELECTION_62: + TargetFilename: '*\Invoke-RunAs.ps1' + SELECTION_63: + TargetFilename: '*\MailRaider.ps1' + SELECTION_64: + TargetFilename: '*\New-HoneyHash.ps1' + SELECTION_65: + TargetFilename: '*\Set-MacAttribute.ps1' + SELECTION_66: + TargetFilename: '*\Invoke-DCSync.ps1' + SELECTION_67: + TargetFilename: '*\Invoke-PowerDump.ps1' 
+ SELECTION_68: + TargetFilename: '*\Exploit-Jboss.ps1' + SELECTION_69: + TargetFilename: '*\Invoke-ThunderStruck.ps1' + SELECTION_7: + TargetFilename: '*\Invoke-CredentialInjection.ps1' + SELECTION_70: + TargetFilename: '*\Invoke-VoiceTroll.ps1' + SELECTION_71: + TargetFilename: '*\Set-Wallpaper.ps1' + SELECTION_72: + TargetFilename: '*\Invoke-InveighRelay.ps1' + SELECTION_73: + TargetFilename: '*\Invoke-PsExec.ps1' + SELECTION_74: + TargetFilename: '*\Invoke-SSHCommand.ps1' + SELECTION_75: + TargetFilename: '*\Get-SecurityPackages.ps1' + SELECTION_76: + TargetFilename: '*\Install-SSP.ps1' + SELECTION_77: + TargetFilename: '*\Invoke-BackdoorLNK.ps1' + SELECTION_78: + TargetFilename: '*\PowerBreach.ps1' + SELECTION_79: + TargetFilename: '*\Get-SiteListPassword.ps1' + SELECTION_8: + TargetFilename: '*\Invoke-Mimikatz.ps1' + SELECTION_80: + TargetFilename: '*\Get-System.ps1' + SELECTION_81: + TargetFilename: '*\Invoke-BypassUAC.ps1' + SELECTION_82: + TargetFilename: '*\Invoke-Tater.ps1' + SELECTION_83: + TargetFilename: '*\Invoke-WScriptBypassUAC.ps1' + SELECTION_84: + TargetFilename: '*\PowerUp.ps1' + SELECTION_85: + TargetFilename: '*\PowerView.ps1' + SELECTION_86: + TargetFilename: '*\Get-RickAstley.ps1' + SELECTION_87: + TargetFilename: '*\Find-Fruit.ps1' + SELECTION_88: + TargetFilename: '*\HTTP-Login.ps1' + SELECTION_89: + TargetFilename: '*\Find-TrustedDocuments.ps1' + SELECTION_9: + TargetFilename: '*\Invoke-NinjaCopy.ps1' + SELECTION_90: + TargetFilename: '*\Invoke-Paranoia.ps1' + SELECTION_91: + TargetFilename: '*\Invoke-WinEnum.ps1' + SELECTION_92: + TargetFilename: '*\Invoke-ARPScan.ps1' + SELECTION_93: + TargetFilename: '*\Invoke-PortScan.ps1' + SELECTION_94: + TargetFilename: '*\Invoke-ReverseDNSLookup.ps1' + SELECTION_95: + TargetFilename: '*\Invoke-SMBScanner.ps1' + SELECTION_96: + TargetFilename: '*\Invoke-Mimikittenz.ps1' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or 
SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 + or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 + or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 + or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 + or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45 + or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 + or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55 + or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60 + or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65 + or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70 + or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75 + or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80 + or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85 + or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90 + or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95 + or SELECTION_96)) +falsepositives: +- Penetration Tests +id: f331aa1f-8c53-4fc3-b083-cc159bc971cb +level: high +logsource: + category: file_event + product: windows +references: +- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml +status: experimental +tags: +- attack.execution +- attack.t1086 +- attack.t1059.001 +yml_filename: sysmon_powershell_exploit_scripts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + 
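Review bot: The title `Malicious PowerShell Commandlet Names` and the referenced source rule (powershell_malicious_commandlets.yml) are about commandlet invocations, but this conversion is a file_event rule on EventID 11 that matches the creation of files with these ninety-five names; the description `Detects the creation of known powershell scripts for exploitation` already says so, and the title should agree with it, e.g. `title: Creation of Known Offensive PowerShell Script Files`, so nobody expects script-block coverage from it. The selection list also pairs `level: high` with entries such as `Set-Wallpaper.ps1`, `Get-RickAstley.ps1` and `Invoke-VoiceTroll.ps1` that are prank modules bundled with the same toolkits; a one-line note in the description that the list is taken wholesale from the referenced rule, toolkit-level rather than per-script triage, would make the severity choice explicit.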
diff --git a/rules/Sigma/sysmon_powershell_network_connection.yml b/rules/Sigma/sysmon_powershell_network_connection.yml
new file mode 100644
index 00000000..be69ea27
--- /dev/null
+++ b/rules/Sigma/sysmon_powershell_network_connection.yml
@@ -0,0 +1,85 @@ +title: PowerShell Network Connections +author: Florian Roth +date: 2017/03/13 +description: Detects a Powershell process that opens network connections - check for + suspicious target ports and target systems - adjust to your environment (e.g. + extend filters with company's ip range') +detection: + SELECTION_1: + EventID: 3 + SELECTION_10: + DestinationIp: 172.19.* + SELECTION_11: + DestinationIp: 172.20.* + SELECTION_12: + DestinationIp: 172.21.* + SELECTION_13: + DestinationIp: 172.22.* + SELECTION_14: + DestinationIp: 172.23.* + SELECTION_15: + DestinationIp: 172.24.* + SELECTION_16: + DestinationIp: 172.25.* + SELECTION_17: + DestinationIp: 172.26.* + SELECTION_18: + DestinationIp: 172.27.* + SELECTION_19: + DestinationIp: 172.28.* + SELECTION_2: + Image: '*\powershell.exe' + SELECTION_20: + DestinationIp: 172.29.* + SELECTION_21: + DestinationIp: 172.30.* + SELECTION_22: + DestinationIp: 172.31.* + SELECTION_23: + DestinationIp: 127.0.0.1* + SELECTION_24: + DestinationIsIpv6: 'false' + SELECTION_25: + User: NT AUTHORITY\SYSTEM + SELECTION_26: + User: '*AUT*' + SELECTION_27: + User: '* NT*' + SELECTION_3: + Initiated: 'true' + SELECTION_4: + DestinationIsIpv6: 'false' + SELECTION_5: + DestinationIp: 10.* + SELECTION_6: + DestinationIp: 192.168.* + SELECTION_7: + DestinationIp: 172.16.* + SELECTION_8: + DestinationIp: 172.17.* + SELECTION_9: + DestinationIp: 172.18.* + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not + ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 + or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23) and SELECTION_24 + and SELECTION_25 and SELECTION_26 and SELECTION_27)) +falsepositives: +- Administrative scripts +id: 1f21ec3f-810d-4b0e-8045-322202e22b4b +level: low +logsource: + category: 
network_connection + product: windows +modified: 2021/06/14 +references: +- https://www.youtube.com/watch?v=DLtJTxMWZ2o +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.t1086 +yml_filename: sysmon_powershell_network_connection.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_powershell_startup_shortcuts.yml b/rules/Sigma/sysmon_powershell_startup_shortcuts.yml new file mode 100644 index 00000000..8f531972 --- /dev/null +++ b/rules/Sigma/sysmon_powershell_startup_shortcuts.yml 
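Review bot: The exclusion in `condition` can never apply, because `SELECTION_25`, `SELECTION_26` and `SELECTION_27` are ANDed: a User equal to `NT AUTHORITY\SYSTEM` contains no ` NT` substring, so `SELECTION_27` fails whenever `SELECTION_25` holds and the whole `not (...)` branch is always true. The practical effect appears to be that every initiated IPv4 connection from powershell.exe alerts, including the RFC 1918 and loopback destinations the filter lists. If the three User patterns are alternatives (as a Sigma value list would be), the tail should read `and (SELECTION_25 or SELECTION_26 or SELECTION_27)))`. `SELECTION_24` also repeats `SELECTION_4` and can be dropped from the filter.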
@@ -0,0 +1,39 @@ +title: PowerShell Writing Startup Shortcuts +author: Christopher Peacock '@securepeacock', SCYTHE +date: 2021/10/24 +description: Attempts to detect PowerShell writing startup shortcuts. This procedure + was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe + adversaries using PowerShell to write malicious .lnk files into the startup directory + to establish persistence. Accordingly, this detection opportunity is likely to + identify persistence mechanisms in multiple threats. In the context of Yellow + Cockatoo, this persistence mechanism eventually launches the command-line script + that leads to the installation of a malicious DLL" +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + Image: '*\powershell.exe' + SELECTION_3: + TargetFilename: '*\start menu\programs\startup\\*' + SELECTION_4: + TargetFilename: '*.lnk' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- Unknown +- Depending on your environment accepted applications may leverage this at times. + It is recomended to search for anomolies inidicative of malware. +id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d +level: high +logsource: + category: file_event + product: windows +references: +- https://redcanary.com/blog/intelligence-insights-october-2021/ +- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder +status: experimental +tags: +- attack.registry_run_keys_/_startup_folder +- attack.t1547.001 +yml_filename: sysmon_powershell_startup_shortcuts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_proxy_execution_wuauclt.yml b/rules/Sigma/sysmon_proxy_execution_wuauclt.yml new file mode 100644 index 00000000..aab4b62e --- /dev/null +++ b/rules/Sigma/sysmon_proxy_execution_wuauclt.yml 
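Review bot: `SELECTION_2` only matches `*\powershell.exe`, so the same .lnk write performed by PowerShell 7 (`pwsh.exe`) is not covered although the described technique does not depend on the host version. Add `SELECTION_5:` / `Image: '*\pwsh.exe'` and change the condition to `(SELECTION_1 and (SELECTION_2 or SELECTION_5) and SELECTION_3 and SELECTION_4)`. The second `falsepositives` entry also carries three misspellings (`recomended`, `anomolies`, `inidicative`) that should be fixed before the rule ships.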
@@ -0,0 +1,41 @@ +title: Proxy Execution via Wuauclt +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth +date: 2020/10/12 +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to + proxy execute code. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*wuauclt*' + SELECTION_3: + OriginalFileName: wuauclt.exe + SELECTION_4: + CommandLine: '*UpdateDeploymentProvider*' + SELECTION_5: + CommandLine: '*.dll*' + SELECTION_6: + CommandLine: '*RunHandlerComServer*' + SELECTION_7: + CommandLine: '* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *' + SELECTION_8: + CommandLine: '* wuaueng.dll *' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) and (SELECTION_4 and + SELECTION_5 and SELECTION_6)) and not ((SELECTION_7 or SELECTION_8))) +falsepositives: +- Unknown +id: af77cf95-c469-471c-b6a0-946c685c4798 +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/05/10 +references: +- https://dtm.uk/wuauclt/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1218 +yml_filename: sysmon_proxy_execution_wuauclt.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_psexec_pipes_artifacts.yml b/rules/Sigma/sysmon_psexec_pipes_artifacts.yml new file mode 100644 index 00000000..0fd870f4 --- /dev/null +++ b/rules/Sigma/sysmon_psexec_pipes_artifacts.yml 
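Review bot: The two exclusions `SELECTION_7` and `SELECTION_8` are unanchored substring matches, so the alert is suppressed for any wuauclt command line that contains ` wuaueng.dll ` or the ` /UpdateDeploymentProvider UpdateDeploymentProvider.dll ` fragment anywhere, even when it also carries the `.dll` and `RunHandlerComServer` tokens the rule looks for. A filter anchored to the complete legitimate invocation rather than two mid-string fragments leaves a narrower blind spot. `SELECTION_2` (`Image: '*wuauclt*'`) is also looser than the `OriginalFileName` alternative next to it; `'*\wuauclt.exe'` would be consistent with the other image patterns in this set.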
@@ -0,0 +1,41 @@ +title: PsExec Pipes Artifacts +author: Nikita Nazarov, oscd.community +date: 2020/05/10 +description: Detecting use PsExec via Pipe Creation/Access to pipes +detection: + SELECTION_1: + EventID: 17 + SELECTION_2: + EventID: 18 + SELECTION_3: + PipeName: psexec* + SELECTION_4: + PipeName: paexec* + SELECTION_5: + PipeName: remcom* + SELECTION_6: + PipeName: csexec* + condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6)) +falsepositives: +- Legitimate Administrator activity +id: 9e77ed63-2ecf-4c7b-b09d-640834882028 +level: medium +logsource: + category: pipe_created + definition: Note that you have to configure logging for Named Pipe Events in Sysmon + config (Event ID 17 and Event ID 18). The basic configuration is in popular + sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but + it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, + https://github.com/olafhartong/sysmon-modular. How to test detection? You + can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + product: windows +references: +- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +status: experimental +tags: +- attack.lateral_movement +- attack.t1021.002 +yml_filename: sysmon_psexec_pipes_artifacts.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created + diff --git a/rules/Sigma/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/Sigma/sysmon_pypykatz_cred_dump_lsass_access.yml new file mode 100644 index 00000000..5c9f3f51 --- /dev/null +++ b/rules/Sigma/sysmon_pypykatz_cred_dump_lsass_access.yml 
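Review bot: The four `PipeName` patterns are prefix matches with no leading backslash, but Sysmon records pipe names with one (e.g. `\PSEXESVC`), so a value such as `\paexec-...` would not be matched by `paexec*`; in addition the default PsExec service pipe is named `PSEXESVC`, which `psexec*` does not cover at all. If the converter dropped the leading `\`, the values should be `'\psexec*'`, `'\paexec*'`, `'\remcom*'`, `'\csexec*'`, and a `PipeName: '\PSEXESVC*'` selection is worth adding to the OR. Confirm against a captured Event ID 17 before merging.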
@@ -0,0 +1,39 @@ +title: Credential Dumping by Pypykatz +author: Bhabesh Raj +date: 2021/08/03 +description: Detects LSASS process access by pypykatz for credential dumping. +detection: + SELECTION_1: + EventID: 10 + SELECTION_2: + TargetImage: '*\lsass.exe' + SELECTION_3: + CallTrace: '*C:\Windows\SYSTEM32\ntdll.dll+*' + SELECTION_4: + CallTrace: '*C:\Windows\System32\KERNELBASE.dll+*' + SELECTION_5: + CallTrace: '*libffi-7.dll*' + SELECTION_6: + CallTrace: '*_ctypes.pyd+*' + SELECTION_7: + CallTrace: '*python3*.dll+*' + SELECTION_8: + GrantedAccess: '0x1FFFFF' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5 + and SELECTION_6 and SELECTION_7 and SELECTION_8) +falsepositives: +- Unknown +id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b +level: critical +logsource: + category: process_access + product: windows +references: +- https://github.com/skelsec/pypykatz +status: experimental +tags: +- attack.credential_access +- attack.t1003.001 +yml_filename: sysmon_pypykatz_cred_dump_lsass_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access + diff --git a/rules/Sigma/sysmon_quarkspw_filedump.yml b/rules/Sigma/sysmon_quarkspw_filedump.yml new file mode 100644 index 00000000..8221a4e4 --- /dev/null +++ b/rules/Sigma/sysmon_quarkspw_filedump.yml 
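Review bot: `SELECTION_3` and `SELECTION_4` hard-code `C:\Windows\SYSTEM32\...` in the `CallTrace` patterns while every other image pattern in this set is drive-agnostic (`'*\...'`), so a system installed on another drive letter never satisfies the eight-way AND. Writing them as `'*\SYSTEM32\ntdll.dll+*'` and `'*\System32\KERNELBASE.dll+*'` keeps the intent without the drive assumption. Given how narrow the rule is (exact `GrantedAccess: '0x1FFFFF'` plus five call-trace fragments), the description should also say it targets the Python/ctypes build of pypykatz so readers understand why it is `level: critical`.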
@@ -0,0 +1,30 @@ +title: QuarksPwDump Dump File +author: Florian Roth +date: 2018/02/10 +description: Detects a dump file written by QuarksPwDump password dumper +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*\AppData\Local\Temp\SAM-*' + SELECTION_3: + TargetFilename: '*.dmp*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unknown +id: 847def9e-924d-4e90-b7c4-5f581395a2b4 +level: critical +logsource: + category: file_event + product: windows +modified: 2020/08/23 +references: +- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm +status: experimental +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.002 +yml_filename: sysmon_quarkspw_filedump.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/Sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml new file mode 100644 index 00000000..0d91972d --- /dev/null +++ b/rules/Sigma/sysmon_raw_disk_access_using_illegitimate_tools.yml 
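Review bot: `SELECTION_3` is `'*.dmp*'`, so the trailing wildcard lets `.dmp` match in the middle of the path as well as at the end; if the intent (per the description and `SELECTION_2`) is a `SAM-*.dmp` dump file, the suffix form `'*.dmp'` is the precise match. Because the two selections are independent contains-checks, a `.dmp` anywhere in the path combined with a `Temp\SAM-` prefix would also fire. A single pattern `TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp'` expresses the rule exactly.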
@@ -0,0 +1,65 @@ +title: Raw Disk Access Using Illegitimate Tools +author: Teymur Kheirkhabarov, oscd.community +date: 2019/10/22 +description: Raw disk access using illegitimate tools, possible defence evasion +detection: + SELECTION_1: + EventID: 9 + SELECTION_10: + Image: '*\compattelrunner.exe' + SELECTION_11: + Image: '*\wininit.exe' + SELECTION_12: + Image: '*\autochk.exe' + SELECTION_13: + Image: '*\taskhost.exe' + SELECTION_14: + Image: '*\dfsrs.exe' + SELECTION_15: + Image: '*\vds.exe' + SELECTION_16: + Image: '*\lsass.exe' + SELECTION_17: + Image: '*\svchost.exe' + SELECTION_2: + Device: '*floppy*' + SELECTION_3: + Image: '*\wmiprvse.exe' + SELECTION_4: + Image: '*\sdiagnhost.exe' + SELECTION_5: + Image: '*\searchindexer.exe' + SELECTION_6: + Image: '*\csrss.exe' + SELECTION_7: + Image: '*\defrag.exe' + SELECTION_8: + Image: '*\smss.exe' + SELECTION_9: + Image: '*\vssvc.exe' + condition: (SELECTION_1 and not (SELECTION_2) and not ((SELECTION_3 or SELECTION_4 + or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17))) +falsepositives: +- Legitimate Administrator using tool for raw access or ongoing forensic investigation +fields: +- ComputerName +- Image +- ProcessID +- Device +id: db809f10-56ce-4420-8c86-d6a7d793c79c +level: medium +logsource: + category: raw_access_thread + product: windows +modified: 2021/11/09 +references: +- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +status: experimental +tags: +- attack.defense_evasion +- attack.t1006 +yml_filename: sysmon_raw_disk_access_using_illegitimate_tools.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/raw_access_thread + diff --git a/rules/Sigma/sysmon_rclone_execution.yml b/rules/Sigma/sysmon_rclone_execution.yml new file mode 100644 index 00000000..a600f505 --- /dev/null 
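Review bot: The image exclusions `SELECTION_3` through `SELECTION_17` match on the file name only (`'*\svchost.exe'`, `'*\lsass.exe'`, …), so any executable carrying one of these names from any directory is exempt from the Event ID 9 alert. Anchoring the allow-list to the system directory (e.g. `Image: '*\Windows\System32\svchost.exe'`) keeps the legitimate exclusions while closing that gap. If the path anchoring is deliberately omitted, a comment saying so next to the exclusion block would save the next reviewer the same question.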
+++ b/rules/Sigma/sysmon_rclone_execution.yml @@ -0,0 +1,61 @@ +title: RClone Execution +author: Bhabesh Raj, Sittikorn S +date: 2021/05/10 +description: Detects execution of RClone utility for exfiltration as used by various + ransomwares strains like REvil, Conti, FiveHands, etc +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*--progress*' + SELECTION_11: + CommandLine: '*--ignore-existing*' + SELECTION_12: + CommandLine: '*--auto-confirm*' + SELECTION_13: + CommandLine: '*--transfers*' + SELECTION_14: + CommandLine: '*--multi-thread-streams*' + SELECTION_2: + Description: Rsync for cloud storage + SELECTION_3: + CommandLine: '*--config *' + SELECTION_4: + CommandLine: '*--no-check-certificate *' + SELECTION_5: + CommandLine: '* copy *' + SELECTION_6: + Image: '*\rclone.exe' + SELECTION_7: + CommandLine: '*mega*' + SELECTION_8: + CommandLine: '*pcloud*' + SELECTION_9: + CommandLine: '*ftp*' + condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4 and SELECTION_5) + or ((SELECTION_6) and (SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)))) +falsepositives: +- Legitimate RClone use +fields: +- CommandLine +- ParentCommandLine +- Details +id: a0d63692-a531-4912-ad39-4393325b2a9c +level: high +logsource: + category: process_creation + product: windows +modified: 2021/06/29 +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware +- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a +- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone +- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html +status: deprecated +tags: +- attack.exfiltration +- attack.t1567.002 +yml_filename: sysmon_rclone_execution.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated + 
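Review bot: The rule is added with `status: deprecated` and a `yml_path` under `.../deprecated`, yet it ships at `level: high` with no pointer to what superseded it. Either import the upstream replacement, if one exists, or add a line to the description such as `Deprecated upstream; kept until the replacement rule is imported` so operators know why a deprecated detection is active. The broad `'*ftp*'` and `'*mega*'` fragments (`SELECTION_9`, `SELECTION_7`) are only safe because they are ANDed with `SELECTION_6` (`rclone.exe`); that dependency deserves a comment as well.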
diff --git a/rules/Sigma/sysmon_rdp_registry_modification.yml b/rules/Sigma/sysmon_rdp_registry_modification.yml new file mode 100644 index 00000000..175daa6b --- /dev/null +++ b/rules/Sigma/sysmon_rdp_registry_modification.yml @@ -0,0 +1,42 @@ +title: RDP Registry Modification +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/09/12 +description: Detects potential malicious modification of the property value of fDenyTSConnections + and UserAuthentication to enable remote desktop connections. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' + SELECTION_5: + TargetObject: '*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' + SELECTION_6: + Details: DWORD (0x00000000) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5) + and SELECTION_6) +falsepositives: +- Unknown +fields: +- ComputerName +- Image +- EventType +- TargetObject +id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 +level: high +logsource: + category: registry_event + product: windows +modified: 2019/11/10 +references: +- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_rdp_registry_modification.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_rdp_reverse_tunnel.yml b/rules/Sigma/sysmon_rdp_reverse_tunnel.yml new file mode 100644 index 00000000..271de8fc --- /dev/null +++ b/rules/Sigma/sysmon_rdp_reverse_tunnel.yml 
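Review bot: `SELECTION_6` (`Details: DWORD (0x00000000)`) is ANDed into the condition, but Sysmon only populates `Details` for value-set events (Event ID 13); key create/delete (12) and rename (14) events carry no `Details`, so `SELECTION_1` and `SELECTION_3` can never contribute a match. Either restrict to `EventID: 13` to make the logic honest, or drop `SELECTION_6` from the condition if creation or deletion of the `fDenyTSConnections` / `UserAuthentication` values should also alert. Note that `fDenyTSConnections` is also matched by `sysmon_rdp_settings_hijack.yml` in this commit, so one change produces two high-severity alerts.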
@@ -0,0 +1,41 @@ +title: RDP Over Reverse SSH Tunnel +author: Samir Bousseaden +date: 2019/02/16 +description: Detects svchost hosting RDP termsvcs communicating with the loopback + address and on TCP port 3389 +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + Image: '*\svchost.exe' + SELECTION_3: + Initiated: 'true' + SELECTION_4: + SourcePort: 3389 + SELECTION_5: + DestinationIp: 127.* + SELECTION_6: + DestinationIp: ::1 + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and + ((SELECTION_5) or (SELECTION_6))) +falsepositives: +- unknown +id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 +level: high +logsource: + category: network_connection + product: windows +modified: 2021/05/11 +references: +- https://twitter.com/SBousseaden/status/1096148422984384514 +status: experimental +tags: +- attack.command_and_control +- attack.t1572 +- attack.lateral_movement +- attack.t1021.001 +- attack.t1076 +- car.2013-07-002 +yml_filename: sysmon_rdp_reverse_tunnel.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_rdp_settings_hijack.yml b/rules/Sigma/sysmon_rdp_settings_hijack.yml new file mode 100644 index 00000000..fb62aefc --- /dev/null +++ b/rules/Sigma/sysmon_rdp_settings_hijack.yml 
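Review bot: `SELECTION_6` leaves `::1` unquoted; a plain scalar beginning with a `:` indicator is worth quoting defensively as `DestinationIp: '::1'`, for the same reason `'127.*'` is quoted in `SELECTION_5`. `SourcePort: 3389` is a bare integer while `Initiated: 'true'` is a string; if the engine compares field values as strings, quoting `'3389'` keeps the two selections consistent. The tag list carries both `attack.t1076` and its replacement `attack.t1021.001`; keeping only the current ID avoids double counting in ATT&CK coverage reports.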
@@ -0,0 +1,35 @@ +title: RDP Sensitive Settings Changed +author: Samir Bousseaden +date: 2019/04/03 +description: Detects changes to RDP terminal service sensitive settings +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\services\TermService\Parameters\ServiceDll*' + SELECTION_5: + TargetObject: '*\Control\Terminal Server\fSingleSessionPerUser*' + SELECTION_6: + TargetObject: '*\Control\Terminal Server\fDenyTSConnections*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5 + or SELECTION_6)) +falsepositives: +- unknown +id: 171b67e1-74b4-460e-8d55-b331f3e32d67 +level: high +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_rdp_settings_hijack.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_redmimicry_winnti_filedrop.yml b/rules/Sigma/sysmon_redmimicry_winnti_filedrop.yml new file mode 100644 index 00000000..bd058c2a --- /dev/null +++ b/rules/Sigma/sysmon_redmimicry_winnti_filedrop.yml 
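Review bot: `SELECTION_6` (`fDenyTSConnections*`) overlaps the `fDenyTSConnections` selection of `sysmon_rdp_registry_modification.yml` added in the same commit, so a single change to that value raises two `level: high` alerts; if that is intended, a short comment cross-referencing the other rule keeps the duplication from being read as a bug. This rule also lacks the `status:` field its siblings carry and spells `falsepositives: unknown` in lowercase where the others use `Unknown`.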
@@ -0,0 +1,29 @@ +title: RedMimicry Winnti Playbook Dropped File +author: Alexander Rausch +date: 2020/06/24 +description: Detects actions caused by the RedMimicry Winnti playbook +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*gthread-3.6.dll*' + SELECTION_3: + TargetFilename: '*sigcmm-2.4.dll*' + SELECTION_4: + TargetFilename: '*\Windows\Temp\tmp.bat*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4)) +falsepositives: +- Unknown +id: 130c9e58-28ac-4f83-8574-0a4cc913b97e +level: high +logsource: + category: file_event + product: windows +references: +- https://redmimicry.com +tags: +- attack.defense_evasion +- attack.t1027 +yml_filename: sysmon_redmimicry_winnti_filedrop.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_redmimicry_winnti_reg.yml b/rules/Sigma/sysmon_redmimicry_winnti_reg.yml new file mode 100644 index 00000000..48b6dbf7 --- /dev/null +++ b/rules/Sigma/sysmon_redmimicry_winnti_reg.yml @@ -0,0 +1,29 @@ +title: RedMimicry Winnti Playbook Registry Manipulation +author: Alexander Rausch +date: 2020/06/24 +description: Detects actions caused by the RedMimicry Winnti playbook +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*HKLM\SOFTWARE\Microsoft\HTMLHelp\data*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- Unknown +id: 5b175490-b652-4b02-b1de-5b5b4083c5f8 +level: high +logsource: + category: registry_event + product: windows +references: +- https://redmimicry.com +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_redmimicry_winnti_reg.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_reg_office_security.yml b/rules/Sigma/sysmon_reg_office_security.yml new file mode 100644 index 00000000..04b13947 --- /dev/null 
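Review bot: All three `TargetFilename` patterns in `sysmon_redmimicry_winnti_filedrop.yml` end with a trailing `*` (`'*gthread-3.6.dll*'`, `'*sigcmm-2.4.dll*'`, `'*\Windows\Temp\tmp.bat*'`), so they match any path that merely contains the name rather than a file with that name; if the playbook drops these exact files, the suffix form (`'*\gthread-3.6.dll'` etc.) is the precise check. The companion `sysmon_redmimicry_winnti_reg.yml` has the mirror-image issue: its `TargetObject` `'*HKLM\SOFTWARE\Microsoft\HTMLHelp\data*'` starts with `*` although Sysmon `TargetObject` values begin with the hive name, so the leading wildcard is a no-op that can be dropped. The shared description `Detects actions caused by the RedMimicry Winnti playbook` does not say which action; naming the dropped files and the registry key in the respective descriptions helps triage.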
+++ b/rules/Sigma/sysmon_reg_office_security.yml @@ -0,0 +1,37 @@ +title: Office Security Settings Changed +author: Trent Liffick (@tliffick) +date: 2020/05/22 +description: Detects registry changes to Office macro settings +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Security\Trusted Documents\TrustRecords' + SELECTION_5: + TargetObject: '*\Security\AccessVBOM' + SELECTION_6: + TargetObject: '*\Security\VBAWarnings' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5 + or SELECTION_6)) +falsepositives: +- Valid Macros and/or internal documents +id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd +level: high +logsource: + category: registry_event + product: windows +modified: 2021/07/12 +references: +- Internal Research +- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1112 +yml_filename: sysmon_reg_office_security.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_reg_silentprocessexit.yml b/rules/Sigma/sysmon_reg_silentprocessexit.yml new file mode 100644 index 00000000..e186b2d0 --- /dev/null +++ b/rules/Sigma/sysmon_reg_silentprocessexit.yml 
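Review bot: `SELECTION_4` (`'*\Security\Trusted Documents\TrustRecords'`) has no trailing wildcard, so it only matches the `TrustRecords` key itself; the per-document entries written when a user trusts a file are values beneath that key, whose `TargetObject` ends in the document path and never in `TrustRecords`. If trust-record writes are in scope, use `'*\Security\Trusted Documents\TrustRecords*'` as `sysmon_registry_trust_record_modification.yml` does with `'*TrustRecords*'`, or drop `SELECTION_4` here and rely on that rule so two rules do not claim the same coverage. The `Internal Research` reference is not resolvable by readers; a sentence in the description on what was tested would replace it.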
@@ -0,0 +1,33 @@ +title: SilentProcessExit Monitor Registrytion +author: Florian Roth +date: 2021/02/26 +description: Detects changes to the Registry in which a monitor program gets registered + to monitor the exit of another process +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*Microsoft\Windows NT\CurrentVersion\SilentProcessExit*' + SELECTION_5: + Details: '*MonitorProcess*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5) +falsepositives: +- Unknown +id: c81fe886-cac0-4913-a511-2822d72ff505 +level: high +logsource: + category: registry_event + product: windows +references: +- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ +tags: +- attack.persistence +- attack.t1546.012 +yml_filename: sysmon_reg_silentprocessexit.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_reg_silentprocessexit_lsass.yml b/rules/Sigma/sysmon_reg_silentprocessexit_lsass.yml new file mode 100644 index 00000000..684ad4b5 --- /dev/null +++ b/rules/Sigma/sysmon_reg_silentprocessexit_lsass.yml 
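Review bot: `SELECTION_5` looks for `MonitorProcess` in `Details`, but in a Sysmon Event ID 13 the value name is the last path element of `TargetObject` while `Details` holds the value data, so a write that sets the `MonitorProcess` value under `...\SilentProcessExit\<app>` yields `TargetObject: ...\SilentProcessExit\<app>\MonitorProcess` with the monitor program in `Details`, and the rule misses it. Change `SELECTION_5` to `TargetObject: '*\SilentProcessExit\*\MonitorProcess'`; the condition can stay as is. Verify against a captured event, noting that the companion `sysmon_reg_silentprocessexit_lsass.yml` relies on `TargetObject` alone.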
@@ -0,0 +1,31 @@ +title: SilentProcessExit Monitor Registrytion for LSASS +author: Florian Roth +date: 2021/02/26 +description: Detects changes to the Registry in which a monitor program gets registered + to dump process memory of the lsass.exe process memory +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- Unknown +id: 55e29995-75e7-451a-bef0-6225e2f13597 +level: critical +logsource: + category: registry_event + product: windows +references: +- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ +- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +tags: +- attack.credential_access +- attack.t1003.007 +yml_filename: sysmon_reg_silentprocessexit_lsass.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_reg_vbs_payload_stored.yml b/rules/Sigma/sysmon_reg_vbs_payload_stored.yml new file mode 100644 index 00000000..da59f309 --- /dev/null +++ b/rules/Sigma/sysmon_reg_vbs_payload_stored.yml 
@@ -0,0 +1,56 @@ +title: VBScript Payload Stored in Registry +author: Florian Roth +date: 2021/03/05 +description: Detects VBScript content stored into registry keys as seen being used + by UNC2452 group +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: '*RunHTMLApplication*' + SELECTION_11: + Details: '*Execute(*' + SELECTION_12: + Details: '*CreateObject*' + SELECTION_13: + Details: '*RegRead*' + SELECTION_14: + Details: '*window.close*' + SELECTION_15: + TargetObject: '*Software\Microsoft\Windows\CurrentVersion\Run*' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*Software\Microsoft\Windows\CurrentVersion*' + SELECTION_5: + Details: '*vbscript*' + SELECTION_6: + Details: '*jscript*' + SELECTION_7: + Details: '*mshtml*' + SELECTION_8: + Details: '*mshtml,*' + SELECTION_9: + Details: '*mshtml *' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and (SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)) and not + (SELECTION_15)) +falsepositives: +- Unknown +id: 46490193-1b22-4c29-bdd6-5bf63907216f +level: high +logsource: + category: registry_event + product: windows +references: +- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ +status: experimental +tags: +- attack.persistence +- attack.t1547.001 +yml_filename: sysmon_reg_vbs_payload_stored.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_regedit_export_to_ads.yml b/rules/Sigma/sysmon_regedit_export_to_ads.yml new file mode 100644 index 00000000..e8fd6d5d --- /dev/null +++ b/rules/Sigma/sysmon_regedit_export_to_ads.yml 
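Review bot: `SELECTION_8` (`'*mshtml,*'`) and `SELECTION_9` (`'*mshtml *'`) are subsumed by `SELECTION_7` (`'*mshtml*'`), so they add nothing to the OR and can be removed from both the selections and the condition. The tag `attack.t1547.001` (Registry Run Keys / Startup Folder) also sits oddly with `SELECTION_15`, which explicitly excludes `...\CurrentVersion\Run*`; if that exclusion is deliberate, `attack.t1112` describes the remaining matches and the reason for excluding Run keys deserves a one-line comment next to `SELECTION_15`.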
@@ -0,0 +1,30 @@ +title: Exports Registry Key To an Alternate Data Stream +author: Oddvar Moe, Sander Wiebing, oscd.community +date: 2020/10/07 +description: Exports the target Registry key and hides it in the specified alternate + data stream. +detection: + SELECTION_1: + EventID: 15 + SELECTION_2: + Image: '*\regedit.exe' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +fields: +- TargetFilename +id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84 +level: high +logsource: + category: create_stream_hash + product: windows +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml +- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +status: experimental +tags: +- attack.defense_evasion +- attack.t1564.004 +yml_filename: sysmon_regedit_export_to_ads.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_stream_hash + diff --git a/rules/Sigma/sysmon_registry_add_local_hidden_user.yml b/rules/Sigma/sysmon_registry_add_local_hidden_user.yml new file mode 100644 index 00000000..fff64074 --- /dev/null +++ b/rules/Sigma/sysmon_registry_add_local_hidden_user.yml 
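Review bot: The `description` (`Exports the target Registry key and hides it in the specified alternate data stream.`) is the LOLBAS technique text and describes what the adversary does, not what the rule matches; it should read along the lines of `Detects regedit.exe creating a named file stream (Sysmon Event ID 15), as happens when a registry export is written to an alternate data stream.` The rule has only two conjuncts and no `TargetFilename` constraint, so any stream regedit creates fires; that is acceptable for a hunting rule, but it should be stated in `falsepositives` instead of `Unknown`.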
@@ -0,0 +1,36 @@ +title: Creation of a Local Hidden User Account by Registry +author: Christian Burkard +date: 2021/05/03 +description: Sysmon registry detection of a local hidden user account. +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKLM\SAM\SAM\Domains\Account\Users\Names\\* + SELECTION_5: + TargetObject: '*$' + SELECTION_6: + Image: '*lsass.exe' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6) +falsepositives: +- unknown +id: 460479f3-80b7-42da-9c43-2cc1d54dbccd +level: high +logsource: + category: registry_event + product: windows +modified: 2021/05/12 +references: +- https://twitter.com/SBousseaden/status/1387530414185664538 +status: experimental +tags: +- attack.persistence +- attack.t1136.001 +yml_filename: sysmon_registry_add_local_hidden_user.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_registry_persistence_key_linking.yml b/rules/Sigma/sysmon_registry_persistence_key_linking.yml new file mode 100644 index 00000000..f19b574e --- /dev/null +++ b/rules/Sigma/sysmon_registry_persistence_key_linking.yml 
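Review bot: `SELECTION_6` uses `Image: '*lsass.exe'` without a path separator, unlike `'*\lsass.exe'` in `sysmon_pypykatz_cred_dump_lsass_access.yml` and the other image patterns in this commit; `'*\lsass.exe'` is the consistent and slightly tighter form. `SELECTION_4` is an unquoted plain scalar containing `\\*`; it parses today, but quoting it as `'HKLM\SAM\SAM\Domains\Account\Users\Names\\*'` matches every other `TargetObject` in the set and protects the trailing `\\*` from tools that treat backslashes specially.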
@@ -0,0 +1,39 @@ +title: Windows Registry Persistence COM Key Linking +author: Kutepov Anton, oscd.community +date: 2019/10/23 +description: Detects COM object hijacking via TreatAs subkey +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + EventType: CreateKey + SELECTION_5: + TargetObject: '*HKU\\*' + SELECTION_6: + TargetObject: '*Classes\CLSID\\*' + SELECTION_7: + TargetObject: '*\TreatAs*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6 and SELECTION_7) +falsepositives: +- Maybe some system utilities in rare cases use linking keys for backward compatibility +id: 9b0f8a61-91b2-464f-aceb-0527e0a45020 +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/09/17 +references: +- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ +status: experimental +tags: +- attack.persistence +- attack.t1122 +- attack.t1546.015 +yml_filename: sysmon_registry_persistence_key_linking.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_registry_persistence_search_order.yml b/rules/Sigma/sysmon_registry_persistence_search_order.yml new file mode 100644 index 00000000..99f80e89 --- /dev/null +++ b/rules/Sigma/sysmon_registry_persistence_search_order.yml 
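Review bot: `SELECTION_4` (`EventType: CreateKey`) only occurs on Sysmon Event ID 12, so ORing in `SELECTION_2` (13) and `SELECTION_3` (14) cannot produce additional matches; either simplify to `SELECTION_1 and SELECTION_4 and SELECTION_5 and SELECTION_6 and SELECTION_7`, or drop `SELECTION_4` if value writes under `TreatAs` are also of interest. `SELECTION_5` (`'*HKU\\*'`) has a leading `*` in front of the hive name, which is a no-op for Sysmon `TargetObject`. The tag list carries both the deprecated `attack.t1122` and its successor `attack.t1546.015`; keep one.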
@@ -0,0 +1,72 @@ +title: Windows Registry Persistence COM Search Order Hijacking +author: "Maxime Thiebaut (@0xThiebaut), oscd.community, C\xE9dric Hien" +date: 2020/04/14 +description: Detects potential COM object hijacking leveraging the COM Search Order +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: '*%%systemroot%%\system32\\*' + SELECTION_11: + Details: '*%%systemroot%%\SysWow64\\*' + SELECTION_12: + EventID: 12 + SELECTION_13: + EventID: 13 + SELECTION_14: + EventID: 14 + SELECTION_15: + Details: '*\AppData\Local\Microsoft\OneDrive\\*' + SELECTION_16: + Details: '*\FileCoAuthLib64.dll*' + SELECTION_17: + Details: '*\FileSyncShell64.dll*' + SELECTION_18: + Details: '*\FileSyncApi64.dll*' + SELECTION_19: + Details: '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*' + SELECTION_2: + EventID: 13 + SELECTION_20: + Details: '*\Microsoft.Teams.AddinLoader.dll*' + SELECTION_21: + Details: '*\AppData\Roaming\Dropbox\\*' + SELECTION_22: + Details: '*\DropboxExt64.*.dll*' + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKCR\CLSID\\* + SELECTION_5: + TargetObject: HKCU\Software\Classes\CLSID\\* + SELECTION_6: + TargetObject: '*\InprocServer32\(Default)' + SELECTION_7: + EventID: 12 + SELECTION_8: + EventID: 13 + SELECTION_9: + EventID: 14 + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5) + and SELECTION_6) and not (((SELECTION_7 or SELECTION_8 or SELECTION_9) and + ((((SELECTION_10 or SELECTION_11) or ((SELECTION_12 or SELECTION_13 or SELECTION_14) + and SELECTION_15 and (SELECTION_16 or SELECTION_17 or SELECTION_18))) or (SELECTION_19 + and SELECTION_20)) or (SELECTION_21 and SELECTION_22))))) +falsepositives: +- Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level +id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 +level: medium +logsource: + category: registry_event + product: windows +modified: 2021/09/16 +references: +- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ +- https://attack.mitre.org/techniques/T1546/015/ +status: experimental +tags: +- attack.persistence +- attack.t1546.015 +yml_filename: sysmon_registry_persistence_search_order.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_registry_susp_printer_driver.yml b/rules/Sigma/sysmon_registry_susp_printer_driver.yml new file mode 100644 index 00000000..59f6253c --- /dev/null +++ b/rules/Sigma/sysmon_registry_susp_printer_driver.yml @@ -0,0 +1,37 @@ +title: Suspicious Printer Driver Empty Manufacturer +author: Florian Roth +date: 2020/07/01 +description: Detects a suspicious printer driver installation with an empty Manufacturer + value +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Control\Print\Environments\Windows x64\Drivers*' + SELECTION_5: + TargetObject: '*\Manufacturer*' + SELECTION_6: + Details: (Empty) + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6) +falsepositives: +- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer + value +id: e0813366-0407-449a-9869-a2db1119dc41 +level: high +logsource: + category: registry_event + product: windows +references: +- https://twitter.com/SBousseaden/status/1410545674773467140 +status: experimental +tags: +- attack.privilege_escalation +- cve.2021.1675 +yml_filename: sysmon_registry_susp_printer_driver.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + 
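Review bot: The condition repeats the Event ID disjunction three times — `SELECTION_7`/`8`/`9` and `SELECTION_12`/`13`/`14` are copies of `SELECTION_1`/`2`/`3` and are already implied by the outer AND — so six selections and two nesting levels can be deleted without changing what matches; this looks like a converter artifact, but it makes the deeply nested `not (...)` hard to audit. The exclusions `SELECTION_15`–`SELECTION_22` key on DLL file names under user-writable `AppData` paths, i.e. they exclude by name rather than by publisher; a comment stating that this is an accepted trade-off belongs next to them. `falsepositives` also says `i.e. OneDrive` where `e.g.` is meant.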
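Review bot: `SELECTION_4` only covers the `Windows x64` print environment (`'*\Control\Print\Environments\Windows x64\Drivers*'`); driver registrations under other environment keys (such as `Windows NT x86`) with an empty `Manufacturer` would not alert. If those are in scope, generalise the pattern to `'*\Control\Print\Environments\*\Drivers*'` or add selections for the other environment names. The `cve.2021.1675` tag would also be clearer with a `references` entry pointing at the vendor advisory rather than only the tweet.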
diff --git a/rules/Sigma/sysmon_registry_trust_record_modification.yml b/rules/Sigma/sysmon_registry_trust_record_modification.yml new file mode 100644 index 00000000..3dea8684 --- /dev/null +++ b/rules/Sigma/sysmon_registry_trust_record_modification.yml @@ -0,0 +1,34 @@ +title: Windows Registry Trust Record Modification +author: Antonlovesdnb +date: 2020/02/19 +description: Alerts on trust record modification within the registry, indicating usage + of macros +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*TrustRecords*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 +level: medium +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ +- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html +status: experimental +tags: +- attack.initial_access +- attack.t1193 +- attack.t1566.001 +yml_filename: sysmon_registry_trust_record_modification.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_regsvr32_network_activity.yml b/rules/Sigma/sysmon_regsvr32_network_activity.yml new file mode 100644 index 00000000..850f76a6 --- /dev/null +++ b/rules/Sigma/sysmon_regsvr32_network_activity.yml 
@@ -0,0 +1,39 @@
+title: Regsvr32 Network Activity
+author: Dmitriy Lifanov, oscd.community
+date: 2019/10/25
+description: Detects network connections and DNS queries initiated by Regsvr32.exe
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ Image: '*\regsvr32.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+fields:
+- ComputerName
+- User
+- Image
+- DestinationIp
+- DestinationPort
+id: c7e91a02-d771-4a6d-a700-42587e0b1095
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2021/09/21
+references:
+- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
+- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
+status: experimental
+tags:
+- attack.execution
+- attack.t1559.001
+- attack.t1175
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
+yml_filename: sysmon_regsvr32_network_activity.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_remote_powershell_session_network.yml b/rules/Sigma/sysmon_remote_powershell_session_network.yml
new file mode 100644
index 00000000..efd24fe6
--- /dev/null
+++ b/rules/Sigma/sysmon_remote_powershell_session_network.yml
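Review bot: The description promises DNS queries, but the detection matches only `EventID: 3` under `category: network_connection`; Sysmon records DNS lookups as a separate event (Event ID 22, Sigma category `dns_query`), so those events never reach this rule. Either narrow the text to `description: Detects network connections initiated by Regsvr32.exe` or add a companion rule on the dns_query log source. The explicit `EventID: 3` also pins the rule to Sysmon even though the `network_connection` category already implies it, which presumably comes from the converter and is worth keeping in mind if the rule is ported to another backend.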
@@ -0,0 +1,36 @@
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell connections by monitoring network outbound
+ connections to ports 5985 or 5986 from a non-network service account.
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_2:
+ DestinationPort: 5985
+ SELECTION_3:
+ DestinationPort: 5986
+ SELECTION_4:
+ User: NT AUTHORITY\NETWORK SERVICE
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not (SELECTION_4))
+falsepositives:
+- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+level: high
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+yml_filename: sysmon_remote_powershell_session_network.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_removal_amsi_registry_key.yml b/rules/Sigma/sysmon_removal_amsi_registry_key.yml
new file mode 100644
index 00000000..4becaf90
--- /dev/null
+++ b/rules/Sigma/sysmon_removal_amsi_registry_key.yml
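Review bot: The description limits the rule to outbound connections, but nothing in the detection checks direction; Sysmon Event ID 3 is also emitted for accepted inbound connections, and the rule relies solely on the `NT AUTHORITY\NETWORK SERVICE` exclusion to drop the listener side rather than stating the intent. The rundll32 rule later in this commit uses `Initiated: 'true'` for exactly this; adding `SELECTION_5:` / `Initiated: 'true'` and changing the condition to `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_5 and not (SELECTION_4))` would make the logic match the text and stop depending on which account the listener happens to run under. The `User` exclusion is an exact string, so a localized account name would not be filtered; that limitation is worth a line under `falsepositives`.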
@@ -0,0 +1,38 @@
+title: Removal Amsi Provider Reg Key
+author: frack113
+date: 2021/06/07
+description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI
+ to disable AMSI inspection
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: DeleteKey
+ SELECTION_5:
+ TargetObject: '*{2781761E-28E0-4109-99FE-B9D127C57AFE}'
+ SELECTION_6:
+ TargetObject: '*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and (SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- unknown
+id: 41d1058a-aea7-4952-9293-29eaaf516465
+level: high
+logsource:
+ category: registry_event
+ definition: key must be add to the sysmon configuration to works
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://seclists.org/fulldisclosure/2020/Mar/45
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: sysmon_removal_amsi_registry_key.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_removal_com_hijacking_registry_key.yml b/rules/Sigma/sysmon_removal_com_hijacking_registry_key.yml
new file mode 100644
index 00000000..d1408cfd
--- /dev/null
+++ b/rules/Sigma/sysmon_removal_com_hijacking_registry_key.yml
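Review bot: `definition: key must be add to the sysmon configuration to works` is ungrammatical and does not say which key; suggest `definition: The AMSI provider keys under HKLM\Software\Microsoft\AMSI must be included in the Sysmon registry_event configuration, otherwise no events are produced for this rule`. The description is phrased as an instruction ("Remove the AMSI Provider registry key …") rather than as what the rule detects; `description: Detects deletion of an AMSI provider registry key under HKLM\Software\Microsoft\AMSI, which disables AMSI inspection` would read like the neighbouring rules. The title "Removal Amsi Provider Reg Key" would likewise be clearer as "AMSI Provider Registry Key Removal".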
@@ -0,0 +1,37 @@
+title: Removal of Potential COM Hijacking Registry Keys
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection to trigger for processes removing .*\shell\open\command
+ registry keys. Registry keys that might have been used for COM hijacking activities.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ EventType: DeleteKey
+ SELECTION_5:
+ TargetObject: '*\shell\open\command'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- unknown
+id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
+level: medium
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/7
+- https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
+- https://docs.microsoft.com/en-us/windows/win32/shell/launch
+- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
+- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+yml_filename: sysmon_removal_com_hijacking_registry_key.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_remove_windows_defender_definition_files.yml b/rules/Sigma/sysmon_remove_windows_defender_definition_files.yml
new file mode 100644
index 00000000..be356df0
--- /dev/null
+++ b/rules/Sigma/sysmon_remove_windows_defender_definition_files.yml
@@ -0,0 +1,37 @@
+title: Remove Windows Defender Definition Files
+author: frack113
+date: 2021/07/07
+description: Adversaries may disable security tools to avoid possible detection of
+ their tools and activities by removing Windows Defender Definition Files
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ OriginalFileName: MpCmdRun.exe
+ SELECTION_3:
+ CommandLine: '* -RemoveDefinitions*'
+ SELECTION_4:
+ CommandLine: '* -All*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: sysmon_remove_windows_defender_definition_files.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_rundll32_net_connections.yml b/rules/Sigma/sysmon_rundll32_net_connections.yml
new file mode 100644
index 00000000..fd23bd85
--- /dev/null
+++ b/rules/Sigma/sysmon_rundll32_net_connections.yml
@@ -0,0 +1,74 @@
+title: Rundll32 Internet Connection
+author: Florian Roth
+date: 2017/11/04
+description: Detects a rundll32 that communicates with public IP addresses
+detection:
+ SELECTION_1:
+ EventID: 3
+ SELECTION_10:
+ DestinationIp: 172.20.*
+ SELECTION_11:
+ DestinationIp: 172.21.*
+ SELECTION_12:
+ DestinationIp: 172.22.*
+ SELECTION_13:
+ DestinationIp: 172.23.*
+ SELECTION_14:
+ DestinationIp: 172.24.*
+ SELECTION_15:
+ DestinationIp: 172.25.*
+ SELECTION_16:
+ DestinationIp: 172.26.*
+ SELECTION_17:
+ DestinationIp: 172.27.*
+ SELECTION_18:
+ DestinationIp: 172.28.*
+ SELECTION_19:
+ DestinationIp: 172.29.*
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_20:
+ DestinationIp: 172.30.*
+ SELECTION_21:
+ DestinationIp: 172.31.*
+ SELECTION_22:
+ DestinationIp: 127.*
+ SELECTION_3:
+ Initiated: 'true'
+ SELECTION_4:
+ DestinationIp: 10.*
+ SELECTION_5:
+ DestinationIp: 192.168.*
+ SELECTION_6:
+ DestinationIp: 172.16.*
+ SELECTION_7:
+ DestinationIp: 172.17.*
+ SELECTION_8:
+ DestinationIp: 172.18.*
+ SELECTION_9:
+ DestinationIp: 172.19.*
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+ or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
+ or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+ or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
+ or SELECTION_20 or SELECTION_21 or SELECTION_22)))
+falsepositives:
+- Communication to other corporate systems that use IP addresses from public address
+ spaces
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
+level: medium
+logsource:
+ category: network_connection
+ product: windows
+modified: 2020/08/24
+references:
+- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+- attack.execution
+yml_filename: 
sysmon_rundll32_net_connections.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_runkey_winekey.yml b/rules/Sigma/sysmon_runkey_winekey.yml
new file mode 100644
index 00000000..c63f5e30
--- /dev/null
+++ b/rules/Sigma/sysmon_runkey_winekey.yml
@@ -0,0 +1,35 @@
+title: WINEKEY Registry Modification
+author: omkar72
+date: 2020/10/30
+description: Detects potential malicious modification of run keys by winekey or team9
+ backdoor
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- Image
+- EventType
+- TargetObject
+id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
+level: high
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+tags:
+- attack.persistence
+- attack.t1547
+yml_filename: sysmon_runkey_winekey.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_runonce_persistence.yml b/rules/Sigma/sysmon_runonce_persistence.yml
new file mode 100644
index 00000000..60c48e70
--- /dev/null
+++ b/rules/Sigma/sysmon_runonce_persistence.yml
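Review bot: The exclusion list in SELECTION_4 through SELECTION_22 covers only the RFC 1918 ranges and 127.0.0.0/8, so rundll32 connections to link-local 169.254.0.0/16, carrier-grade NAT 100.64.0.0/10 and any IPv6 destination (including ::1 and fe80::/10) are reported as "public IP" traffic. Adding `DestinationIp: 169.254.*` to the exclusion and a separate `DestinationIsIpv6: 'true'` exclusion would remove the obvious non-public cases, while 100.64.0.0/10 needs a CIDR-aware match rather than a prefix wildcard because it does not align with a dotted-prefix boundary. The `falsepositives` entry already acknowledges corporate systems on public ranges, so medium is a reasonable level; the title "Internet Connection" and the description's "public IP addresses" should be reconciled so the narrower exclusion-based semantics are clear. The hunk starts on the previous line.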
@@ -0,0 +1,34 @@
+title: Run Once Task Configuration in Registry
+author: Avneet Singh @v3t0_, oscd.community
+date: 2020/11/15
+description: Rule to detect the configuration of Run Once registry key. Configured
+ payload can be run by runonce.exe /AlternateShellStartup
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components*
+ SELECTION_5:
+ TargetObject: '*\StubPath'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Legitimate modification of the registry key by legitimate program
+id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
+level: medium
+logsource:
+ category: registry_event
+ product: windows
+references:
+- https://twitter.com/pabraeken/status/990717080805789697
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+yml_filename: sysmon_runonce_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/Sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 00000000..ac7691b6
--- /dev/null
+++ b/rules/Sigma/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
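Review bot: SELECTION_4 and SELECTION_5 match writes to `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\*\StubPath`, which is the Active Setup autostart location, yet the rule is tagged only `attack.defense_evasion` / `attack.t1112` and titled as a "Run Once" configuration. Adding `- attack.persistence` and `- attack.t1547.014` (Boot or Logon Autostart Execution: Active Setup) and naming Active Setup in the title would make triage and ATT&CK mapping accurate; the runonce.exe mention in the description stays correct as the execution path. The `TargetObject` in SELECTION_4 is an unquoted plain scalar with spaces and a trailing `*`, which parses, but differs from the quoted form used by SELECTION_5 and by the other rules in this commit.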
@@ -0,0 +1,40 @@
+title: WMI Script Host Process Image Loaded
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/09/02
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe
+ functionality being used via images being loaded by a process.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*\scrcons.exe'
+ SELECTION_3:
+ ImageLoaded: '*\vbscript.dll'
+ SELECTION_4:
+ ImageLoaded: '*\wbemdisp.dll'
+ SELECTION_5:
+ ImageLoaded: '*\wshom.ocx'
+ SELECTION_6:
+ ImageLoaded: '*\scrrun.dll'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6))
+falsepositives:
+- Unknown
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+level: high
+logsource:
+ category: image_load
+ product: windows
+references:
+- https://twitter.com/HunterPlaybook/status/1301207718355759107
+- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.privilege_escalation
+- attack.persistence
+- attack.t1546.003
+yml_filename: sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_sdclt_child_process.yml b/rules/Sigma/sysmon_sdclt_child_process.yml
new file mode 100644
index 00000000..7c884467
--- /dev/null
+++ b/rules/Sigma/sysmon_sdclt_child_process.yml
@@ -0,0 +1,28 @@
+title: Sdclt Child Processes
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for sdclt spawning new processes. This could be an
+ indicator of sdclt being used for bypass UAC techniques.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\sdclt.exe'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: da2738f2-fadb-4394-afa7-0a0674885afa
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/6
+- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_sdclt_child_process.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_spoolsv_dll_load.yml b/rules/Sigma/sysmon_spoolsv_dll_load.yml
new file mode 100644
index 00000000..97e71542
--- /dev/null
+++ b/rules/Sigma/sysmon_spoolsv_dll_load.yml
@@ -0,0 +1,35 @@
+title: Windows Spooler Service Suspicious Binary Load
+author: FPT.EagleEye, Thomas Patzke (improvements)
+date: 2021/06/29
+description: Detect DLL Load from Spooler Service backup folder
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*spoolsv.exe'
+ SELECTION_3:
+ ImageLoaded: '*\Windows\System32\spool\drivers\x64\3\\*'
+ SELECTION_4:
+ ImageLoaded: '*.dll'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Loading of legitimate driver
+id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
+level: informational
+logsource:
+ category: image_load
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
+- cve.2021.1675
+- cve.2021.34527
+yml_filename: sysmon_spoolsv_dll_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_ssp_added_lsa_config.yml b/rules/Sigma/sysmon_ssp_added_lsa_config.yml
new file mode 100644
index 00000000..edd80e71
--- /dev/null
+++ b/rules/Sigma/sysmon_ssp_added_lsa_config.yml
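Review bot: `Image: '*spoolsv.exe'` has no path separator before the file name, so any image whose name merely ends in spoolsv.exe satisfies SELECTION_2, unlike the `'*\scrcons.exe'` form the scrcons rule earlier in this commit uses; `Image: '*\spoolsv.exe'` is the anchored form. The same unanchored suffix appears in the fax rule later in this chunk (`'*fxssvc.exe'`, `'*ualapi.dll'`) and in the exclusion list of the ADFS named-pipe rule (`'*sqlservr.exe'`, `'*mmc.exe'` and the rest), where a loose match is more consequential because it widens what the filter suppresses. SELECTION_3 covers only the `x64\3` driver directory, so loads from the 32-bit spool driver tree go unmatched; that may be intentional on a 64-bit fleet but deserves a sentence in the description.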
@@ -0,0 +1,42 @@
+title: Security Support Provider (SSP) Added to LSA Configuration
+author: iwillkeepwatch
+date: 2019/01/18
+description: Detects the addition of a SSP to the registry. Upon a reboot or API call,
+ SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
+ SELECTION_5:
+ TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security
+ Packages
+ SELECTION_6:
+ Image: C:\Windows\system32\msiexec.exe
+ SELECTION_7:
+ Image: C:\Windows\syswow64\MsiExec.exe
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+ and not (SELECTION_6 or SELECTION_7))
+falsepositives:
+- Unlikely
+id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
+level: critical
+logsource:
+ category: registry_event
+ product: windows
+modified: 2020/09/06
+references:
+- https://attack.mitre.org/techniques/T1101/
+- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1101
+- attack.t1547.005
+yml_filename: sysmon_ssp_added_lsa_config.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_startup_folder_file_write.yml b/rules/Sigma/sysmon_startup_folder_file_write.yml
new file mode 100644
index 00000000..e38597c7
--- /dev/null
+++ b/rules/Sigma/sysmon_startup_folder_file_write.yml
@@ -0,0 +1,28 @@
+title: Startup Folder File Write
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for files being created in the Windows startup directory.
+ This could be an indicator of persistence.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+level: low
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/12
+- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+status: experimental
+tags:
+- attack.persistence
+- attack.t1547.001
+yml_filename: sysmon_startup_folder_file_write.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_susp_adfs_namedpipe_connection.yml b/rules/Sigma/sysmon_susp_adfs_namedpipe_connection.yml
new file mode 100644
index 00000000..5a67c93b
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_adfs_namedpipe_connection.yml
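Review bot: SELECTION_2 only watches the all-users startup folder under ProgramData; file creations in the per-user folder `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` are not matched, although that location is writable without administrative rights and is at least as relevant for the persistence the description talks about. Adding `SELECTION_3:` / `TargetFilename: '*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*'` and changing the condition to `condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))` would close that gap. The existing pattern also lacks a `\` before `ProgramData`, so it is slightly looser than the other path patterns in this commit.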
@@ -0,0 +1,50 @@
+title: ADFS Database Named Pipe Connection
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2021/10/08
+description: Detects suspicious local connections via a named pipe to the AD FS configuration
+ database (Windows Internal Database). Used to access information such as the AD
+ FS configuration settings which contains sensitive information used to sign SAML
+ tokens.
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_10:
+ Image: '*sqlservr.exe'
+ SELECTION_2:
+ EventID: 18
+ SELECTION_3:
+ PipeName: \MICROSOFT##WID\tsql\query
+ SELECTION_4:
+ Image: '*Microsoft.IdentityServer.ServiceHost.exe'
+ SELECTION_5:
+ Image: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+ SELECTION_6:
+ Image: '*AzureADConnect.exe'
+ SELECTION_7:
+ Image: '*Microsoft.Tri.Sensor.exe'
+ SELECTION_8:
+ Image: '*wsmprovhost.exe'
+ SELECTION_9:
+ Image: '*mmc.exe'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and not ((SELECTION_4
+ or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
+ or SELECTION_10)))
+falsepositives:
+- Processes in the filter condition
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+level: critical
+logsource:
+ category: pipe_created
+ product: windows
+modified: 2021/11/07
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+- https://o365blog.com/post/adfs/
+- https://github.com/Azure/SimuLand
+status: experimental
+tags:
+- attack.collection
+- attack.t1005
+yml_filename: sysmon_susp_adfs_namedpipe_connection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_susp_adsi_cache_usage.yml b/rules/Sigma/sysmon_susp_adsi_cache_usage.yml
new file mode 100644
index 00000000..e096971b
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_adsi_cache_usage.yml
@@ -0,0 +1,45 @@
+title: Suspicious ADSI-Cache Usage By Unknown Tool
+author: xknow @xknow_infosec
+date: 2019/03/24
+description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect
+ tools like LDAPFragger.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*'
+ SELECTION_3:
+ TargetFilename: '*.sch'
+ SELECTION_4:
+ Image: C:\windows\system32\svchost.exe
+ SELECTION_5:
+ Image: C:\windows\system32\dllhost.exe
+ SELECTION_6:
+ Image: C:\windows\system32\mmc.exe
+ SELECTION_7:
+ Image: C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
+ SELECTION_8:
+ Image: C:\Windows\CCM\CcmExec.exe
+ condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+ or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8)))
+falsepositives:
+- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity
+ by MMC, Powershell, Windows etc.
+id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
+level: high
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
+- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
+- https://github.com/fox-it/LDAPFragger
+status: experimental
+tags:
+- attack.t1071
+- attack.t1001.003
+- attack.command_and_control
+yml_filename: sysmon_susp_adsi_cache_usage.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_susp_atbroker_change.yml b/rules/Sigma/sysmon_susp_atbroker_change.yml
new file mode 100644
index 00000000..2a3e9374
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_atbroker_change.yml
@@ -0,0 +1,36 @@
+title: Atbroker Registry Change
+author: Mateusz Wydra, oscd.community
+date: 2020/10/13
+description: Detects creation/modification of Assisitive Technology applications and
+ persistence with usage of ATs
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ TargetObject: '*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*'
+ SELECTION_5:
+ TargetObject: '*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
+falsepositives:
+- Creation of non-default, legitimate AT.
+id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2021/05/24
+references:
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
+tags:
+- attack.defense_evasion
+- attack.t1218
+- attack.persistence
+- attack.t1547
+yml_filename: sysmon_susp_atbroker_change.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_susp_clr_logs.yml b/rules/Sigma/sysmon_susp_clr_logs.yml
new file mode 100644
index 00000000..a666c43e
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_clr_logs.yml
@@ -0,0 +1,39 @@
+title: Suspcious CLR Logs Creation
+author: omkar72, oscd.community
+date: 2020/10/12
+description: Detects suspicious .NET assembly executions
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\AppData\Local\Microsoft\CLR*'
+ SELECTION_3:
+ TargetFilename: '*\UsageLogs\\*'
+ SELECTION_4:
+ TargetFilename: '*mshta*'
+ SELECTION_5:
+ TargetFilename: '*cscript*'
+ SELECTION_6:
+ TargetFilename: '*wscript*'
+ SELECTION_7:
+ TargetFilename: '*regsvr32*'
+ SELECTION_8:
+ TargetFilename: '*wmic*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Unknown
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+level: high
+logsource:
+ category: file_event
+ product: windows
+references:
+- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_susp_clr_logs.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/Sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
new file mode 100644
index 00000000..57ab334d
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_cobaltstrike_pipe_patterns.yml
@@ -0,0 +1,106 @@
+title: CobaltStrike Named Pipe Patterns
+author: Florian Roth, Christian Burkard
+date: 2021/07/30
+description: Detects the creation of a named pipe with a pattern found in CobaltStrike
+ malleable C2 profiles
+detection:
+ SELECTION_1:
+ EventID: 17
+ SELECTION_10:
+ PipeName: \spoolss*
+ SELECTION_11:
+ PipeName: \msrpc_*
+ SELECTION_12:
+ PipeName: \win\msrpc_*
+ SELECTION_13:
+ PipeName: \wkssvc*
+ SELECTION_14:
+ PipeName: \f53f*
+ SELECTION_15:
+ PipeName: \windows.update.manager*
+ SELECTION_16:
+ PipeName: \SearchTextHarvester*
+ SELECTION_17:
+ PipeName: \DserNamePipe*
+ SELECTION_18:
+ PipeName: \PGMessagePipe*
+ SELECTION_19:
+ PipeName: \MsFteWds*
+ SELECTION_2:
+ EventID: 18
+ SELECTION_20:
+ PipeName: \f4c3*
+ SELECTION_21:
+ PipeName: \fullduplex_*
+ SELECTION_22:
+ PipeName: \rpc_*
+ SELECTION_23:
+ PipeName: \demoagent_11
+ SELECTION_24:
+ PipeName: \demoagent_22
+ SELECTION_25:
+ PipeName: \Winsock2\CatalogChangeListener-*
+ SELECTION_26:
+ PipeName: '*-0,'
+ SELECTION_27:
+ PipeName: \wkssvc
+ SELECTION_28:
+ PipeName: \spoolss
+ SELECTION_29:
+ PipeName: \scerpc
+ SELECTION_3:
+ PipeName: \mojo.5688.8052.183894939787088877*
+ SELECTION_30:
+ PipeName: \ntsvcs
+ SELECTION_31:
+ PipeName: \SearchTextHarvester
+ SELECTION_32:
+ PipeName: \PGMessagePipe
+ SELECTION_33:
+ PipeName: \MsFteWds
+ SELECTION_4:
+ PipeName: \mojo.5688.8052.35780273329370473*
+ SELECTION_5:
+ PipeName: \mypipe-f*
+ SELECTION_6:
+ PipeName: \mypipe-h*
+ SELECTION_7:
+ PipeName: \ntsvcs*
+ SELECTION_8:
+ PipeName: \scerpc*
+ SELECTION_9:
+ PipeName: \win_svc*
+ condition: ((SELECTION_1 or SELECTION_2) and (((SELECTION_3 or SELECTION_4 or
+ SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or
+ SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+ or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
+ or SELECTION_20 or SELECTION_21 or SELECTION_22) or (SELECTION_23 or SELECTION_24))
+ or (SELECTION_25 and SELECTION_26)) and not ((SELECTION_27 or SELECTION_28
+ or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))
+falsepositives:
+- Chrome instances using the exactly same name pipe named mojo.something
+id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
+level: high
+logsource:
+ category: pipe_created
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+ config (Event ID 17 and Event ID 18). The basic configuration is in popular
+ sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+ it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+ https://github.com/olafhartong/sysmon-modular You can also use other repo,
+ e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
+ How to test detection? You can always use Cobalt Strike, but also you can
+ check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ product: windows
+modified: 2021/08/26
+references:
+- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055
+yml_filename: sysmon_susp_cobaltstrike_pipe_patterns.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_susp_desktop_ini.yml b/rules/Sigma/sysmon_susp_desktop_ini.yml
new file mode 100644
index 00000000..a79e5afe
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_desktop_ini.yml
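Review bot: `logsource.definition` repeats the sentence "You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular" twice in succession, so one copy should be removed; the remaining text also mixes configuration guidance with testing advice and would read better as two sentences with the testing pointer last. The `falsepositives` wording "the exactly same name pipe named mojo.something" is awkward; `- Chrome instances using the exact same pipe name (mojo.…)` says the same thing. The hunk starts on the previous line.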
@@ -0,0 +1,37 @@
+title: Suspicious desktop.ini Action
+author: Maxime Thiebaut (@0xThiebaut)
+date: 2020/03/19
+description: Detects unusual processes accessing desktop.ini, which can be leveraged
+ to alter how Explorer displays a folder's content (i.e. renaming files) without
+ changing them on disk.
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*\desktop.ini'
+ SELECTION_3:
+ Image: C:\Windows\explorer.exe
+ SELECTION_4:
+ Image: C:\Windows\System32\msiexec.exe
+ SELECTION_5:
+ Image: C:\Windows\System32\mmc.exe
+ condition: (SELECTION_1 and SELECTION_2 and not ((SELECTION_3 or SELECTION_4
+ or SELECTION_5)))
+falsepositives:
+- Operations performed through Windows SCCM or equivalent
+id: 81315b50-6b60-4d8f-9928-3466e1022515
+level: medium
+logsource:
+ category: file_event
+ product: windows
+modified: 2020/08/23
+references:
+- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1023
+- attack.t1547.009
+yml_filename: sysmon_susp_desktop_ini.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_susp_download_run_key.yml b/rules/Sigma/sysmon_susp_download_run_key.yml
new file mode 100644
index 00000000..8423033d
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_download_run_key.yml
@@ -0,0 +1,40 @@
+title: Suspicious Run Key from Download
+author: Florian Roth
+date: 2019/10/01
+description: Detects the suspicious RUN keys created by software located in Download
+ or temporary Outlook/Internet Explorer directories
+detection:
+ SELECTION_1:
+ EventID: 12
+ SELECTION_2:
+ EventID: 13
+ SELECTION_3:
+ EventID: 14
+ SELECTION_4:
+ Image: '*\Downloads\\*'
+ SELECTION_5:
+ Image: '*\Temporary Internet Files\Content.Outlook\\*'
+ SELECTION_6:
+ Image: '*\Local Settings\Temporary Internet Files\\*'
+ SELECTION_7:
+ TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
+ or SELECTION_6) and SELECTION_7)
+falsepositives:
+- Software installers downloaded and used by users
+id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
+level: high
+logsource:
+ category: registry_event
+ product: windows
+modified: 2020/09/06
+references:
+- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1060
+- attack.t1547.001
+yml_filename: sysmon_susp_download_run_key.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_susp_fax_dll.yml b/rules/Sigma/sysmon_susp_fax_dll.yml
new file mode 100644
index 00000000..b532dcc5
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_fax_dll.yml
@@ -0,0 +1,36 @@
+title: Fax Service DLL Search Order Hijack
+author: NVISO
+date: 2020/05/04
+description: The Fax service attempts to load ualapi.dll, which is non-existent. An
+ attacker can then (side)load their own malicious DLL using this service.
+detection:
+ SELECTION_1:
+ EventID: 7
+ SELECTION_2:
+ Image: '*fxssvc.exe'
+ SELECTION_3:
+ ImageLoaded: '*ualapi.dll'
+ SELECTION_4:
+ ImageLoaded: C:\Windows\WinSxS\\*
+ condition: (SELECTION_1 and ((SELECTION_2) and (SELECTION_3)) and not ((SELECTION_4)))
+falsepositives:
+- Unlikely
+id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
+level: high
+logsource:
+ category: image_load
+ product: windows
+modified: 2020/08/23
+references:
+- https://windows-internals.com/faxing-your-way-to-system/
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1038
+- attack.t1574.001
+- attack.t1574.002
+yml_filename: sysmon_susp_fax_dll.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_susp_image_load.yml b/rules/Sigma/sysmon_susp_image_load.yml
new file mode 100644
index 00000000..ba73b595
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_image_load.yml
@@ -0,0 +1,33 @@ +title: Possible Process Hollowing Image Loading +author: Markus Neis +date: 2018/01/07 +description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. + through process hollowing by Mimikatz +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\notepad.exe' + SELECTION_3: + ImageLoaded: '*\samlib.dll' + SELECTION_4: + ImageLoaded: '*\WinSCard.dll' + condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4)) +falsepositives: +- Very likely, needs more tuning +id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1073 +- attack.t1574.002 +yml_filename: sysmon_susp_image_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_lsass_dll_load.yml b/rules/Sigma/sysmon_susp_lsass_dll_load.yml new file mode 100644 index 00000000..f76692e0 --- /dev/null +++ b/rules/Sigma/sysmon_susp_lsass_dll_load.yml 
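Review bot: `level: high` sits next to a falsepositives entry that reads "Very likely, needs more tuning", which is contradictory for alert routing; either drop to `level: medium` or tighten the selection. The title and description talk about loads from an untypical process in general, yet SELECTION_2 pins the rule to `*\notepad.exe` alone, so other hollowing hosts are not covered. If notepad is a deliberate canary, the description should say so rather than imply generic hollowing coverage.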
@@ -0,0 +1,37 @@ +title: DLL Load via LSASS +author: Florian Roth +date: 2019/10/16 +description: Detects a method to load DLL via LSASS process using an undocumented + Registry key +detection: + SELECTION_1: + EventID: 12 + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*' + SELECTION_5: + TargetObject: '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +id: b3503044-60ce-4bf4-bbcb-e3db98788823 +level: high +logsource: + category: registry_event + product: windows +modified: 2020/07/01 +references: +- https://blog.xpnsec.com/exploring-mimikatz-part-1/ +- https://twitter.com/SBousseaden/status/1183745981189427200 +status: experimental +tags: +- attack.execution +- attack.persistence +- attack.t1177 +- attack.t1547.008 +yml_filename: sysmon_susp_lsass_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_susp_mic_cam_access.yml b/rules/Sigma/sysmon_susp_mic_cam_access.yml new file mode 100644 index 00000000..79783789 --- /dev/null +++ b/rules/Sigma/sysmon_susp_mic_cam_access.yml 
@@ -0,0 +1,53 @@ +title: Suspicious Camera and Microphone Access +author: Den Iuzvyk +date: 2020/06/07 +description: Detects Processes accessing the camera and microphone from suspicious + folder +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + TargetObject: '*:#Temp#*' + SELECTION_11: + TargetObject: '*:#Users#Public#*' + SELECTION_12: + TargetObject: '*:#Users#Default#*' + SELECTION_13: + TargetObject: '*:#Users#Desktop#*' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*' + SELECTION_5: + TargetObject: '*\NonPackaged*' + SELECTION_6: + TargetObject: '*microphone*' + SELECTION_7: + TargetObject: '*webcam*' + SELECTION_8: + TargetObject: '*:#Windows#Temp#*' + SELECTION_9: + TargetObject: '*:#$Recycle.bin#*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and (SELECTION_6 or SELECTION_7) and (SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13)) +falsepositives: +- Unlikely, there could be conferencing software running from a Temp folder accessing + the devices +id: 62120148-6b7a-42be-8b91-271c04e281a3 +level: high +logsource: + category: registry_event + product: windows +modified: 2021/09/17 +references: +- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 +tags: +- attack.collection +- attack.t1125 +- attack.t1123 +yml_filename: sysmon_susp_mic_cam_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/Sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml new file mode 100644 index 00000000..95eea5c3 --- /dev/null +++ b/rules/Sigma/sysmon_susp_office_dotnet_assembly_dll_load.yml 
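Review bot: SELECTION_13 `'*:#Users#Desktop#*'` matches a literal `<drive>:\Users\Desktop\` folder, which is not a standard profile layout, so a binary on a real user's Desktop (`C:\Users\<name>\Desktop\`) does not trigger it; if that was the intent the pattern needs a wildcard for the profile name, e.g. `TargetObject: '*:#Users#*#Desktop#*'`. The `#` separators are what CapabilityAccessManager uses in NonPackaged key names, consistent with SELECTION_8–12, so only the anchoring is in question. Please confirm which reading the author meant before tuning.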
@@ -0,0 +1,37 @@ +title: dotNET DLL Loaded Via Office Applications +author: Antonlovesdnb +date: 2020/02/19 +description: Detects any assembly DLL being loaded by an Office Product +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\winword.exe' + SELECTION_3: + Image: '*\powerpnt.exe' + SELECTION_4: + Image: '*\excel.exe' + SELECTION_5: + Image: '*\outlook.exe' + SELECTION_6: + ImageLoaded: C:\Windows\assembly\\* + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + and (SELECTION_6)) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: ff0f2b05-09db-4095-b96d-1b75ca24894a +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +status: experimental +tags: +- attack.execution +- attack.t1204 +- attack.t1204.002 +yml_filename: sysmon_susp_office_dotnet_assembly_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/Sigma/sysmon_susp_office_dotnet_clr_dll_load.yml new file mode 100644 index 00000000..e3484644 --- /dev/null +++ b/rules/Sigma/sysmon_susp_office_dotnet_clr_dll_load.yml 
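Review bot: SELECTION_6 `C:\Windows\assembly\\*` pins the system drive, so a host with Windows on another drive produces no match; `ImageLoaded: '*\Windows\assembly\\*'` keeps the intent without the assumption. This path is the legacy GAC while the sibling GAC rule in this commit covers `Microsoft.NET\assembly`, so a one-line note in the description on why two rules exist would help the next maintainer.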
@@ -0,0 +1,37 @@ +title: CLR DLL Loaded Via Office Applications +author: Antonlovesdnb +date: 2020/02/19 +description: Detects CLR DLL being loaded by an Office Product +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\winword.exe' + SELECTION_3: + Image: '*\powerpnt.exe' + SELECTION_4: + Image: '*\excel.exe' + SELECTION_5: + Image: '*\outlook.exe' + SELECTION_6: + ImageLoaded: '*\clr.dll*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + and (SELECTION_6)) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: d13c43f0-f66b-4279-8b2c-5912077c1780 +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +status: experimental +tags: +- attack.execution +- attack.t1204 +- attack.t1204.002 +yml_filename: sysmon_susp_office_dotnet_clr_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/Sigma/sysmon_susp_office_dotnet_gac_dll_load.yml new file mode 100644 index 00000000..84180407 --- /dev/null +++ b/rules/Sigma/sysmon_susp_office_dotnet_gac_dll_load.yml 
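Review bot: SELECTION_6 `'*\clr.dll*'` catches the .NET Framework runtime only; a .NET Core/5+ add-in or payload loads `coreclr.dll`, which this pattern does not match, and the trailing `*` after `.dll` adds nothing but oddly named paths. Consider `ImageLoaded: '*\clr.dll'` plus a sibling `'*\coreclr.dll'`, matching the `*\kerberos.dll` form used in the sibling rule of this commit.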
@@ -0,0 +1,37 @@ +title: GAC DLL Loaded Via Office Applications +author: Antonlovesdnb +date: 2020/02/19 +description: Detects any GAC DLL being loaded by an Office Product +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\winword.exe' + SELECTION_3: + Image: '*\powerpnt.exe' + SELECTION_4: + Image: '*\excel.exe' + SELECTION_5: + Image: '*\outlook.exe' + SELECTION_6: + ImageLoaded: C:\Windows\Microsoft.NET\assembly\GAC_MSIL* + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + and (SELECTION_6)) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: 90217a70-13fc-48e4-b3db-0d836c5824ac +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +status: experimental +tags: +- attack.execution +- attack.t1204 +- attack.t1204.002 +yml_filename: sysmon_susp_office_dotnet_gac_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_office_dsparse_dll_load.yml b/rules/Sigma/sysmon_susp_office_dsparse_dll_load.yml new file mode 100644 index 00000000..e6786b9b --- /dev/null +++ b/rules/Sigma/sysmon_susp_office_dsparse_dll_load.yml 
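Review bot: SELECTION_6 `C:\Windows\Microsoft.NET\assembly\GAC_MSIL*` covers only the MSIL subtree, so assemblies loaded from `GAC_32` or `GAC_64` under the same parent go unmatched. `ImageLoaded: '*\Windows\Microsoft.NET\assembly\GAC_*'` matches all three and drops the hard-coded drive letter.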
@@ -0,0 +1,37 @@ +title: Active Directory Parsing DLL Loaded Via Office Applications +author: Antonlovesdnb +date: 2020/02/19 +description: Detects DSParse DLL being loaded by an Office Product +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\winword.exe' + SELECTION_3: + Image: '*\powerpnt.exe' + SELECTION_4: + Image: '*\excel.exe' + SELECTION_5: + Image: '*\outlook.exe' + SELECTION_6: + ImageLoaded: '*\dsparse.dll*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + and (SELECTION_6)) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: a2a3b925-7bb0-433b-b508-db9003263cc4 +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +status: experimental +tags: +- attack.execution +- attack.t1204 +- attack.t1204.002 +yml_filename: sysmon_susp_office_dsparse_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_office_kerberos_dll_load.yml b/rules/Sigma/sysmon_susp_office_kerberos_dll_load.yml new file mode 100644 index 00000000..862f3f4e --- /dev/null +++ b/rules/Sigma/sysmon_susp_office_kerberos_dll_load.yml 
@@ -0,0 +1,37 @@ +title: Active Directory Kerberos DLL Loaded Via Office Applications +author: Antonlovesdnb +date: 2020/02/19 +description: Detects Kerberos DLL being loaded by an Office Product +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\winword.exe' + SELECTION_3: + Image: '*\powerpnt.exe' + SELECTION_4: + Image: '*\excel.exe' + SELECTION_5: + Image: '*\outlook.exe' + SELECTION_6: + ImageLoaded: '*\kerberos.dll' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + and (SELECTION_6)) +falsepositives: +- Alerts on legitimate macro usage as well, will need to filter as appropriate +id: 7417e29e-c2e7-4cf6-a2e8-767228c64837 +level: high +logsource: + category: image_load + product: windows +modified: 2020/08/23 +references: +- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +status: experimental +tags: +- attack.execution +- attack.t1204 +- attack.t1204.002 +yml_filename: sysmon_susp_office_kerberos_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_pfx_file_creation.yml b/rules/Sigma/sysmon_susp_pfx_file_creation.yml new file mode 100644 index 00000000..87bd8b1d --- /dev/null +++ b/rules/Sigma/sysmon_susp_pfx_file_creation.yml 
@@ -0,0 +1,28 @@ +title: Suspicious PFX File Creation +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A general detection for processes creating PFX files. This could be an + indicator of an adversary exporting a local certificate to a PFX file. +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*.pfx' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- System administrators managing certififcates. +id: dca1b3e8-e043-4ec8-85d7-867f334b5724 +level: medium +logsource: + category: file_event + product: windows +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/14 +- https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html +status: experimental +tags: +- attack.credential_access +- attack.t1552.004 +yml_filename: sysmon_susp_pfx_file_creation.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_susp_plink_remote_forward.yml b/rules/Sigma/sysmon_susp_plink_remote_forward.yml new file mode 100644 index 00000000..1164d633 --- /dev/null +++ b/rules/Sigma/sysmon_susp_plink_remote_forward.yml 
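Review bot: SELECTION_2 matches the `.pfx` extension only, yet the same PKCS#12 container is routinely written as `.p12`, so a sibling `TargetFilename: '*.p12'` OR-ed into the condition closes an easy gap. Also `certififcates` in the falsepositives entry is a typo for `certificates`.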
@@ -0,0 +1,31 @@ +title: Suspicious Plink Remote Forwarding +author: Florian Roth +date: 2021/01/19 +description: Detects suspicious Plink tunnel remote forarding to a local port +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Description: Command-line SSH, Telnet, and Rlogin client + SELECTION_3: + CommandLine: '* -R *' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Administrative activity using a remote port forwarding to a local port +id: 48a61b29-389f-4032-b317-b30de6b95314 +level: high +logsource: + category: process_creation + product: windows +references: +- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/ +- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d +status: experimental +tags: +- attack.command_and_control +- attack.t1572 +- attack.lateral_movement +- attack.t1021.001 +yml_filename: sysmon_susp_plink_remote_forward.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_susp_powershell_rundll32.yml b/rules/Sigma/sysmon_susp_powershell_rundll32.yml new file mode 100644 index 00000000..4caa9ee8 --- /dev/null +++ b/rules/Sigma/sysmon_susp_powershell_rundll32.yml 
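Review bot: The only thing binding this rule to plink is the PE version-resource `Description` in SELECTION_2, a string the operator can edit or strip before shipping the binary, after which `' -R '` alone is too generic to act on. OR-ing in `Image: '*\plink.exe'` (and `OriginalFileName: plink.exe` where the Sysmon config records it) at least catches the stripped-but-unrenamed case. Also `forarding` in the description should read `forwarding`.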
@@ -0,0 +1,33 @@ +title: PowerShell Rundll32 Remote Thread Creation +author: Florian Roth +date: 2018/06/25 +description: Detects PowerShell remote thread creation in Rundll32.exe +detection: + SELECTION_1: + EventID: 8 + SELECTION_2: + SourceImage: '*\powershell.exe' + SELECTION_3: + TargetImage: '*\rundll32.exe' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unknown +id: 99b97608-3e21-4bfe-8217-2a127c396a0e +level: high +logsource: + category: create_remote_thread + product: windows +modified: 2021/11/12 +references: +- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html +status: experimental +tags: +- attack.defense_evasion +- attack.execution +- attack.t1085 +- attack.t1218.011 +- attack.t1086 +- attack.t1059.001 +yml_filename: sysmon_susp_powershell_rundll32.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread + diff --git a/rules/Sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/Sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml new file mode 100644 index 00000000..ad1d8764 --- /dev/null +++ b/rules/Sigma/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml 
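Review bot: SELECTION_2 matches `*\powershell.exe` only, so a remote thread created from `pwsh.exe` (PowerShell 7) or `powershell_ise.exe` into rundll32 is not caught although the technique is identical. Add them as sibling selections, e.g. `SourceImage: '*\pwsh.exe'` and `SourceImage: '*\powershell_ise.exe'`, OR-ed with SELECTION_2. Keeping the deprecated `attack.t1085`/`attack.t1086` next to their replacements appears to be the convention in this commit, so no change there.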
@@ -0,0 +1,43 @@ +title: Suspicious PROCEXP152.sys File Created In TMP +author: xknow (@xknow_infosec), xorxes (@xor_xes) +date: 2019/04/08 +description: Detects the creation of the PROCEXP152.sys file in the application-data + local temporary folder. This driver is used by Sysinternals Process Explorer but + also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), + which uses KDU. +detection: + SELECTION_1: + EventID: 11 + SELECTION_2: + TargetFilename: '*\AppData\Local\Temp\\*' + SELECTION_3: + TargetFilename: '*PROCEXP152.sys' + SELECTION_4: + Image: '*\procexp64.exe*' + SELECTION_5: + Image: '*\procexp.exe*' + SELECTION_6: + Image: '*\procmon64.exe*' + SELECTION_7: + Image: '*\procmon.exe*' + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 + or SELECTION_5 or SELECTION_6 or SELECTION_7))) +falsepositives: +- Other legimate tools using this driver and filename (like Sysinternals). Note - + Clever attackers may easily bypass this detection by just renaming the driver + filename. Therefore just Medium-level and don't rely on it. +id: 3da70954-0f2c-4103-adff-b7440368f50e +level: medium +logsource: + category: file_event + product: windows +references: +- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +status: experimental +tags: +- attack.t1089 +- attack.t1562.001 +- attack.defense_evasion +yml_filename: sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event + diff --git a/rules/Sigma/sysmon_susp_prog_location_network_connection.yml b/rules/Sigma/sysmon_susp_prog_location_network_connection.yml new file mode 100644 index 00000000..f353846e --- /dev/null +++ b/rules/Sigma/sysmon_susp_prog_location_network_connection.yml 
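Review bot: The exclusion in SELECTION_4–7 keys on the writing process's image name, so the bypass the falsepositives text warns about (rename the driver) has an equally cheap twin on this side (name the dropper `procexp64.exe`), and EventID 11 offers no signer or hash to do better with. If the aim is to tell real Process Explorer from KDU, the place to check is the subsequent Sysmon driver-load event (EID 6), where `Signature`/`Hashes` are available; this rule's description should say its exclusion is noise reduction, not a security control. The trailing `*` in `'*\procexp64.exe*'` etc. also widens the exclusion to names like `procexp64.exe.bak`; the sibling service rule in this commit uses the tighter `'*\procexp64.exe'` form.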
@@ -0,0 +1,51 @@ +title: Suspicious Program Location with Network Connections +author: Florian Roth +date: 2017/03/19 +description: Detects programs with network connections running in suspicious files + system locations +detection: + SELECTION_1: + EventID: 3 + SELECTION_10: + Image: '*\Windows\addins\\*' + SELECTION_11: + Image: '*\$Recycle.bin' + SELECTION_12: + Image: C:\Perflogs\\* + SELECTION_2: + Image: '*\Users\All Users\\*' + SELECTION_3: + Image: '*\Users\Default\\*' + SELECTION_4: + Image: '*\Users\Public\\*' + SELECTION_5: + Image: '*\Users\Contacts\\*' + SELECTION_6: + Image: '*\Users\Searches\\*' + SELECTION_7: + Image: '*\config\systemprofile\\*' + SELECTION_8: + Image: '*\Windows\Fonts\\*' + SELECTION_9: + Image: '*\Windows\IME\\*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10) + or (SELECTION_11) or (SELECTION_12))) +falsepositives: +- unknown +id: 7b434893-c57d-4f41-908d-6a17bf1ae98f +level: high +logsource: + category: network_connection + definition: Use the following config to generate the necessary Event ID 3 Network + Connection events + product: windows +references: +- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo +status: experimental +tags: +- attack.command_and_control +- attack.t1105 +yml_filename: sysmon_susp_prog_location_network_connection.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_susp_python_image_load.yml b/rules/Sigma/sysmon_susp_python_image_load.yml new file mode 100644 index 00000000..a24eb721 --- /dev/null +++ b/rules/Sigma/sysmon_susp_python_image_load.yml 
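Review bot: SELECTION_11 is `'*\$Recycle.bin'` with no trailing `\\*`, so it only matches an Image that literally ends in `\$Recycle.bin`, which is never an executable path, and that branch of the condition is dead. It should be `Image: '*\$Recycle.bin\\*'` like the other folder patterns in this rule. Separately, `logsource.definition` says "Use the following config" but no config follows; either add the Sysmon snippet or drop the sentence.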
@@ -0,0 +1,31 @@ +title: Python Py2Exe Image Load +author: Patrick St. John, OTR (Open Threat Research) +date: 2020/05/03 +description: Detects the image load of Python Core indicative of a Python script bundled + with Py2Exe. +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Description: Python Core + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Legit Py2Exe Binaries +fields: +- Description +id: cbb56d62-4060-40f7-9466-d8aaf3123f83 +level: medium +logsource: + category: image_load + product: windows +modified: 2021/05/12 +references: +- https://www.py2exe.org/ +- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1027.002 +yml_filename: sysmon_susp_python_image_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_rdp.yml b/rules/Sigma/sysmon_susp_rdp.yml new file mode 100644 index 00000000..d2d716c1 --- /dev/null +++ b/rules/Sigma/sysmon_susp_rdp.yml 
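Review bot: `Description: Python Core` in SELECTION_2 is, as far as I can tell, the version-info string of the `pythonXY.dll` runtime itself, so every ordinary `python.exe`/`pythonw.exe` start on a host with Python installed would raise this alert, not only Py2Exe-bundled binaries as the falsepositives entry suggests. A `not` branch on `Image: '*\python.exe'` and `Image: '*\pythonw.exe'` (or a path constraint on the loaded DLL) would keep the rule on the bundled case. Worth confirming on a developer workstation before enabling at `level: medium`.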
@@ -0,0 +1,77 @@ +title: Suspicious Outbound RDP Connections +author: Markus Neis - Swisscom +date: 2019/05/15 +description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible + lateral movement +detection: + SELECTION_1: + EventID: 3 + SELECTION_10: + Image: '*\RemoteDesktopManagerFree.exe' + SELECTION_11: + Image: '*\RemoteDesktopManager.exe' + SELECTION_12: + Image: '*\RemoteDesktopManager64.exe' + SELECTION_13: + Image: '*\mRemoteNG.exe' + SELECTION_14: + Image: '*\mRemote.exe' + SELECTION_15: + Image: '*\Terminals.exe' + SELECTION_16: + Image: '*\spiceworks-finder.exe' + SELECTION_17: + Image: '*\FSDiscovery.exe' + SELECTION_18: + Image: '*\FSAssessment.exe' + SELECTION_19: + Image: '*\MobaRTE.exe' + SELECTION_2: + DestinationPort: 3389 + SELECTION_20: + Image: '*\chrome.exe' + SELECTION_21: + Image: '*\System32\dns.exe' + SELECTION_22: + Image: '*\thor.exe' + SELECTION_23: + Image: '*\thor64.exe' + SELECTION_3: + Initiated: 'true' + SELECTION_4: + Image: '*\mstsc.exe' + SELECTION_5: + Image: '*\RTSApp.exe' + SELECTION_6: + Image: '*\RTS2App.exe' + SELECTION_7: + Image: '*\RDCMan.exe' + SELECTION_8: + Image: '*\ws_TunnelService.exe' + SELECTION_9: + Image: '*\RSSensor.exe' + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 + or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 + or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 + or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23))) +falsepositives: +- Other Remote Desktop RDP tools +- domain controller using dns.exe +id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 +level: high +logsource: + category: network_connection + product: windows +modified: 2020/08/24 +references: +- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 +status: experimental +tags: +- attack.lateral_movement +- 
attack.t1021.001 +- attack.t1076 +- car.2013-07-002 +yml_filename: sysmon_susp_rdp.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/sysmon_susp_reg_persist_explorer_run.yml b/rules/Sigma/sysmon_susp_reg_persist_explorer_run.yml new file mode 100644 index 00000000..a55398bd --- /dev/null +++ b/rules/Sigma/sysmon_susp_reg_persist_explorer_run.yml @@ -0,0 +1,52 @@ +title: Registry Persistence via Explorer Run Key +author: Florian Roth, oscd.community +date: 2018/07/18 +description: Detects a possible persistence mechanism using RUN key for Windows Explorer + and pointing to a suspicious folder +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: C:\Users\Default\\* + SELECTION_11: + Details: '*\AppData\\*' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + SELECTION_5: + Details: C:\Windows\Temp\\* + SELECTION_6: + Details: C:\ProgramData\\* + SELECTION_7: + Details: C:\$Recycle.bin\\* + SELECTION_8: + Details: C:\Temp\\* + SELECTION_9: + Details: C:\Users\Public\\* + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and ((SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10) + or (SELECTION_11))) +falsepositives: +- Unknown +fields: +- Image +- ParentImage +id: b7916c2a-fa2f-4795-9477-32b731f70f11 +level: high +logsource: + category: registry_event + product: windows +modified: 2020/09/06 +references: +- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ +status: experimental +tags: +- attack.persistence +- attack.t1060 +- attack.t1547.001 +yml_filename: sysmon_susp_reg_persist_explorer_run.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + 
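Review bot: The allow-list in SELECTION_4–23 is applied to the image filename only, so a tool dropped anywhere as `mstsc.exe` or `chrome.exe` sidesteps the rule, and EventID 3 carries no signer data to tighten it. Where the expected path is fixed, anchor it as already done for `*\System32\dns.exe`, e.g. `Image: '*\System32\mstsc.exe'`; for the third-party clients a directory constraint under the install location is a reasonable compromise. The `chrome.exe` exclusion in particular deserves a comment on why a browser is expected to initiate 3389 connections.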
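Review bot: SELECTION_4 ends at `\Policies\Explorer\Run` with no trailing wildcard, but Sysmon's EventID 13 TargetObject carries the value name after the key path (e.g. `...\Explorer\Run\1`), so the value-set events that actually populate `Details` will not match and the SELECTION_5–11 checks can effectively only pair with a key-level event. Change it to `TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\*'`, mirroring the `...\Run\\*` form the other Run-key rules in this commit use. Please replay one real EID 13 against the rule to confirm before merging.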
diff --git a/rules/Sigma/sysmon_susp_run_key_img_folder.yml b/rules/Sigma/sysmon_susp_run_key_img_folder.yml new file mode 100644 index 00000000..94260fc6 --- /dev/null +++ b/rules/Sigma/sysmon_susp_run_key_img_folder.yml 
@@ -0,0 +1,59 @@ +title: New RUN Key Pointing to Suspicious Folder +author: Florian Roth, Markus Neis, Sander Wiebing +date: 2018/08/25 +description: Detects suspicious new RUN key element pointing to an executable in a + suspicious folder +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: '*C:\Users\Default\\*' + SELECTION_11: + Details: '*C:\Users\Desktop\\*' + SELECTION_12: + Details: '*\AppData\Local\Temp\\*' + SELECTION_13: + Details: '%Public%\\*' + SELECTION_14: + Details: wscript* + SELECTION_15: + Details: cscript* + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + SELECTION_5: + TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' + SELECTION_6: + Details: '*C:\Windows\Temp\\*' + SELECTION_7: + Details: '*C:\$Recycle.bin\\*' + SELECTION_8: + Details: '*C:\Temp\\*' + SELECTION_9: + Details: '*C:\Users\Public\\*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5) + and ((SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12) or (SELECTION_13 or SELECTION_14 or SELECTION_15))) +falsepositives: +- Software using weird folders for updates +fields: +- Image +id: 02ee49e2-e294-4d0f-9278-f5b3212fc588 +level: high +logsource: + category: registry_event + product: windows +modified: 2021/10/30 +references: +- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html +status: experimental +tags: +- attack.persistence +- attack.t1060 +- attack.t1547.001 +yml_filename: sysmon_susp_run_key_img_folder.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/Sigma/sysmon_susp_script_dotnet_clr_dll_load.yml new file mode 100644 index 00000000..d1e6cfd4 --- /dev/null 
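Review bot: SELECTION_14/15 (`wscript*`, `cscript*`) are anchored to the start of `Details`, so a Run value written as a quoted or fully qualified path (`"C:\Windows\System32\wscript.exe" ...`) slips past, while the folder patterns in SELECTION_6–12 all lead with `*`. A contains-style pattern such as `Details: '*\wscript.exe*'` would be consistent with the rest of the rule. SELECTION_11 `'*C:\Users\Desktop\\*'` also looks like it should be `'*C:\Users\*\Desktop\\*'`, since `C:\Users\Desktop` is not a standard profile location; please confirm the intent.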
+++ b/rules/Sigma/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -0,0 +1,40 @@ +title: CLR DLL Loaded Via Scripting Applications +author: omkar72, oscd.community +date: 2020/10/14 +description: Detects CLR DLL being loaded by an scripting applications +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + Image: '*\wscript.exe' + SELECTION_3: + Image: '*\cscript.exe' + SELECTION_4: + Image: '*\mshta.exe' + SELECTION_5: + ImageLoaded: '*\clr.dll' + SELECTION_6: + ImageLoaded: '*\mscoree.dll' + SELECTION_7: + ImageLoaded: '*\mscorlib.dll' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4) and (SELECTION_5 + or SELECTION_6 or SELECTION_7)) +falsepositives: +- unknown +id: 4508a70e-97ef-4300-b62b-ff27992990ea +level: high +logsource: + category: image_load + product: windows +references: +- https://github.com/tyranid/DotNetToJScript +- https://thewover.github.io/Introducing-Donut/ +- https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +status: experimental +tags: +- attack.execution +- attack.privilege_escalation +- attack.t1055 +yml_filename: sysmon_susp_script_dotnet_clr_dll_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_service_installed.yml b/rules/Sigma/sysmon_susp_service_installed.yml new file mode 100644 index 00000000..ae307432 --- /dev/null +++ b/rules/Sigma/sysmon_susp_service_installed.yml 
@@ -0,0 +1,49 @@ +title: Suspicious Service Installed +author: xknow (@xknow_infosec), xorxes (@xor_xes) +date: 2019/04/08 +description: Detects installation of NalDrv or PROCEXP152 services via registry-keys + to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs + (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) +detection: + SELECTION_1: + EventID: 12 + SELECTION_10: + Details: '*\WINDOWS\system32\Drivers\PROCEXP152.SYS*' + SELECTION_2: + EventID: 13 + SELECTION_3: + EventID: 14 + SELECTION_4: + TargetObject: HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath + SELECTION_5: + TargetObject: HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath + SELECTION_6: + Image: '*\procexp64.exe' + SELECTION_7: + Image: '*\procexp.exe' + SELECTION_8: + Image: '*\procmon64.exe' + SELECTION_9: + Image: '*\procmon.exe' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 or SELECTION_5) + and not ((SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))) and not + ((SELECTION_10))) +falsepositives: +- Other legimate tools using this service names and drivers. Note - clever attackers + may easily bypass this detection by just renaming the services. Therefore just + Medium-level and don't rely on it. +id: f2485272-a156-4773-82d7-1d178bc4905b +level: medium +logsource: + category: registry_event + product: windows +references: +- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +status: experimental +tags: +- attack.t1089 +- attack.t1562.001 +- attack.defense_evasion +yml_filename: sysmon_susp_service_installed.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event + diff --git a/rules/Sigma/sysmon_susp_service_modification.yml b/rules/Sigma/sysmon_susp_service_modification.yml new file mode 100644 index 00000000..5a3b45d7 --- /dev/null +++ b/rules/Sigma/sysmon_susp_service_modification.yml 
@@ -0,0 +1,41 @@ +title: Stop Or Remove Antivirus Service +author: frack113 +date: 2021/07/07 +description: Adversaries may disable security tools to avoid possible detection of + their tools and activities by stopping antivirus service +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*Stop-Service *' + SELECTION_3: + CommandLine: '*Remove-Service *' + SELECTION_4: + CommandLine: '* McAfeeDLPAgentService*' + SELECTION_5: + CommandLine: '* Trend Micro Deep Security Manager*' + SELECTION_6: + CommandLine: '* TMBMServer*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5 + or SELECTION_6)) +falsepositives: +- Unknown +fields: +- ComputerName +- User +- CommandLine +- ParentCommandLine +id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b +level: medium +logsource: + category: process_creation + product: windows +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +status: experimental +tags: +- attack.defense_evasion +- attack.t1562.001 +yml_filename: sysmon_susp_service_modification.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_susp_system_drawing_load.yml b/rules/Sigma/sysmon_susp_system_drawing_load.yml new file mode 100644 index 00000000..d2452005 --- /dev/null +++ b/rules/Sigma/sysmon_susp_system_drawing_load.yml 
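Review bot: SELECTION_2/3 only see the cmdlet when it is passed on the process command line; the same `Stop-Service` issued from an interactive PowerShell prompt or from a `.ps1` file never appears in a process_creation CommandLine, so this rule covers the `-Command` one-liner case only. A companion rule on PowerShell script-block logging (EID 4104) would cover the rest, and the description should state the limitation. `sc stop`/`net stop` against the same three services in SELECTION_4–6 also go unmatched; either add them or narrow the title from "Antivirus" to the products actually named.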
@@ -0,0 +1,30 @@ +title: Suspicious System.Drawing Load +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A General detection for processes loading System.Drawing.ni.dll. This + could be an indicator of potential Screen Capture. +detection: + SELECTION_1: + EventID: 7 + SELECTION_2: + ImageLoaded: '*\System.Drawing.ni.dll' + SELECTION_3: + Image: '*\WmiPrvSE.exe' + condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3)) +falsepositives: +- unknown +id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c +level: medium +logsource: + category: image_load + product: windows +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/16 +- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html +status: experimental +tags: +- attack.collection +- attack.t1113 +yml_filename: sysmon_susp_system_drawing_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_susp_webdav_client_execution.yml b/rules/Sigma/sysmon_susp_webdav_client_execution.yml new file mode 100644 index 00000000..afc94791 --- /dev/null +++ b/rules/Sigma/sysmon_susp_webdav_client_execution.yml 
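Review bot: SELECTION_2 matches only the NGEN native image `System.Drawing.ni.dll`; on hosts where that image is absent or invalidated (after a .NET servicing update, before NGEN reruns) the process loads `System.Drawing.dll` instead as far as I know, and the rule is silent. Adding `ImageLoaded: '*\System.Drawing.dll'` as an OR sibling closes that at the cost of more benign matches that the single `WmiPrvSE.exe` exclusion in SELECTION_3 will not absorb. The falsepositives entry currently says only `unknown`; the expected noise from GUI processes should be documented there.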
@@ -0,0 +1,31 @@ +title: Suspicious WebDav Client Execution +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +description: A General detection for svchost.exe spawning rundll32.exe with command + arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an + indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\rundll32.exe' + SELECTION_3: + CommandLine: '*C:\windows\system32\davclnt.dll,DavSetCookie*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- unknown +id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 +level: medium +logsource: + category: process_creation + product: windows +references: +- https://github.com/OTRF/detection-hackathon-apt29/issues/17 +- https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html +status: experimental +tags: +- attack.exfiltration +- attack.t1048.003 +yml_filename: sysmon_susp_webdav_client_execution.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/sysmon_susp_winword_vbadll_load.yml b/rules/Sigma/sysmon_susp_winword_vbadll_load.yml new file mode 100644 index 00000000..f2259fec --- /dev/null +++ b/rules/Sigma/sysmon_susp_winword_vbadll_load.yml 
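Review bot: SELECTION_3 hard-codes `C:\windows\system32\` in front of `davclnt.dll,DavSetCookie`, so a host with a different system drive, or a command line that names the DLL without the full path, is missed; `CommandLine: '*\davclnt.dll,DavSetCookie*'` keeps the discriminating part. The falsepositives entry `unknown` could note that the same rundll32 invocation is presumably routine on hosts that use WebDAV-backed shares, which is the reason the rule sits at `level: medium`.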
@@ -0,0 +1,41 @@
+title: VBA DLL Loaded Via Microsoft Word
+author: Antonlovesdnb
+date: 2020/02/19
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\winword.exe'
+  SELECTION_3:
+    Image: '*\powerpnt.exe'
+  SELECTION_4:
+    Image: '*\excel.exe'
+  SELECTION_5:
+    Image: '*\outlook.exe'
+  SELECTION_6:
+    ImageLoaded: '*\VBE7.DLL'
+  SELECTION_7:
+    ImageLoaded: '*\VBEUI.DLL'
+  SELECTION_8:
+    ImageLoaded: '*\VBE7INTL.DLL'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+    and (SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Alerts on legitimate macro usage as well, will need to filter as appropriate
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2020/08/23
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+- attack.t1204.002
+yml_filename: sysmon_susp_winword_vbadll_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_susp_winword_wmidll_load.yml b/rules/Sigma/sysmon_susp_winword_wmidll_load.yml
new file mode 100644
index 00000000..126874d3
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_winword_wmidll_load.yml
@@ -0,0 +1,45 @@
+title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
+author: Michael R. (@nahamike01)
+date: 2019/12/26
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_10:
+    ImageLoaded: '*\wbemsvc.dll'
+  SELECTION_2:
+    Image: '*\winword.exe'
+  SELECTION_3:
+    Image: '*\powerpnt.exe'
+  SELECTION_4:
+    Image: '*\excel.exe'
+  SELECTION_5:
+    Image: '*\outlook.exe'
+  SELECTION_6:
+    ImageLoaded: '*\wmiutils.dll'
+  SELECTION_7:
+    ImageLoaded: '*\wbemcomn.dll'
+  SELECTION_8:
+    ImageLoaded: '*\wbemprox.dll'
+  SELECTION_9:
+    ImageLoaded: '*\wbemdisp.dll'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5)
+    and (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10))
+falsepositives:
+- Possible. Requires further testing.
+id: a457f232-7df9-491d-898f-b5aabd2cbe2f
+level: high
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+yml_filename: sysmon_susp_winword_wmidll_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/Sigma/sysmon_susp_wmi_consumer_namedpipe.yml
new file mode 100644
index 00000000..d240997d
--- /dev/null
+++ b/rules/Sigma/sysmon_susp_wmi_consumer_namedpipe.yml
@@ -0,0 +1,31 @@
+title: WMI Event Consumer Created Named Pipe
+author: Florian Roth
+date: 2021/09/01
+description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
+detection:
+  SELECTION_1:
+    EventID: 17
+  SELECTION_2:
+    EventID: 18
+  SELECTION_3:
+    Image: '*\scrcons.exe'
+  condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
+level: high
+logsource:
+  category: pipe_created
+  definition: Note that you have to configure logging for Named Pipe Events in Sysmon
+    config (Event ID 17 and Event ID 18). The basic configuration is in popular
+    sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
+    it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
+    https://github.com/olafhartong/sysmon-modular. How to test detection? You
+    can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+  product: windows
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+yml_filename: sysmon_susp_wmi_consumer_namedpipe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+
diff --git a/rules/Sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/Sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
new file mode 100644
index 00000000..3ddd40c1
--- /dev/null
+++ b/rules/Sigma/sysmon_suspicious_dbghelp_dbgcore_load.yml
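Review bot: This rule has no `tags:` key, while every other rule in this chunk carries ATT&CK tags; a consumer that filters or groups alerts by tactic or technique will silently drop it. The behaviour described (scrcons.exe, the WMI event consumer host, creating a named pipe) maps to `attack.persistence` / `attack.t1546.003` (WMI Event Subscription), which I would add under a `tags:` key placed before `yml_filename:` as in the neighbouring rules. The long `definition:` text also mixes Sysmon setup requirements with a pointer on how to test the detection; the testing link belongs under `references:`, leaving `definition:` to state only what the log source must provide.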
@@ -0,0 +1,99 @@
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+author: Perez Diego (@darkquassar), oscd.community, Ecco
+date: 2019/10/27
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by
+  suspicious processes. Tools like ProcessHacker and some attacker tradecract use
+  MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity
+  C2 Framework has a module that leverages this API to dump the contents of Lsass.exe
+  and transfer it over the network back to the attacker's machine.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_10:
+    Image: '*\excel.exe'
+  SELECTION_11:
+    Image: '*\powerpnt.exe'
+  SELECTION_12:
+    Image: '*\outlook.exe'
+  SELECTION_13:
+    Image: '*\monitoringhost.exe'
+  SELECTION_14:
+    Image: '*\wmic.exe'
+  SELECTION_15:
+    Image: '*\bash.exe'
+  SELECTION_16:
+    Image: '*\wscript.exe'
+  SELECTION_17:
+    Image: '*\cscript.exe'
+  SELECTION_18:
+    Image: '*\mshta.exe'
+  SELECTION_19:
+    Image: '*\regsvr32.exe'
+  SELECTION_2:
+    ImageLoaded: '*\dbghelp.dll'
+  SELECTION_20:
+    Image: '*\schtasks.exe'
+  SELECTION_21:
+    Image: '*\dnx.exe'
+  SELECTION_22:
+    Image: '*\regsvcs.exe'
+  SELECTION_23:
+    Image: '*\sc.exe'
+  SELECTION_24:
+    Image: '*\scriptrunner.exe'
+  SELECTION_25:
+    Image: '*Visual Studio*'
+  SELECTION_26:
+    ImageLoaded: '*\dbghelp.dll'
+  SELECTION_27:
+    ImageLoaded: '*\dbgcore.dll'
+  SELECTION_28:
+    Signed: 'FALSE'
+  SELECTION_29:
+    Image: '*Visual Studio*'
+  SELECTION_3:
+    ImageLoaded: '*\dbgcore.dll'
+  SELECTION_4:
+    Image: '*\msbuild.exe'
+  SELECTION_5:
+    Image: '*\cmd.exe'
+  SELECTION_6:
+    Image: '*\svchost.exe'
+  SELECTION_7:
+    Image: '*\rundll32.exe'
+  SELECTION_8:
+    Image: '*\powershell.exe'
+  SELECTION_9:
+    Image: '*\word.exe'
+  condition: (SELECTION_1 and ((((SELECTION_2 or SELECTION_3) and (SELECTION_4 or
+    SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or
+    SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+    or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
+    or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24))
+    and not (SELECTION_25)) or (((SELECTION_26 or SELECTION_27) and SELECTION_28)
+    and not (SELECTION_29))))
+falsepositives:
+- Penetration tests
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2020/08/23
+references:
+- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+yml_filename: sysmon_suspicious_dbghelp_dbgcore_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_suspicious_keyboard_layout_load.yml b/rules/Sigma/sysmon_suspicious_keyboard_layout_load.yml
new file mode 100644
index 00000000..8d37535b
--- /dev/null
+++ b/rules/Sigma/sysmon_suspicious_keyboard_layout_load.yml
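Review bot: SELECTION_9 matches `Image: '*\word.exe'`, but Microsoft Word's executable is winword.exe, which is how the Office rules earlier in this commit spell it (`Image: '*\winword.exe'` in the VBA and WMI DLL rules), so this branch of the condition can never fire; the same `'*\word.exe'` appears as SELECTION_47 in the remote-thread rule below and should be corrected there too. Separately, SELECTION_26, SELECTION_27 and SELECTION_29 duplicate SELECTION_2, SELECTION_3 and SELECTION_25 byte for byte, and collapsing them would shorten the seven-line condition and remove a source of drift between the two halves. `Signed: 'FALSE'` is a quoted string in upper case while Sysmon writes the field in lower case; confirm the engine compares this field case-insensitively, otherwise the unsigned-module branch never matches.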
@@ -0,0 +1,45 @@
+title: Suspicious Keyboard Layout Load
+author: Florian Roth
+date: 2019/10/12
+description: Detects the keyboard preload installation with a suspicious keyboard
+  layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
+  maintained by US staff only
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\Keyboard Layout\Preload\\*'
+  SELECTION_5:
+    TargetObject: '*\Keyboard Layout\Substitutes\\*'
+  SELECTION_6:
+    Details: '*00000429*'
+  SELECTION_7:
+    Details: '*00050429*'
+  SELECTION_8:
+    Details: '*0000042a*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
+    and (SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- Administrators or users that actually use the selected keyboard layouts (heavily
+  depends on the organisation's user base)
+id: 34aa0252-6039-40ff-951f-939fd6ce47d8
+level: medium
+logsource:
+  category: registry_event
+  definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload
+    subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
+  product: windows
+modified: 2019/10/15
+references:
+- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
+- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
+tags:
+- attack.resource_development
+- attack.t1588.002
+yml_filename: sysmon_suspicious_keyboard_layout_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/Sigma/sysmon_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 00000000..06f07681
--- /dev/null
+++ b/rules/Sigma/sysmon_suspicious_outbound_kerberos_connection.yml
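Review bot: The `definition:` text says the Sysmon config must monitor the `\Keyboard Layout\Preload` subkey of the "HKLU hives"; there is no HKLU hive — the per-user keyboard layout keys live under HKEY_CURRENT_USER, as the first reference URL itself shows, so `HKLU` should read `HKCU`. The description also promises detection of a Chinese layout, yet SELECTION_6 to SELECTION_8 only carry the identifiers 00000429, 00050429 and 0000042a (Persian and Vietnamese layouts); either add the Chinese layout identifiers the rule is meant to cover or drop "Chinese" from the description so the stated coverage matches the logic. Since the layout list is site-specific by design, a short comment in the description saying the Details values are an example set to be tuned per organisation would help the next maintainer.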
@@ -0,0 +1,43 @@
+title: Suspicious Outbound Kerberos Connection
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+description: Detects suspicious outbound network activity via kerberos default port
+  indicating possible lateral movement or first stage PrivEsc via delegation.
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    DestinationPort: 88
+  SELECTION_3:
+    Initiated: 'true'
+  SELECTION_4:
+    Image: '*\lsass.exe'
+  SELECTION_5:
+    Image: '*\opera.exe'
+  SELECTION_6:
+    Image: '*\chrome.exe'
+  SELECTION_7:
+    Image: '*\firefox.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+    or SELECTION_5 or SELECTION_6 or SELECTION_7)))
+falsepositives:
+- Other browsers
+id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://github.com/GhostPack/Rubeus
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1558
+- attack.t1208
+- attack.lateral_movement
+- attack.t1550.003
+- attack.t1097
+yml_filename: sysmon_suspicious_outbound_kerberos_connection.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_suspicious_powershell_profile_create.yml b/rules/Sigma/sysmon_suspicious_powershell_profile_create.yml
new file mode 100644
index 00000000..db63e1cd
--- /dev/null
+++ b/rules/Sigma/sysmon_suspicious_powershell_profile_create.yml
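Review bot: The `tags:` list mixes current technique IDs with their retired predecessors — `attack.t1208` was superseded by T1558.003 and `attack.t1097` by T1550.003, both of which already appear here — so any tooling that maps tags to the current ATT&CK matrix will either warn or count the rule twice. The same mixing occurs in the svchost DLL search order hijack rule below (`attack.t1073` / `attack.t1038` beside `attack.t1574.002` / `attack.t1574.001`) and in the sdclt rule (`attack.t1088` beside `attack.t1548.002`); dropping the retired IDs in all three keeps the tag set consistent with the rest of the commit. `Initiated: 'true'` is a quoted string rather than a boolean, which is the usual Sigma convention for this Sysmon field and presumably intended; a brief comment saying so would prevent a future "cleanup" to a YAML boolean.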
@@ -0,0 +1,32 @@
+title: Powershell Profile.ps1 Modification
+author: HieuTT35
+date: 2019/10/24
+description: Detects a change in profile.ps1 of the Powershell profile
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: '*\profile.ps1*'
+  SELECTION_3:
+    TargetFilename: '*\My Documents\PowerShell\\*'
+  SELECTION_4:
+    TargetFilename: '*C:\Windows\System32\WindowsPowerShell\v1.0\\*'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- System administrator create Powershell profile manually
+id: b5b78988-486d-4a80-b991-930eff3ff8bf
+level: high
+logsource:
+  category: file_event
+  product: windows
+modified: 2020/08/24
+references:
+- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
+status: experimental
+tags:
+- attack.persistence
+- attack.privilege_escalation
+- attack.t1546.013
+yml_filename: sysmon_suspicious_powershell_profile_create.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_suspicious_remote_thread.yml b/rules/Sigma/sysmon_suspicious_remote_thread.yml
new file mode 100644
index 00000000..293d392a
--- /dev/null
+++ b/rules/Sigma/sysmon_suspicious_remote_thread.yml
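Review bot: SELECTION_3 matches `TargetFilename: '*\My Documents\PowerShell\\*'`, but on current Windows the user profile folder is named `Documents` (`My Documents` is a legacy junction that file-create events are not expected to report) and Windows PowerShell keeps its per-user profile under `\Documents\WindowsPowerShell\`; as written, the user-scope branch would presumably miss a real profile drop — TODO confirm against a Sysmon EventID 11 sample from a current build. If confirmed, a pattern such as `TargetFilename: '*\Documents\WindowsPowerShell\\*'` (and a sibling for the `\Documents\PowerShell\` folder used by newer PowerShell) restores the intended coverage. The `falsepositives` entry `- System administrator create Powershell profile manually` should read `creates`.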
@@ -0,0 +1,144 @@
+title: Suspicious Remote Thread Created
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
+  however, this is still largely observed in the wild. This rule aims to detect
+  suspicious processes (those we would not expect to behave in this way like word.exe
+  or outlook.exe) creating remote threads on other processes. It is a generalistic
+  rule, but it should have a low FP ratio due to the selected range of processes.
+detection:
+  SELECTION_1:
+    EventID: 8
+  SELECTION_10:
+    SourceImage: '*\find.exe'
+  SELECTION_11:
+    SourceImage: '*\findstr.exe'
+  SELECTION_12:
+    SourceImage: '*\forfiles.exe'
+  SELECTION_13:
+    SourceImage: '*\git.exe'
+  SELECTION_14:
+    SourceImage: '*\gpupdate.exe'
+  SELECTION_15:
+    SourceImage: '*\hh.exe'
+  SELECTION_16:
+    SourceImage: '*\iexplore.exe'
+  SELECTION_17:
+    SourceImage: '*\installutil.exe'
+  SELECTION_18:
+    SourceImage: '*\lync.exe'
+  SELECTION_19:
+    SourceImage: '*\makecab.exe'
+  SELECTION_2:
+    SourceImage: '*\bash.exe'
+  SELECTION_20:
+    SourceImage: '*\mDNSResponder.exe'
+  SELECTION_21:
+    SourceImage: '*\monitoringhost.exe'
+  SELECTION_22:
+    SourceImage: '*\msbuild.exe'
+  SELECTION_23:
+    SourceImage: '*\mshta.exe'
+  SELECTION_24:
+    SourceImage: '*\msiexec.exe'
+  SELECTION_25:
+    SourceImage: '*\mspaint.exe'
+  SELECTION_26:
+    SourceImage: '*\outlook.exe'
+  SELECTION_27:
+    SourceImage: '*\ping.exe'
+  SELECTION_28:
+    SourceImage: '*\powerpnt.exe'
+  SELECTION_29:
+    SourceImage: '*\powershell.exe'
+  SELECTION_3:
+    SourceImage: '*\cvtres.exe'
+  SELECTION_30:
+    SourceImage: '*\provtool.exe'
+  SELECTION_31:
+    SourceImage: '*\python.exe'
+  SELECTION_32:
+    SourceImage: '*\regsvr32.exe'
+  SELECTION_33:
+    SourceImage: '*\robocopy.exe'
+  SELECTION_34:
+    SourceImage: '*\runonce.exe'
+  SELECTION_35:
+    SourceImage: '*\sapcimc.exe'
+  SELECTION_36:
+    SourceImage: '*\schtasks.exe'
+  SELECTION_37:
+    SourceImage: '*\smartscreen.exe'
+  SELECTION_38:
+    SourceImage: '*\spoolsv.exe'
+  SELECTION_39:
+    SourceImage: '*\tstheme.exe'
+  SELECTION_4:
+    SourceImage: '*\defrag.exe'
+  SELECTION_40:
+    SourceImage: '*\userinit.exe'
+  SELECTION_41:
+    SourceImage: '*\vssadmin.exe'
+  SELECTION_42:
+    SourceImage: '*\vssvc.exe'
+  SELECTION_43:
+    SourceImage: '*\w3wp.exe'
+  SELECTION_44:
+    SourceImage: '*\winlogon.exe'
+  SELECTION_45:
+    SourceImage: '*\winscp.exe'
+  SELECTION_46:
+    SourceImage: '*\wmic.exe'
+  SELECTION_47:
+    SourceImage: '*\word.exe'
+  SELECTION_48:
+    SourceImage: '*\wscript.exe'
+  SELECTION_49:
+    SourceImage: '*Visual Studio*'
+  SELECTION_5:
+    SourceImage: '*\dnx.exe'
+  SELECTION_6:
+    SourceImage: '*\esentutl.exe'
+  SELECTION_7:
+    SourceImage: '*\excel.exe'
+  SELECTION_8:
+    SourceImage: '*\expand.exe'
+  SELECTION_9:
+    SourceImage: '*\explorer.exe'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
+    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
+    or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
+    or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
+    or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
+    or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
+    or SELECTION_46 or SELECTION_47 or SELECTION_48) and not (SELECTION_49))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- SourceImage
+- TargetImage
+id: 66d31e5f-52d6-40a4-9615-002d3789a119
+level: high
+logsource:
+  category: create_remote_thread
+  product: windows
+modified: 2021/06/27
+notes:
+- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite
+  for process injection for .NET in-memory offensive tools.
+references:
+- Personal research, statistical analysis
+- https://lolbas-project.github.io
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.defense_evasion
+- attack.t1055
+yml_filename: sysmon_suspicious_remote_thread.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/create_remote_thread
+
diff --git a/rules/Sigma/sysmon_svchost_cred_dump.yml b/rules/Sigma/sysmon_svchost_cred_dump.yml
new file mode 100644
index 00000000..c97584fa
--- /dev/null
+++ b/rules/Sigma/sysmon_svchost_cred_dump.yml
@@ -0,0 +1,30 @@
+title: SVCHOST Credential Dump
+author: Florent Labouyrie
+date: 2021/04/30
+description: Detects when a process, such as mimikatz, accesses the memory of svchost
+  to dump credentials
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\svchost.exe'
+  SELECTION_3:
+    GrantedAccess: '0x143a'
+  SELECTION_4:
+    SourceImage: '*\services.exe'
+  SELECTION_5:
+    SourceImage: '*\msiexec.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4
+    or SELECTION_5)))
+falsepositives:
+- Non identified legit exectubale
+id: 174afcfa-6e40-4ae9-af64-496546389294
+level: critical
+logsource:
+  category: process_access
+  product: windows
+tags:
+- attack.t1548
+yml_filename: sysmon_svchost_cred_dump.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_svchost_dll_search_order_hijack.yml b/rules/Sigma/sysmon_svchost_dll_search_order_hijack.yml
new file mode 100644
index 00000000..a0681d0b
--- /dev/null
+++ b/rules/Sigma/sysmon_svchost_dll_search_order_hijack.yml
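Review bot: The only tag on the SVCHOST Credential Dump rule is `attack.t1548` (Abuse Elevation Control Mechanism), which does not describe what the title, description and the `GrantedAccess: '0x143a'` process-access logic detect — reading svchost memory to obtain credentials; `attack.credential_access` and `attack.t1003`, as used by the dbghelp/dbgcore rule above, would classify it correctly and let it be grouped with the other dumping detections. `level: critical` with a `falsepositives` entry of `- Non identified legit exectubale` (typo for `executable`) is a strong claim for a rule whose exclusions are two image names; a short note in the description on why `*\services.exe` and `*\msiexec.exe` are exempted would make that tuning reviewable. The rule also has no `references:` or `status:` key, unlike its siblings.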
@@ -0,0 +1,44 @@
+title: Svchost DLL Search Order Hijack
+author: SBousseaden
+date: 2019/10/28
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that
+  do not exist within C:\Windows\System32\ by default. An attacker can place their
+  malicious logic within the PROCESS_ATTACH block of their library and restart the
+  aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote
+  machine.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\svchost.exe'
+  SELECTION_3:
+    ImageLoaded: '*\tsmsisrv.dll'
+  SELECTION_4:
+    ImageLoaded: '*\tsvipsrv.dll'
+  SELECTION_5:
+    ImageLoaded: '*\wlbsctrl.dll'
+  SELECTION_6:
+    ImageLoaded: C:\Windows\WinSxS\\*
+  condition: (SELECTION_1 and ((SELECTION_2) and (SELECTION_3 or SELECTION_4 or
+    SELECTION_5)) and not ((SELECTION_6)))
+falsepositives:
+- Pentest
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2020/08/23
+references:
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+- attack.t1038
+- attack.t1574.001
+yml_filename: sysmon_svchost_dll_search_order_hijack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/Sigma/sysmon_sysinternals_sdelete_file_deletion.yml
new file mode 100644
index 00000000..597865e3
--- /dev/null
+++ b/rules/Sigma/sysmon_sysinternals_sdelete_file_deletion.yml
@@ -0,0 +1,32 @@
+title: Sysinternals SDelete File Deletion
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection to trigger for the deletion of files by Sysinternals
+  SDelete. It looks for the common name pattern used to rename files.
+detection:
+  SELECTION_1:
+    EventID: 23
+  SELECTION_2:
+    EventID: 26
+  SELECTION_3:
+    TargetFilename: '*.AAA'
+  SELECTION_4:
+    TargetFilename: '*.ZZZ'
+  condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Legitime usage of SDelete
+id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
+level: medium
+logsource:
+  category: file_delete
+  product: windows
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/9
+- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
+yml_filename: sysmon_sysinternals_sdelete_file_deletion.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
+
diff --git a/rules/Sigma/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/Sigma/sysmon_sysinternals_sdelete_registry_keys.yml
new file mode 100644
index 00000000..8e44b9b5
--- /dev/null
+++ b/rules/Sigma/sysmon_sysinternals_sdelete_registry_keys.yml
@@ -0,0 +1,33 @@
+title: Sysinternals SDelete Registry Keys
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete
+  registry keys. Indicators of the use of Sysinternals SDelete tool.
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\Software\Sysinternals\SDelete*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- unknown
+id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+level: medium
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/05/12
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/9
+- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.004
+yml_filename: sysmon_sysinternals_sdelete_registry_keys.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_taskcache_entry.yml b/rules/Sigma/sysmon_taskcache_entry.yml
new file mode 100644
index 00000000..c91f0840
--- /dev/null
+++ b/rules/Sigma/sysmon_taskcache_entry.yml
@@ -0,0 +1,34 @@
+title: New TaskCache Entry
+author: Syed Hasan (@syedhasan009)
+date: 2021/06/18
+description: Monitor the creation of a new key under 'TaskCache' when a new scheduled
+  task is registered
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    EventType: SetValue
+  SELECTION_5:
+    TargetObject: '*SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\\*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
+level: medium
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/07/27
+references:
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+tags:
+- attack.persistence
+- attack.t1053
+- attack.t1053.005
+yml_filename: sysmon_taskcache_entry.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_tsclient_filewrite_startup.yml b/rules/Sigma/sysmon_tsclient_filewrite_startup.yml
new file mode 100644
index 00000000..7314e677
--- /dev/null
+++ b/rules/Sigma/sysmon_tsclient_filewrite_startup.yml
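Review bot: The condition ANDs `EventType: SetValue` (SELECTION_4) with EventID 12, 13 or 14, but in Sysmon only EventID 13 (RegistryEvent Value Set) carries EventType SetValue; SELECTION_1 (EventID 12) and SELECTION_3 (EventID 14) are therefore dead branches, and the title and description's "creation of a new key" is not what the rule fires on. Either keep `EventID: 13` alone and retitle the rule to value writes under `TaskCache\Tree`, or drop SELECTION_4 so that key creation (EventID 12, EventType CreateKey) is covered as described. Whichever is chosen, a one-line comment in the description stating which Sysmon event the rule expects would stop the next maintainer from re-adding the unreachable IDs.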
@@ -0,0 +1,27 @@
+title: Hijack Legit RDP Session to Move Laterally
+author: Samir Bousseaden
+date: 2019/02/21
+description: Detects the usage of tsclient share to place a backdoor on the RDP source
+  machine's startup folder
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    Image: '*\mstsc.exe'
+  SELECTION_3:
+    TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 52753ea4-b3a0-4365-910d-36cff487b789
+level: high
+logsource:
+  category: file_event
+  product: windows
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1219
+yml_filename: sysmon_tsclient_filewrite_startup.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_tttracer_mod_load.yml b/rules/Sigma/sysmon_tttracer_mod_load.yml
new file mode 100644
index 00000000..671a76fd
--- /dev/null
+++ b/rules/Sigma/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,36 @@
+title: Time Travel Debugging Utility Usage
+author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
+date: 2020/10/06
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
+  malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded: '*\ttdrecord.dll'
+  SELECTION_3:
+    ImageLoaded: '*\ttdwriter.dll'
+  SELECTION_4:
+    ImageLoaded: '*\ttdloader.dll'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- Legitimate usage by software developers/testers
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/09/21
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+- https://twitter.com/mattifestation/status/1196390321783025666
+- https://twitter.com/oulusoyum/status/1191329746069655553
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.credential_access
+- attack.t1218
+- attack.t1003.001
+yml_filename: sysmon_tttracer_mod_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_uac_bypass_consent_comctl32.yml b/rules/Sigma/sysmon_uac_bypass_consent_comctl32.yml
new file mode 100644
index 00000000..ecb9722c
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_consent_comctl32.yml
@@ -0,0 +1,30 @@
+title: UAC Bypass Using Consent and Comctl32 - File
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
+  (UACMe 22)
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: C:\Windows\System32\consent.exe.@*
+  SELECTION_3:
+    TargetFilename: '*\comctl32.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
+level: high
+logsource:
+  category: file_event
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_consent_comctl32.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_dotnet_profiler.yml b/rules/Sigma/sysmon_uac_bypass_dotnet_profiler.yml
new file mode 100644
index 00000000..e74b346e
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_dotnet_profiler.yml
@@ -0,0 +1,30 @@
+title: UAC Bypass Using .NET Code Profiler on MMC
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe
+  DLL hijacking (UACMe 39)
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: C:\Users\\*
+  SELECTION_3:
+    TargetFilename: '*\AppData\Local\Temp\pe386.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 93a19907-d4f9-4deb-9f91-aac4692776a6
+level: high
+logsource:
+  category: file_event
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_dotnet_profiler.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_ieinstal.yml b/rules/Sigma/sysmon_uac_bypass_ieinstal.yml
new file mode 100644
index 00000000..d1f02441
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_ieinstal.yml
@@ -0,0 +1,33 @@
+title: UAC Bypass Using IEInstal - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    Image: C:\Program Files\Internet Explorer\IEInstal.exe
+  SELECTION_3:
+    TargetFilename: C:\Users\\*
+  SELECTION_4:
+    TargetFilename: '*\AppData\Local\Temp\\*'
+  SELECTION_5:
+    TargetFilename: '*consent.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- Unknown
+id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
+level: high
+logsource:
+  category: file_event
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_ieinstal.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_msconfig_gui.yml b/rules/Sigma/sysmon_uac_bypass_msconfig_gui.yml
new file mode 100644
index 00000000..8e96834b
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_msconfig_gui.yml
@@ -0,0 +1,29 @@
+title: UAC Bypass Using MSConfig Token Modification - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: C:\Users\\*
+  SELECTION_3:
+    TargetFilename: '*\AppData\Local\Temp\pkgmgr.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 41bb431f-56d8-4691-bb56-ed34e390906f
+level: high
+logsource:
+  category: file_event
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_msconfig_gui.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/Sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
new file mode 100644
index 00000000..8b695308
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_ntfs_reparse_point.yml
@@ -0,0 +1,30 @@
+title: UAC Bypass Using NTFS Reparse Point - File
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
+  DLL hijacking (UACMe 36)
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    TargetFilename: C:\Users\\*
+  SELECTION_3:
+    TargetFilename: '*\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
+level: high
+logsource:
+  category: file_event
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_ntfs_reparse_point.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_sdclt.yml b/rules/Sigma/sysmon_uac_bypass_sdclt.yml
new file mode 100644
index 00000000..3a4485c1
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_sdclt.yml
@@ -0,0 +1,41 @@
+title: UAC Bypass via Sdclt
+author: Omer Yampel, Christian Burkard
+date: 2017/03/17
+description: Detects the pattern of UAC Bypass using registry key manipulation of
+  sdclt.exe (e.g. UACMe 53)
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*Software\Classes\exefile\shell\runas\command\isolatedCommand'
+  SELECTION_5:
+    TargetObject: '*Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
+  SELECTION_6:
+    Details: '*-1???\Software\Classes\\*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or (SELECTION_5
+    and SELECTION_6)))
+falsepositives:
+- unknown
+id: 5b872a46-3b90-45c1-8419-f675db8053aa
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/09/17
+references:
+- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1088
+- attack.t1548.002
+- car.2019-04-001
+yml_filename: sysmon_uac_bypass_sdclt.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_shell_open.yml b/rules/Sigma/sysmon_uac_bypass_shell_open.yml
new file mode 100644
index 00000000..c3a67949
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_shell_open.yml
@@ -0,0 +1,53 @@
+title: UAC Bypass Using Registry Shell Open Keys
+author: Christian Burkard
+date: 2021/08/30
+description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe,
+  slui.exe via registry keys (e.g. UACMe 33 or 62)
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_10:
+    TargetObject: '*Classes\ms-settings\shell\open\command\(Default)'
+  SELECTION_11:
+    TargetObject: '*Classes\exefile\shell\open\command\(Default)'
+  SELECTION_12:
+    Details: (Empty)
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*Classes\ms-settings\shell\open\command\SymbolicLinkValue'
+  SELECTION_5:
+    Details: '*\Software\Classes\{*'
+  SELECTION_6:
+    TargetObject: '*Classes\ms-settings\shell\open\command\DelegateExecute'
+  SELECTION_7:
+    EventID: 12
+  SELECTION_8:
+    EventID: 13
+  SELECTION_9:
+    EventID: 14
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
+    SELECTION_5) or SELECTION_6) or ((SELECTION_7 or SELECTION_8 or SELECTION_9)
+    and (SELECTION_10 or SELECTION_11) and not (SELECTION_12))))
+falsepositives:
+- Unknown
+id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/09/17
+references:
+- https://github.com/hfiref0x/UACME
+- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
+- https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_shell_open.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_uac_bypass_via_dism.yml b/rules/Sigma/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 00000000..a1431719
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_via_dism.yml
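Review bot: SELECTION_7, SELECTION_8 and SELECTION_9 repeat the EventID 12/13/14 test that SELECTION_1–3 already apply to the whole condition, so the `(SELECTION_7 or SELECTION_8 or SELECTION_9) and` term is redundant and could be dropped without changing what matches. The same converter artefact appears in sysmon_webshell_creation_detect.yml (SELECTION_6/7, 12/13 and 17/18 are identical Temp exclusions, and SELECTION_5 duplicates SELECTION_11), sysmon_win_reg_persistence.yml (SELECTION_7 and SELECTION_9), sysmon_wmi_susp_scripting.yml (SELECTION_4/7, 5/8 and, under case-insensitive matching, 11/16) and sysmon_wsman_provider_image_load.yml (SELECTION_2 repeats SELECTION_1). If the generator cannot deduplicate, a comment above `detection:` such as `# one SELECTION_n per list entry of the upstream Sigma rule; duplicates are expected` would stop readers from hunting for a semantic difference between identical selections.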
@@ -0,0 +1,32 @@
+title: UAC Bypass With Fake DLL
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+description: Attempts to load dismcore.dll after dropping it
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\dism.exe'
+  SELECTION_3:
+    ImageLoaded: '*\dismcore.dll'
+  condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3))
+falsepositives:
+- Pentests
+- Actions of a legitimate telnet client
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+level: high
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+- attack.t1574.002
+yml_filename: sysmon_uac_bypass_via_dism.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_uac_bypass_wow64_logger.yml b/rules/Sigma/sysmon_uac_bypass_wow64_logger.yml
new file mode 100644
index 00000000..1e8d3e41
--- /dev/null
+++ b/rules/Sigma/sysmon_uac_bypass_wow64_logger.yml
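Review bot: The second `falsepositives` entry, `- Actions of a legitimate telnet client`, has nothing to do with dism.exe loading dismcore.dll and looks carried over from another rule; it should be replaced or removed so analysts are not sent looking for telnet. More substantively, SELECTION_3 (`'*\dismcore.dll'`) accepts the DLL from any directory, so nothing in the rule distinguishes a dropped copy (which the description targets) from the OS's own dismcore.dll loaded during normal servicing, and at `level: high` that is likely to be noisy; excluding the system Dism directory from ImageLoaded, or requiring a user-writable path, would tighten it. The `(SELECTION_2)` and `(SELECTION_3)` parentheses around single terms are also just noise.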
@@ -0,0 +1,32 @@
+title: UAC Bypass Using WOW64 Logger DLL Hijack
+author: Christian Burkard
+date: 2021/08/23
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
+  30)
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    SourceImage: '*:\Windows\SysWOW64\\*'
+  SELECTION_3:
+    GrantedAccess: '0x1fffff'
+  SELECTION_4:
+    CallTrace: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
+level: high
+logsource:
+  category: process_access
+  product: windows
+references:
+- https://github.com/hfiref0x/UACME
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1548.002
+yml_filename: sysmon_uac_bypass_wow64_logger.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
+
diff --git a/rules/Sigma/sysmon_uipromptforcreds_dlls.yml b/rules/Sigma/sysmon_uipromptforcreds_dlls.yml
new file mode 100644
index 00000000..c7763031
--- /dev/null
+++ b/rules/Sigma/sysmon_uipromptforcreds_dlls.yml
@@ -0,0 +1,36 @@
+title: UIPromptForCredentials DLLs
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects potential use of UIPromptForCredentials functions by looking
+  for some of the DLLs needed for it.
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    ImageLoaded: '*\credui.dll'
+  SELECTION_3:
+    ImageLoaded: '*\wincredui.dll'
+  SELECTION_4:
+    OriginalFileName: credui.dll
+  SELECTION_5:
+    OriginalFileName: wincredui.dll
+  condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 or SELECTION_5)))
+falsepositives:
+- other legitimate processes loading those DLLs in your environment.
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+level: medium
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+status: experimental
+tags:
+- attack.credential_access
+- attack.collection
+- attack.t1056.002
+yml_filename: sysmon_uipromptforcreds_dlls.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_uninstall_crowdstrike_falcon.yml b/rules/Sigma/sysmon_uninstall_crowdstrike_falcon.yml
new file mode 100644
index 00000000..c8f1cdf3
--- /dev/null
+++ b/rules/Sigma/sysmon_uninstall_crowdstrike_falcon.yml
@@ -0,0 +1,36 @@
+title: Uninstall Crowdstrike Falcon
+author: frack113
+date: 2021/07/12
+description: Adversaries may disable security tools to avoid possible detection of
+  their tools and activities by uninstalling Crowdstrike Falcon
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine: '*\WindowsSensor.exe*'
+  SELECTION_3:
+    CommandLine: '* /uninstall*'
+  SELECTION_4:
+    CommandLine: '* /quiet*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Uninstall by admin
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: f0f7be61-9cf5-43be-9836-99d6ef448a18
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562.001
+yml_filename: sysmon_uninstall_crowdstrike_falcon.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/Sigma/sysmon_unsigned_image_loaded_into_lsass.yml
new file mode 100644
index 00000000..18569ea9
--- /dev/null
+++ b/rules/Sigma/sysmon_unsigned_image_loaded_into_lsass.yml
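Review bot: SELECTION_4 (`'* /quiet*'`) is mandatory in the condition, so a `WindowsSensor.exe /uninstall` invocation without the quiet switch is not matched even though it removes the sensor just the same. The referenced Atomic test uses both switches, so this may be deliberate, but for a defense-evasion rule the quiet flag is better treated as optional, e.g. `condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)`. The falsepositives entry `- Uninstall by admin` already covers the interactive case, so the broader condition does not change the triage story.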
@@ -0,0 +1,30 @@
+title: Unsigned Image Loaded Into LSASS Process
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+description: Loading unsigned image (DLL, EXE) into LSASS process
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\lsass.exe'
+  SELECTION_3:
+    Signed: 'false'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Valid user connecting using RDP
+id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
+level: medium
+logsource:
+  category: image_load
+  product: windows
+modified: 2020/08/23
+references:
+- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+yml_filename: sysmon_unsigned_image_loaded_into_lsass.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_vmtoolsd_susp_child_process.yml b/rules/Sigma/sysmon_vmtoolsd_susp_child_process.yml
new file mode 100644
index 00000000..5c1c7b07
--- /dev/null
+++ b/rules/Sigma/sysmon_vmtoolsd_susp_child_process.yml
@@ -0,0 +1,55 @@
+title: VMToolsd Suspicious Child Process
+author: behops, Bhabesh Raj
+date: 2021/10/08
+description: Detects suspicious child process creations of VMware Tools process which
+  may indicate persistence setup
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_10:
+    CommandLine: '*\VMware\VMware Tools\poweroff-vm-default.bat*'
+  SELECTION_11:
+    CommandLine: '*\VMware\VMware Tools\resume-vm-default.bat*'
+  SELECTION_12:
+    CommandLine: '*\VMware\VMware Tools\suspend-vm-default.bat*'
+  SELECTION_2:
+    ParentImage: '*\vmtoolsd.exe'
+  SELECTION_3:
+    Image: '*\cmd.exe'
+  SELECTION_4:
+    Image: '*\powershell.exe'
+  SELECTION_5:
+    Image: '*\rundll32.exe'
+  SELECTION_6:
+    Image: '*\regsvr32.exe'
+  SELECTION_7:
+    Image: '*\wscript.exe'
+  SELECTION_8:
+    Image: '*\cscript.exe'
+  SELECTION_9:
+    CommandLine: '*\VMware\VMware Tools\poweron-vm-default.bat*'
+  condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8)) and not ((SELECTION_9 or SELECTION_10
+    or SELECTION_11 or SELECTION_12)))
+falsepositives:
+- Legitimate use by adminstrator
+fields:
+- CommandLine
+- ParentCommandLine
+- Details
+id: 5687f942-867b-4578-ade7-1e341c46e99a
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/10/10
+references:
+- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
+status: experimental
+tags:
+- attack.execution
+- attack.persistence
+- attack.t1059
+yml_filename: sysmon_vmtoolsd_susp_child_process.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/sysmon_volume_shadow_copy_service_keys.yml b/rules/Sigma/sysmon_volume_shadow_copy_service_keys.yml
new file mode 100644
index 00000000..8f3f5bec
--- /dev/null
+++ b/rules/Sigma/sysmon_volume_shadow_copy_service_keys.yml
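Review bot: `- Legitimate use by adminstrator` in `falsepositives` misspells `administrator`. The `fields` list also names `Details`, which is a registry-event attribute rather than something a Sysmon Event ID 1 process-creation record carries, so it will render empty in any alert view built from this list; `Image` and `ParentImage` would be the useful additions here, since the condition keys on exactly those two.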
@@ -0,0 +1,36 @@
+title: Volume Shadow Copy Service Keys
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+description: Detects the volume shadow copy service initialization and processing.
+  Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume
+  are captured.
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*System\CurrentControlSet\Services\VSS*'
+  SELECTION_5:
+    TargetObject: '*System\CurrentControlSet\Services\VSS\Start*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
+    (SELECTION_5))
+falsepositives:
+- Other services accessing that key or sub keys
+id: 5aad0995-46ab-41bd-a9ff-724f41114971
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/06/02
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003.002
+yml_filename: sysmon_volume_shadow_copy_service_keys.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_wab_dllpath_reg_change.yml b/rules/Sigma/sysmon_wab_dllpath_reg_change.yml
new file mode 100644
index 00000000..82dd090c
--- /dev/null
+++ b/rules/Sigma/sysmon_wab_dllpath_reg_change.yml
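Review bot: The description writes the registry path with doubled backslashes (`HKLM\\System\\CurrentControlSet\\Services\\VSS\\...`) inside a plain scalar, where a backslash is not an escape character, so the rendered text shows `\\` literally; single backslashes, as used in the TargetObject patterns below it, would read correctly. Separately, the `not (SELECTION_5)` exclusion only removes writes to `...\VSS\Start*`, so every other registry event under `Services\VSS` still fires, which the falsepositives entry acknowledges but which sits uneasily with `level: high`; a comment above `condition:` stating that the rule is intentionally broad and meant for hunting rather than alerting would set expectations.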
@@ -0,0 +1,37 @@
+title: Execution DLL of Choice Using WAB.EXE
+author: oscd.community, Natalia Shornikova
+date: 2020/10/13
+description: This rule detects that the path to the DLL written in the registry is
+  different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\Software\Microsoft\WAB\DLLPath'
+  SELECTION_5:
+    Details: '%CommonProgramFiles%\System\wab32.dll'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and not
+    (SELECTION_5))
+falsepositives:
+- Unknown
+id: fc014922-5def-4da9-a0fc-28c973f41bfb
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/05/21
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
+- https://twitter.com/Hexacorn/status/991447379864932352
+- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: sysmon_wab_dllpath_reg_change.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_wdigest_enable_uselogoncredential.yml b/rules/Sigma/sysmon_wdigest_enable_uselogoncredential.yml
new file mode 100644
index 00000000..14c7b43e
--- /dev/null
+++ b/rules/Sigma/sysmon_wdigest_enable_uselogoncredential.yml
@@ -0,0 +1,33 @@
+title: Wdigest Enable UseLogonCredential
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects potential malicious modification of the property value of UseLogonCredential
+  from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable
+  clear-text credentials
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*WDigest\UseLogonCredential'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Unknown
+id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
+level: high
+logsource:
+  category: registry_event
+  product: windows
+modified: 2021/05/27
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+yml_filename: sysmon_wdigest_enable_uselogoncredential.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_webshell_creation_detect.yml b/rules/Sigma/sysmon_webshell_creation_detect.yml
new file mode 100644
index 00000000..431faddd
--- /dev/null
+++ b/rules/Sigma/sysmon_webshell_creation_detect.yml
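Review bot: The condition fires on any registry event touching `*WDigest\UseLogonCredential` regardless of the value written, so it also triggers when an administrator sets the value to 0 to harden a host, while the title and description promise detection of enabling. If the enable case is what matters, add a value selection and require it, e.g. `SELECTION_5:` / `Details: DWORD (0x00000001)` and `condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)`; as far as I recall only Sysmon Event ID 13 value-set records carry Details, so the EventID alternatives would then effectively reduce to SELECTION_2. If the broader "any change" behaviour is intended, the description should say so rather than "to enable clear-text credentials".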
@@ -0,0 +1,65 @@
+title: Windows Webshell Creation
+author: Beyu Denis, oscd.community
+date: 2019/10/22
+description: Possible webshell file creation on a static web site
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_10:
+    TargetFilename: '*\html\\*'
+  SELECTION_11:
+    TargetFilename: '*.ph*'
+  SELECTION_12:
+    TargetFilename: '*\AppData\Local\Temp\\*'
+  SELECTION_13:
+    TargetFilename: '*\Windows\Temp\\*'
+  SELECTION_14:
+    TargetFilename: '*.jsp'
+  SELECTION_15:
+    TargetFilename: '*\cgi-bin\\*'
+  SELECTION_16:
+    TargetFilename: '*.pl*'
+  SELECTION_17:
+    TargetFilename: '*\AppData\Local\Temp\\*'
+  SELECTION_18:
+    TargetFilename: '*\Windows\Temp\\*'
+  SELECTION_2:
+    TargetFilename: '*\inetpub\wwwroot\\*'
+  SELECTION_3:
+    TargetFilename: '*.asp*'
+  SELECTION_4:
+    TargetFilename: '*.ashx*'
+  SELECTION_5:
+    TargetFilename: '*.ph*'
+  SELECTION_6:
+    TargetFilename: '*\AppData\Local\Temp\\*'
+  SELECTION_7:
+    TargetFilename: '*\Windows\Temp\\*'
+  SELECTION_8:
+    TargetFilename: '*\www\\*'
+  SELECTION_9:
+    TargetFilename: '*\htdocs\\*'
+  condition: (SELECTION_1 and ((((SELECTION_2 and (SELECTION_3 or SELECTION_4 or
+    SELECTION_5)) and not ((SELECTION_6 or SELECTION_7))) or (((SELECTION_8 or
+    SELECTION_9 or SELECTION_10) and SELECTION_11) and not ((SELECTION_12 or
+    SELECTION_13)))) or ((SELECTION_14 or (SELECTION_15 and SELECTION_16)) and not
+    ((SELECTION_17 or SELECTION_18)))))
+falsepositives:
+- Legitimate administrator or developer creating legitimate executable files in a
+  web application folder
+id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
+level: critical
+logsource:
+  category: file_event
+  product: windows
+modified: 2020/08/23
+references:
+- PT ESC rule and personal experience
+status: experimental
+tags:
+- attack.persistence
+- attack.t1100
+- attack.t1505.003
+yml_filename: sysmon_webshell_creation_detect.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_win_binary_github_com.yml b/rules/Sigma/sysmon_win_binary_github_com.yml
new file mode 100644
index 00000000..5c43108e
--- /dev/null
+++ b/rules/Sigma/sysmon_win_binary_github_com.yml
@@ -0,0 +1,39 @@
+title: Microsoft Binary Github Communication
+author: Michael Haag (idea), Florian Roth (rule)
+date: 2017/08/24
+description: Detects an executable in the Windows folder accessing github.com
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Initiated: 'true'
+  SELECTION_3:
+    DestinationHostname: '*.github.com'
+  SELECTION_4:
+    DestinationHostname: '*.githubusercontent.com'
+  SELECTION_5:
+    Image: C:\Windows\\*
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Unknown
+- '@subTee in your network'
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+level: high
+logsource:
+  category: network_connection
+  product: windows
+modified: 2020/08/24
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+- attack.exfiltration
+- attack.t1567.001
+- attack.t1048
+yml_filename: sysmon_win_binary_github_com.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_win_binary_susp_com.yml b/rules/Sigma/sysmon_win_binary_susp_com.yml
new file mode 100644
index 00000000..0de828ab
--- /dev/null
+++ b/rules/Sigma/sysmon_win_binary_susp_com.yml
@@ -0,0 +1,36 @@
+title: Microsoft Binary Suspicious Communication Endpoint
+author: Florian Roth
+date: 2018/08/30
+description: Detects an executable in the Windows folder accessing suspicious domains
+detection:
+  SELECTION_1:
+    EventID: 3
+  SELECTION_2:
+    Initiated: 'true'
+  SELECTION_3:
+    DestinationHostname: '*dl.dropboxusercontent.com'
+  SELECTION_4:
+    DestinationHostname: '*.pastebin.com'
+  SELECTION_5:
+    DestinationHostname: '*.githubusercontent.com'
+  SELECTION_6:
+    Image: C:\Windows\\*
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)
+    and SELECTION_6)
+falsepositives:
+- Unknown
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+level: high
+logsource:
+  category: network_connection
+  product: windows
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+yml_filename: sysmon_win_binary_susp_com.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+
diff --git a/rules/Sigma/sysmon_win_reg_persistence.yml b/rules/Sigma/sysmon_win_reg_persistence.yml
new file mode 100644
index 00000000..9e611e45
--- /dev/null
+++ b/rules/Sigma/sysmon_win_reg_persistence.yml
@@ -0,0 +1,48 @@
+title: Registry Persistence Mechanisms
+author: Karneades, Jonhnathan Ribeiro
+date: 2018/04/11
+description: Detects persistence registry keys
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_10:
+    TargetObject: '*\MonitorProcess*'
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*'
+  SELECTION_5:
+    TargetObject: '*\Image File Execution Options\\*'
+  SELECTION_6:
+    TargetObject: '*\GlobalFlag*'
+  SELECTION_7:
+    TargetObject: '*SilentProcessExit\\*'
+  SELECTION_8:
+    TargetObject: '*\ReportingMode*'
+  SELECTION_9:
+    TargetObject: '*SilentProcessExit\\*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4) and
+    ((SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
+    and SELECTION_10)))
+falsepositives:
+- unknown
+id: 36803969-5421-41ec-b92f-8500f79c23b0
+level: critical
+logsource:
+  category: registry_event
+  product: windows
+modified: 2020/09/06
+references:
+- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+tags:
+- attack.privilege_escalation
+- attack.persistence
+- attack.defense_evasion
+- attack.t1183
+- attack.t1546.012
+- car.2013-01-002
+yml_filename: sysmon_win_reg_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_win_reg_telemetry_persistence.yml b/rules/Sigma/sysmon_win_reg_telemetry_persistence.yml
new file mode 100644
index 00000000..0f43acec
--- /dev/null
+++ b/rules/Sigma/sysmon_win_reg_telemetry_persistence.yml
@@ -0,0 +1,41 @@
+title: Registry Persistence Mechanism via Windows Telemetry
+author: Lednyov Alexey, oscd.community
+date: 2020/10/16
+description: Detects persistence method using windows telemetry
+detection:
+  SELECTION_1:
+    EventID: 12
+  SELECTION_2:
+    EventID: 13
+  SELECTION_3:
+    EventID: 14
+  SELECTION_4:
+    TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\\*'
+  SELECTION_5:
+    TargetObject: '*\Command*'
+  SELECTION_6:
+    Details: '*.exe*'
+  SELECTION_7:
+    Details: '*\system32\CompatTelRunner.exe*'
+  SELECTION_8:
+    Details: '*\system32\DeviceCensus.exe*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 and SELECTION_5
+    and SELECTION_6) and not ((SELECTION_7 or SELECTION_8)))
+falsepositives:
+- unknown
+id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+level: critical
+logsource:
+  category: registry_event
+  definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows
+    NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+  product: windows
+references:
+- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+status: experimental
+tags:
+- attack.persistence
+- attack.t1053.005
+yml_filename: sysmon_win_reg_telemetry_persistence.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event
+
diff --git a/rules/Sigma/sysmon_wmi_event_subscription.yml b/rules/Sigma/sysmon_wmi_event_subscription.yml
new file mode 100644
index 00000000..36744d10
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_event_subscription.yml
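Review bot: The `logsource.definition` text says the TelemetryController subkey is under "the HKLU hives", which is not a Windows hive name; the path in SELECTION_4 is the machine-wide `\SOFTWARE\Microsoft\Windows NT\CurrentVersion\...` location, so this is presumably a typo for HKLM and worth correcting, since this field is what tells operators which Sysmon registry rule the detection depends on. Separately, SELECTION_6 (`Details: '*.exe*'`) means a Command value that launches a script host without `.exe` in the string is not matched; that is probably acceptable for this rule's scope, but a comment above `SELECTION_6:` saying the `.exe` requirement is intentional would make the trade-off explicit.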
@@ -0,0 +1,27 @@
+title: WMI Event Subscription
+author: Tom Ueltschi (@c_APT_ure)
+date: 2019/01/12
+description: Detects creation of WMI event subscription persistence method
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
+falsepositives:
+- exclude legitimate (vetted) use of WMI event subscription in your network
+id: 0f06a3a5-6a09-413f-8743-e6cf35561297
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+status: experimental
+tags:
+- attack.t1084
+- attack.persistence
+- attack.t1546.003
+yml_filename: sysmon_wmi_event_subscription.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
+
diff --git a/rules/Sigma/sysmon_wmi_module_load.yml b/rules/Sigma/sysmon_wmi_module_load.yml
new file mode 100644
index 00000000..eb739db2
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_module_load.yml
@@ -0,0 +1,74 @@
+title: WMI Modules Loaded
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects non wmiprvse loading WMI modules
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_10:
+    ImageLoaded: '*\fastprox.dll'
+  SELECTION_11:
+    Image: '*\WmiPrvSE.exe'
+  SELECTION_12:
+    Image: '*\WmiApSrv.exe'
+  SELECTION_13:
+    Image: '*\svchost.exe'
+  SELECTION_14:
+    Image: '*\DeviceCensus.exe'
+  SELECTION_15:
+    Image: '*\CompatTelRunner.exe'
+  SELECTION_16:
+    Image: '*\sdiagnhost.exe'
+  SELECTION_17:
+    Image: '*\SIHClient.exe'
+  SELECTION_18:
+    Image: '*\ngentask.exe'
+  SELECTION_19:
+    Image: '*\windows\system32\taskhostw.exe'
+  SELECTION_2:
+    ImageLoaded: '*\wmiclnt.dll'
+  SELECTION_20:
+    Image: '*\windows\system32\MoUsoCoreWorker.exe'
+  SELECTION_21:
+    Image: '*\windows\system32\wbem\WMIADAP.exe'
+  SELECTION_3:
+    ImageLoaded: '*\WmiApRpl.dll'
+  SELECTION_4:
+    ImageLoaded: '*\wmiprov.dll'
+  SELECTION_5:
+    ImageLoaded: '*\wmiutils.dll'
+  SELECTION_6:
+    ImageLoaded: '*\wbemcomn.dll'
+  SELECTION_7:
+    ImageLoaded: '*\wbemprox.dll'
+  SELECTION_8:
+    ImageLoaded: '*\WMINet_Utils.dll'
+  SELECTION_9:
+    ImageLoaded: '*\wbemsvc.dll'
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
+    and not ((SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or
+    SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
+    or SELECTION_20 or SELECTION_21)))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- Image
+- ImageLoaded
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2021/08/18
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+yml_filename: sysmon_wmi_module_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/Sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
new file mode 100644
index 00000000..f0dba549
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -0,0 +1,30 @@
+title: WMI Persistence - Command Line Event Consumer
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects WMI command line event consumers
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: C:\Windows\System32\wbem\WmiPrvSE.exe
+  SELECTION_3:
+    ImageLoaded: '*\wbemcons.dll'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown (data set is too small; further testing needed)
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
+level: high
+logsource:
+  category: image_load
+  product: windows
+modified: 2020/08/23
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: experimental
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
+yml_filename: sysmon_wmi_persistence_commandline_event_consumer.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/Sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
new file mode 100644
index 00000000..c70550be
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_persistence_script_event_consumer_write.yml
@@ -0,0 +1,28 @@
+title: WMI Persistence - Script Event Consumer File Write
+author: Thomas Patzke
+date: 2018/03/07
+description: Detects file writes of WMI script event consumer
+detection:
+  SELECTION_1:
+    EventID: 11
+  SELECTION_2:
+    Image: C:\WINDOWS\system32\wbem\scrcons.exe
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
+level: high
+logsource:
+  category: file_event
+  product: windows
+modified: 2020/08/23
+references:
+- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+status: experimental
+tags:
+- attack.t1084
+- attack.t1546.003
+- attack.persistence
+yml_filename: sysmon_wmi_persistence_script_event_consumer_write.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/sysmon_wmi_susp_encoded_scripts.yml b/rules/Sigma/sysmon_wmi_susp_encoded_scripts.yml
new file mode 100644
index 00000000..4b0ddc05
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_susp_encoded_scripts.yml
@@ -0,0 +1,53 @@
+title: Suspicious Encoded Scripts in a WMI Consumer
+author: Florian Roth
+date: 2021/09/01
+description: Detects suspicious encoded payloads in WMI Event Consumers
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_10:
+    Destination: '*VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy*'
+  SELECTION_11:
+    Destination: '*RoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlciBXaW4zM*'
+  SELECTION_12:
+    Destination: '*UaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMz*'
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  SELECTION_4:
+    Destination: '*V3JpdGVQcm9jZXNzTWVtb3J5*'
+  SELECTION_5:
+    Destination: '*dyaXRlUHJvY2Vzc01lbW9ye*'
+  SELECTION_6:
+    Destination: '*Xcml0ZVByb2Nlc3NNZW1vcn*'
+  SELECTION_7:
+    Destination: '*VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZG*'
+  SELECTION_8:
+    Destination: '*RoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2Rl*'
+  SELECTION_9:
+    Destination: '*UaGlzIHByb2dyYW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZ*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5
+    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+    or SELECTION_11 or SELECTION_12))
+falsepositives:
+- Unknown
+fields:
+- User
+- Operation
+id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+references:
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+tags:
+- attack.execution
+- attack.t1047
+- attack.persistence
+- attack.t1546.003
+yml_filename: sysmon_wmi_susp_encoded_scripts.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
+
diff --git a/rules/Sigma/sysmon_wmi_susp_scripting.yml b/rules/Sigma/sysmon_wmi_susp_scripting.yml
new file mode 100644
index 00000000..6db7b6be
--- /dev/null
+++ b/rules/Sigma/sysmon_wmi_susp_scripting.yml
@@ -0,0 +1,66 @@
+title: Suspicious Scripting in a WMI Consumer
+author: Florian Roth, Jonhnathan Ribeiro
+date: 2019/04/15
+description: Detects suspicious scripting in WMI Event Consumers
+detection:
+  SELECTION_1:
+    EventID: 19
+  SELECTION_10:
+    Destination: '* iex(*'
+  SELECTION_11:
+    Destination: '*WScript.shell*'
+  SELECTION_12:
+    Destination: '* -nop *'
+  SELECTION_13:
+    Destination: '* -noprofile *'
+  SELECTION_14:
+    Destination: '* -decode *'
+  SELECTION_15:
+    Destination: '* -enc *'
+  SELECTION_16:
+    Destination: '*WScript.Shell*'
+  SELECTION_17:
+    Destination: '*System.Security.Cryptography.FromBase64Transform*'
+  SELECTION_2:
+    EventID: 20
+  SELECTION_3:
+    EventID: 21
+  SELECTION_4:
+    Destination: '*new-object*'
+  SELECTION_5:
+    Destination: '*net.webclient*'
+  SELECTION_6:
+    Destination: '*.downloadstring*'
+  SELECTION_7:
+    Destination: '*new-object*'
+  SELECTION_8:
+    Destination: '*net.webclient*'
+  SELECTION_9:
+    Destination: '*.downloadfile*'
+  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and
+    SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9)
+    or (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
+    or SELECTION_15) or (SELECTION_16 or SELECTION_17)))
+falsepositives:
+- Administrative scripts
+fields:
+- User
+- Operation
+id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
+level: high
+logsource:
+  category: wmi_event
+  product: windows
+modified: 2021/09/01
+references:
+- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
+- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
+- https://github.com/RiccardoAncarani/LiquidSnake
+status: experimental
+tags:
+- attack.t1086
+- attack.execution
+- attack.t1059.005
+yml_filename: sysmon_wmi_susp_scripting.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
+
diff --git a/rules/Sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/Sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
new file mode 100644
index 00000000..6ce43520
--- /dev/null
+++ b/rules/Sigma/sysmon_wmic_remote_xsl_scripting_dlls.yml
@@ -0,0 +1,34 @@
+title: WMIC Loading Scripting Libraries
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/17
+description: Detects threat actors proxy executing code and bypassing application
+  controls by leveraging wmic and the `/FORMAT` argument switch to download and
+  execute an XSL file (i.e js, vbs, etc).
+detection:
+  SELECTION_1:
+    EventID: 7
+  SELECTION_2:
+    Image: '*\wmic.exe'
+  SELECTION_3:
+    ImageLoaded: '*\jscript.dll'
+  SELECTION_4:
+    ImageLoaded: '*\vbscript.dll'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Apparently, wmic os get lastboottuptime loads vbscript.dll
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+level: high
+logsource:
+  category: image_load
+  product: windows
+references:
+- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+- https://twitter.com/dez_/status/986614411711442944
+- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1220
+yml_filename: sysmon_wmic_remote_xsl_scripting_dlls.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
+
diff --git a/rules/Sigma/sysmon_wsman_provider_image_load.yml b/rules/Sigma/sysmon_wsman_provider_image_load.yml
new file mode 100644
index 00000000..55e6d5dc
--- /dev/null
+++ b/rules/Sigma/sysmon_wsman_provider_image_load.yml
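Review bot: `- Apparently, wmic os get lastboottuptime loads vbscript.dll` misspells the WMI property (`lastbootuptime`), and since operators copy these strings into searches and allow-lists the falsepositives text should be exact. The known-benign case cannot be filtered within this rule because Sysmon Event ID 7 carries no command line, so at `level: high` the falsepositives entry is the only hint an analyst gets; it would help to state that explicitly, e.g. `- Apparently, wmic os get lastbootuptime loads vbscript.dll; correlate with the process_creation event to tell it apart from /FORMAT abuse`.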
@@ -0,0 +1,52 @@ +title: Suspicious WSMAN Provider Image Loads +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/06/24 +description: Detects signs of potential use of the WSMAN provider from uncommon processes + locally and remote execution. +detection: + SELECTION_1: + EventID: 7 + SELECTION_10: + Image: '*\svchost.exe' + SELECTION_11: + OriginalFileName: WsmWmiPl.dll + SELECTION_2: + EventID: 7 + SELECTION_3: + ImageLoaded: '*\WsmSvc.dll' + SELECTION_4: + ImageLoaded: '*\WsmAuto.dll' + SELECTION_5: + ImageLoaded: '*\Microsoft.WSMan.Management.ni.dll' + SELECTION_6: + OriginalFileName: WsmSvc.dll + SELECTION_7: + OriginalFileName: WSMANAUTOMATION.DLL + SELECTION_8: + OriginalFileName: Microsoft.WSMan.Management.dll + SELECTION_9: + Image: '*\powershell.exe' + condition: (SELECTION_1 and ((SELECTION_2 and ((SELECTION_3 or SELECTION_4 or + SELECTION_5) or (SELECTION_6 or SELECTION_7 or SELECTION_8)) and not (SELECTION_9)) + or (SELECTION_10 and SELECTION_11))) +falsepositives: +- Unknown +id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 +level: medium +logsource: + category: image_load + product: windows +references: +- https://twitter.com/chadtilbury/status/1275851297770610688 +- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ +- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +- https://github.com/bohops/WSMan-WinRM +status: experimental +tags: +- attack.execution +- attack.t1059.001 +- attack.lateral_movement +- attack.t1021.003 +yml_filename: sysmon_wsman_provider_image_load.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load + diff --git a/rules/Sigma/sysmon_wuauclt_network_connection.yml b/rules/Sigma/sysmon_wuauclt_network_connection.yml new file mode 100644 index 00000000..8f9fc862 --- /dev/null +++ b/rules/Sigma/sysmon_wuauclt_network_connection.yml 
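Review bot: SELECTION_2 repeats SELECTION_1 (`EventID: 7`), so the condition tests the event id twice; SELECTION_2 can be removed and the inner group reduced to `((SELECTION_3 or SELECTION_4 or SELECTION_5) or (SELECTION_6 or SELECTION_7 or SELECTION_8)) and not (SELECTION_9)`. The `not (SELECTION_9)` carve-out excludes only `*\powershell.exe`, so PowerShell 7 (`pwsh.exe`) loading the WSMan assemblies for an ordinary `Invoke-Command` will fire at `medium`; add `Image: '*\pwsh.exe'` to the exclusion if that is unintended. The svchost branch (SELECTION_10 and SELECTION_11) is likely to match the WinRM service host loading its own plugin on any host with WinRM enabled, which `falsepositives: Unknown` does not reflect and is worth confirming before keeping it in a medium-level rule.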
@@ -0,0 +1,29 @@ +title: Wuauclt Network Connection +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/10/12 +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to + proxy execute code and making a network connections. One could easily make the + DLL spawn a new process and inject to it to proxy the network connection and bypass + this rule. +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + Image: '*wuauclt*' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Legitimate use of wuauclt.exe over the network. +id: c649a6c7-cd8c-4a78-9c04-000fc76df954 +level: medium +logsource: + category: network_connection + product: windows +references: +- https://dtm.uk/wuauclt/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1218 +yml_filename: sysmon_wuauclt_network_connection.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection + diff --git a/rules/Sigma/win_aadhealth_mon_agent_regkey_access.yml b/rules/Sigma/win_aadhealth_mon_agent_regkey_access.yml new file mode 100644 index 00000000..978b3fe9 --- /dev/null +++ b/rules/Sigma/win_aadhealth_mon_agent_regkey_access.yml 
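Review bot: `Image: '*wuauclt*'` matches the string anywhere in the path, including a directory name, whereas the other rules in this commit anchor on the binary (`'*\wmic.exe'`, `'*\powershell.exe'`); `Image: '*\wuauclt.exe'` would be consistent, at the cost of no longer catching differently named copies, so the choice should be stated in the description. The rule fires on every wuauclt.exe network connection, which the falsepositives entry itself calls legitimate, so analysts will need the destination to triage; adding a `fields:` list with `DestinationHostname` and `DestinationIp` (both present on Sysmon event 3) would make that cheaper.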
@@ -0,0 +1,44 @@ +title: Azure AD Health Monitoring Agent Registry Keys Access +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/08/26 +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. +detection: + SELECTION_1: + EventID: 4656 + SELECTION_2: + EventID: 4663 + SELECTION_3: + ObjectType: Key + SELECTION_4: + ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent + SELECTION_5: + ProcessName: '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' + SELECTION_6: + ProcessName: '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' + SELECTION_7: + ProcessName: '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' + SELECTION_8: + ProcessName: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' + SELECTION_9: + ProcessName: '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' + condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not + ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +references: +- https://o365blog.com/post/hybridhealthagent/ +- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml +status: experimental +tags: +- attack.discovery +- attack.t1012 +yml_filename: win_aadhealth_mon_agent_regkey_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + 
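Review bot: The `not (SELECTION_5 … SELECTION_9)` allow-list keys on `ProcessName` with `*…exe*` wildcards, so any process whose path merely contains one of those file names is excluded from a rule whose purpose is to catch unexpected readers of that key. Tightening each pattern to the agent's install directory (`ProcessName: '<agent-install-dir>\Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'`, with the directory taken from the actual deployment rather than guessed) keeps the exclusion tied to the real binary location. win_aadhealth_svc_agent_regkey_access.yml below uses the same name-only exclusion list. The `description: |` block scalar keeps a trailing newline; `|-` would avoid it, though that is cosmetic.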
diff --git a/rules/Sigma/win_aadhealth_svc_agent_regkey_access.yml b/rules/Sigma/win_aadhealth_svc_agent_regkey_access.yml new file mode 100644 index 00000000..307c22fd --- /dev/null +++ b/rules/Sigma/win_aadhealth_svc_agent_regkey_access.yml 
@@ -0,0 +1,46 @@ +title: Azure AD Health Service Agents Registry Keys Access +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +date: 2021/08/26 +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). + Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. + Make sure you set the SACL to propagate to its sub-keys. +detection: + SELECTION_1: + EventID: 4656 + SELECTION_2: + EventID: 4663 + SELECTION_3: + ObjectType: Key + SELECTION_4: + ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent + SELECTION_5: + ProcessName: '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*' + SELECTION_6: + ProcessName: '*Microsoft.Identity.Health.Adfs.InsightsService.exe*' + SELECTION_7: + ProcessName: '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*' + SELECTION_8: + ProcessName: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*' + SELECTION_9: + ProcessName: '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*' + condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not + ((SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9))) +falsepositives: +- Unknown +id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8 +level: medium +logsource: + product: windows + service: security +references: +- https://o365blog.com/post/hybridhealthagent/ +- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml +status: experimental +tags: +- attack.discovery +- attack.t1012 +yml_filename: win_aadhealth_svc_agent_regkey_access.yml +yml_path: 
/Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_account_backdoor_dcsync_rights.yml b/rules/Sigma/win_account_backdoor_dcsync_rights.yml new file mode 100644 index 00000000..8c49dc02 --- /dev/null +++ b/rules/Sigma/win_account_backdoor_dcsync_rights.yml @@ -0,0 +1,37 @@ +title: Powerview Add-DomainObjectAcl DCSync AD Extend Right +author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community +date: 2019/04/03 +description: backdooring domain object to grant the rights associated with DCSync + to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync + Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer +detection: + SELECTION_1: + EventID: 5136 + SELECTION_2: + AttributeLDAPDisplayName: ntSecurityDescriptor + SELECTION_3: + AttributeValue: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' + SELECTION_4: + AttributeValue: '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' + SELECTION_5: + AttributeValue: '*89e95b76-444d-4c62-991a-0facbeda640c*' + condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)) +falsepositives: +- New Domain Controller computer account, check user SIDs within the value attribute + of event 5136 and verify if it's a regular user or DC computer account. +id: 2c99737c-585d-4431-b61a-c911d86ff32f +level: critical +logsource: + product: windows + service: security +modified: 2021/07/09 +references: +- https://twitter.com/menasec1/status/1111556090137903104 +- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf +status: experimental +tags: +- attack.persistence +- attack.t1098 +yml_filename: win_account_backdoor_dcsync_rights.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_account_discovery.yml b/rules/Sigma/win_account_discovery.yml new file mode 100644 index 00000000..7db42e05 --- /dev/null +++ b/rules/Sigma/win_account_discovery.yml 
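Review bot: The description says the SACL must propagate to sub-keys, but SELECTION_4 is an exact match on `\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent`, so 4656/4663 events whose ObjectName is a sub-key path never match and the propagated audit entries add nothing. If sub-key reads are in scope, change it to `ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent*'` (quoted, as the value now ends in a wildcard); otherwise drop the propagation sentence from the description. The `ProcessName` allow-list has the same name-only weakness noted on the monitoring-agent rule above.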
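Review bot: The condition checks only that a 5136 on `ntSecurityDescriptor` contains one of the three replication-right GUIDs, so it fires equally when such an ACE is removed; 5136 distinguishes the two through its `OperationType` field, and restricting to the value-added operation would keep `critical` for the grant while letting removals go to a lower tier. `ObjectClass` is not constrained either, so a matching ACE written on any directory object qualifies, which is probably intended but worth stating. The description is one run-on sentence starting lowercase (`backdooring domain object …`); something like `description: Detects a change to an object's ntSecurityDescriptor that grants the DS-Replication-Get-Changes rights (the rights DCSync relies on) to a principal` would read better and name the GUIDs' meaning for analysts.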
@@ -0,0 +1,54 @@ +title: AD Privileged Users or Groups Reconnaissance +author: Samir Bousseaden +date: 2019/04/03 +description: Detect priv users or groups recon based on 4661 eventid and known privileged + users or groups SIDs +detection: + SELECTION_1: + EventID: 4661 + SELECTION_10: + ObjectName: '*-544' + SELECTION_11: + ObjectName: '*-551' + SELECTION_12: + ObjectName: '*-555' + SELECTION_13: + ObjectName: '*admin*' + SELECTION_2: + ObjectType: SAM_USER + SELECTION_3: + ObjectType: SAM_GROUP + SELECTION_4: + ObjectName: '*-512' + SELECTION_5: + ObjectName: '*-502' + SELECTION_6: + ObjectName: '*-500' + SELECTION_7: + ObjectName: '*-505' + SELECTION_8: + ObjectName: '*-519' + SELECTION_9: + ObjectName: '*-520' + condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and ((SELECTION_4 or + SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or + SELECTION_10 or SELECTION_11 or SELECTION_12) or SELECTION_13)) +falsepositives: +- if source account name is not an admin then its super suspicious +id: 35ba1d85-724d-42a3-889f-2e2362bcaf23 +level: high +logsource: + definition: 'Requirements: enable Object Access SAM on your Domain Controllers' + product: windows + service: security +modified: 2021/09/08 +references: +- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +status: experimental +tags: +- attack.discovery +- attack.t1087 +- attack.t1087.002 +yml_filename: win_account_discovery.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_ad_find_discovery.yml b/rules/Sigma/win_ad_find_discovery.yml new file mode 100644 index 00000000..abacfa8b --- /dev/null +++ b/rules/Sigma/win_ad_find_discovery.yml 
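Review bot: SELECTION_13 `ObjectName: '*admin*'` is OR'ed at the top level with the RID list, so any SAM_USER or SAM_GROUP access whose object name contains `admin` fires at `high`; in most domains that covers helpdesk accounts, service accounts and the well-known groups the RID suffixes already identify, so it should be dropped or replaced by an exact list of locally known privileged names. The falsepositives entry (`if source account name is not an admin then its super suspicious`) describes a filter the rule could apply itself: a `not` branch over `SubjectUserName` for the environment's known admin accounts would turn the prose into detection logic and make the level defensible.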
@@ -0,0 +1,68 @@ +title: AdFind Usage Detection +author: Janantha Marasinghe (https://github.com/blueteam0ps) +date: 2021/02/02 +description: AdFind continues to be seen across majority of breaches. It is used to + domain trust discovery to plan out subsequent steps in the attack chain. +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*name="Domain Admins"*' + SELECTION_11: + CommandLine: '*-sc u:*' + SELECTION_12: + CommandLine: '*domainncs*' + SELECTION_13: + CommandLine: '*dompol*' + SELECTION_14: + CommandLine: '* oudmp *' + SELECTION_15: + CommandLine: '*subnetdmp*' + SELECTION_16: + CommandLine: '*gpodmp*' + SELECTION_17: + CommandLine: '*fspdmp*' + SELECTION_18: + CommandLine: '*users_noexpire*' + SELECTION_19: + CommandLine: '*computers_active*' + SELECTION_2: + CommandLine: '*domainlist*' + SELECTION_3: + CommandLine: '*trustdmp*' + SELECTION_4: + CommandLine: '*dcmodes*' + SELECTION_5: + CommandLine: '*adinfo*' + SELECTION_6: + CommandLine: '* dclist *' + SELECTION_7: + CommandLine: '*computer_pwdnotreqd*' + SELECTION_8: + CommandLine: '*objectcategory=*' + SELECTION_9: + CommandLine: '*-subnets -f*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19)) +falsepositives: +- Admin activity +id: 9a132afa-654e-11eb-ae93-0242ac130002 +level: high +logsource: + category: process_creation + product: windows +modified: 2021/02/02 +references: +- https://thedfirreport.com/2020/05/08/adfind-recon/ +- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ +- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +status: experimental +tags: +- attack.discovery +- attack.t1482 +- 
attack.t1018 +yml_filename: win_ad_find_discovery.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_ad_object_writedac_access.yml b/rules/Sigma/win_ad_object_writedac_access.yml new file mode 100644 index 00000000..a9a7cddd --- /dev/null +++ b/rules/Sigma/win_ad_object_writedac_access.yml @@ -0,0 +1,33 @@ +title: AD Object WriteDAC Access +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/09/12 +description: Detects WRITE_DAC access to a domain object +detection: + SELECTION_1: + EventID: 4662 + SELECTION_2: + ObjectServer: DS + SELECTION_3: + AccessMask: '0x40000' + SELECTION_4: + ObjectType: 19195a5b-6da0-11d0-afd3-00c04fd930c9 + SELECTION_5: + ObjectType: domainDNS + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +id: 028c7842-4243-41cd-be6f-12f3cf1a26c7 +level: critical +logsource: + product: windows + service: security +references: +- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html +status: experimental +tags: +- attack.defense_evasion +- attack.t1222 +- attack.t1222.001 +yml_filename: win_ad_object_writedac_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_ad_replication_non_machine_account.yml b/rules/Sigma/win_ad_replication_non_machine_account.yml new file mode 100644 index 00000000..f1dcd36f --- /dev/null +++ b/rules/Sigma/win_ad_replication_non_machine_account.yml 
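Review bot: Every selection is a bare CommandLine substring and nothing ties the event to AdFind itself, so generic terms such as `'*objectcategory=*'`, `'*adinfo*'` and `'*domainlist*'` match any LDAP query or unrelated tool at `level: high`. Either pair the generic group with an `Image`/`OriginalFileName` selection for the AdFind binary (values taken from a real sample, not guessed) or keep only the AdFind-specific switches (`dclist`, `trustdmp`, `computer_pwdnotreqd`, `users_noexpire`, …) in the unconstrained group and move the generic ones behind that qualifier. The description's second sentence (`It is used to domain trust discovery`) is missing a verb.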
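Review bot: `AccessMask: '0x40000'` is an exact string match, but 4662 reports the requested mask, which may combine several rights, so a request asking for WRITE_DAC together with other accesses carries a different hex value and slips past a `critical` rule. Unless the consumer offers a bitmask-aware modifier, the selection should enumerate the mask values observed in practice, and the limitation should be stated in `logsource.definition`. win_ad_replication_non_machine_account.yml below has the same exact match on `AccessMask: '0x100'`.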
@@ -0,0 +1,44 @@ +title: Active Directory Replication from Non Machine Account +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/07/26 +description: Detects potential abuse of Active Directory Replication Service (ADRS) + from a non machine account to request credentials. +detection: + SELECTION_1: + EventID: 4662 + SELECTION_2: + AccessMask: '0x100' + SELECTION_3: + Properties: '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' + SELECTION_4: + Properties: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' + SELECTION_5: + Properties: '*89e95b76-444d-4c62-991a-0facbeda640c*' + SELECTION_6: + SubjectUserName: '*$' + SELECTION_7: + SubjectUserName: MSOL_* + condition: ((SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)) + and not (SELECTION_6 or SELECTION_7)) +falsepositives: +- Unknown +fields: +- ComputerName +- SubjectDomainName +- SubjectUserName +id: 17d619c1-e020-4347-957e-1d1207455c93 +level: critical +logsource: + product: windows + service: security +modified: 2020/08/23 +references: +- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +status: experimental +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.006 +yml_filename: win_ad_replication_non_machine_account.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_ad_user_enumeration.yml b/rules/Sigma/win_ad_user_enumeration.yml new file mode 100644 index 00000000..25c55475 --- /dev/null +++ b/rules/Sigma/win_ad_user_enumeration.yml 
@@ -0,0 +1,36 @@ +title: AD User Enumeration +author: Maxime Thiebaut (@0xThiebaut) +date: 2020/03/30 +description: Detects access to a domain user from a non-machine account +detection: + SELECTION_1: + EventID: 4662 + SELECTION_2: + ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*' + SELECTION_3: + SubjectUserName: '*$' + SELECTION_4: + SubjectUserName: MSOL_* + condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4)) +falsepositives: +- Administrators configuring new users. +id: ab6bffca-beff-4baa-af11-6733f296d57a +level: medium +logsource: + definition: Requires the "Read all properties" permission on the user object to + be audited for the "Everyone" principal + product: windows + service: security +modified: 2021/08/09 +references: +- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf +- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html +- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all +status: experimental +tags: +- attack.discovery +- attack.t1087 +- attack.t1087.002 +yml_filename: win_ad_user_enumeration.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_admin_rdp_login.yml b/rules/Sigma/win_admin_rdp_login.yml new file mode 100644 index 00000000..2decb719 --- /dev/null +++ b/rules/Sigma/win_admin_rdp_login.yml 
@@ -0,0 +1,38 @@ +title: Admin User Remote Logon +author: juju4 +date: 2017/10/29 +description: Detect remote login by Administrator user (depending on internal pattern). +detection: + SELECTION_1: + EventID: 4624 + SELECTION_2: + LogonType: 10 + SELECTION_3: + AuthenticationPackageName: Negotiate + SELECTION_4: + TargetUserName: Admin* + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- Legitimate administrative activity. +id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a +level: low +logsource: + definition: 'Requirements: Identifiable administrators usernames (pattern or special + unique character. ex: "Admin-*"), internal policy mandating use only as secondary + account' + product: windows + service: security +modified: 2021/07/07 +references: +- https://car.mitre.org/wiki/CAR-2016-04-005 +status: experimental +tags: +- attack.lateral_movement +- attack.t1078 +- attack.t1078.001 +- attack.t1078.002 +- attack.t1078.003 +- car.2016-04-005 +yml_filename: win_admin_rdp_login.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_admin_share_access.yml b/rules/Sigma/win_admin_share_access.yml new file mode 100644 index 00000000..adc80fb5 --- /dev/null +++ b/rules/Sigma/win_admin_share_access.yml 
@@ -0,0 +1,30 @@ +title: Access to ADMIN$ Share +author: Florian Roth +date: 2017/03/04 +description: Detects access to $ADMIN share +detection: + SELECTION_1: + EventID: 5140 + SELECTION_2: + ShareName: Admin$ + SELECTION_3: + SubjectUserName: '*$' + condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3)) +falsepositives: +- Legitimate administrative activity +id: 098d7118-55bc-4912-a836-dc6483a8d150 +level: low +logsource: + definition: The advanced audit policy setting "Object Access > Audit File Share" + must be configured for Success/Failure + product: windows + service: security +modified: 2020/08/23 +status: experimental +tags: +- attack.lateral_movement +- attack.t1077 +- attack.t1021.002 +yml_filename: win_admin_share_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_alert_active_directory_user_control.yml b/rules/Sigma/win_alert_active_directory_user_control.yml new file mode 100644 index 00000000..f063b4ee --- /dev/null +++ b/rules/Sigma/win_alert_active_directory_user_control.yml 
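Review bot: `ShareName: Admin$` is an exact match, but Microsoft's 5140 documentation shows the share name in `\\*\<share>` form, so this selection is unlikely ever to fire; `ShareName: '*\ADMIN$'` with a suffix wildcard, checked against a real event for case, is the safer form. The description says `$ADMIN share` where the title and selection mean `ADMIN$`.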
@@ -0,0 +1,31 @@ +title: Enabled User Right in AD to Control User Objects +author: '@neu5ron' +date: 2017/07/30 +description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege + right in Active Directory it would allow control of other AD user objects. +detection: + SELECTION_1: + EventID: 4704 + SELECTION_2: + PrivilegeList: '*SeEnableDelegationPrivilege*' + condition: (SELECTION_1 and (SELECTION_2)) +falsepositives: +- Unknown +id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd +level: high +logsource: + definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization + Policy Change, Group Policy : Computer Configuration\Windows Settings\Security + Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit + Authorization Policy Change' + product: windows + service: security +modified: 2020/08/23 +references: +- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ +tags: +- attack.persistence +- attack.t1098 +yml_filename: win_alert_active_directory_user_control.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_alert_ad_user_backdoors.yml b/rules/Sigma/win_alert_ad_user_backdoors.yml new file mode 100644 index 00000000..96d05973 --- /dev/null +++ b/rules/Sigma/win_alert_ad_user_backdoors.yml 
@@ -0,0 +1,54 @@ +title: Active Directory User Backdoors +author: '@neu5ron' +date: 2017/04/13 +description: Detects scenarios where one can control another users or computers account + without having to use their credentials. +detection: + SELECTION_1: + EventID: 4738 + SELECTION_10: + AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity + SELECTION_2: + AllowedToDelegateTo: '-' + SELECTION_3: + AllowedToDelegateTo|re: ^$ + SELECTION_4: + EventID: 5136 + SELECTION_5: + AttributeLDAPDisplayName: msDS-AllowedToDelegateTo + SELECTION_6: + EventID: 5136 + SELECTION_7: + ObjectClass: user + SELECTION_8: + AttributeLDAPDisplayName: servicePrincipalName + SELECTION_9: + EventID: 5136 + condition: (((((SELECTION_1 and not (SELECTION_2)) and not (SELECTION_3)) or + (SELECTION_4 and SELECTION_5)) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) + or (SELECTION_9 and SELECTION_10)) +falsepositives: +- Unknown +id: 300bac00-e041-4ee2-9c36-e262656a6ecc +level: high +logsource: + definition: 'Requirements: Audit Policy : Account Management > Audit User Account + Management, Group Policy : Computer Configuration\Windows Settings\Security + Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit + User Account Management, DS Access > Audit Directory Service Changes, Group + Policy : Computer Configuration\Windows Settings\Security Settings\Advanced + Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service + Changes' + product: windows + service: security +modified: 2020/08/23 +references: +- https://msdn.microsoft.com/en-us/library/cc220234.aspx +- https://adsecurity.org/?p=3466 +- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/ +tags: +- attack.t1098 +- attack.persistence +yml_filename: win_alert_ad_user_backdoors.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + 
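Review bot: SELECTION_3 uses the `AllowedToDelegateTo|re: ^$` modifier syntax while every other selection in this commit is a plain field/wildcard pair; if the consumer does not honour `|re`, the key is read as a literal field name that never matches, and because it sits under `not` the 4738 branch degrades to "any 4738 whose AllowedToDelegateTo is not `-`", which is close to every user-account change. Confirm the modifier is supported, or express the empty-value test in a form the engine understands (e.g. `AllowedToDelegateTo: ''`). Separately, SELECTION_4, SELECTION_6 and SELECTION_9 each re-declare `EventID: 5136`; one shared selection would make the condition easier to read.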
diff --git a/rules/Sigma/win_alert_enable_weak_encryption.yml b/rules/Sigma/win_alert_enable_weak_encryption.yml new file mode 100644 index 00000000..77653f54 --- /dev/null +++ b/rules/Sigma/win_alert_enable_weak_encryption.yml 
@@ -0,0 +1,136 @@ +title: Weak Encryption Enabled and Kerberoast +author: '@neu5ron' +date: 2017/07/30 +description: Detects scenario where weak encryption is enabled for a user profile + which could be used for hash/password cracking. +detection: + SELECTION_1: + EventID: 4738 + SELECTION_10: + OldUacValue: '*8???' + SELECTION_11: + OldUacValue: '*9???' + SELECTION_12: + OldUacValue: '*A???' + SELECTION_13: + OldUacValue: '*B???' + SELECTION_14: + OldUacValue: '*C???' + SELECTION_15: + OldUacValue: '*D???' + SELECTION_16: + OldUacValue: '*E???' + SELECTION_17: + OldUacValue: '*F???' + SELECTION_18: + NewUacValue: '*1????' + SELECTION_19: + NewUacValue: '*3????' + SELECTION_2: + NewUacValue: '*8???' + SELECTION_20: + NewUacValue: '*5????' + SELECTION_21: + NewUacValue: '*7????' + SELECTION_22: + NewUacValue: '*9????' + SELECTION_23: + NewUacValue: '*B????' + SELECTION_24: + NewUacValue: '*D????' + SELECTION_25: + NewUacValue: '*F????' + SELECTION_26: + OldUacValue: '*1????' + SELECTION_27: + OldUacValue: '*3????' + SELECTION_28: + OldUacValue: '*5????' + SELECTION_29: + OldUacValue: '*7????' + SELECTION_3: + NewUacValue: '*9???' + SELECTION_30: + OldUacValue: '*9????' + SELECTION_31: + OldUacValue: '*B????' + SELECTION_32: + OldUacValue: '*D????' + SELECTION_33: + OldUacValue: '*F????' + SELECTION_34: + NewUacValue: '*8??' + SELECTION_35: + NewUacValue: '*9??' + SELECTION_36: + NewUacValue: '*A??' + SELECTION_37: + NewUacValue: '*B??' + SELECTION_38: + NewUacValue: '*C??' + SELECTION_39: + NewUacValue: '*D??' + SELECTION_4: + NewUacValue: '*A???' + SELECTION_40: + NewUacValue: '*E??' + SELECTION_41: + NewUacValue: '*F??' + SELECTION_42: + OldUacValue: '*8??' + SELECTION_43: + OldUacValue: '*9??' + SELECTION_44: + OldUacValue: '*A??' + SELECTION_45: + OldUacValue: '*B??' + SELECTION_46: + OldUacValue: '*C??' + SELECTION_47: + OldUacValue: '*D??' + SELECTION_48: + OldUacValue: '*E??' + SELECTION_49: + OldUacValue: '*F??' + SELECTION_5: + NewUacValue: '*B???' 
+ SELECTION_6: + NewUacValue: '*C???' + SELECTION_7: + NewUacValue: '*D???' + SELECTION_8: + NewUacValue: '*E???' + SELECTION_9: + NewUacValue: '*F???' + condition: (SELECTION_1 and ((((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and not ((SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 + or SELECTION_16 or SELECTION_17))) or ((SELECTION_18 or SELECTION_19 or SELECTION_20 + or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25) + and not ((SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or + SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33)))) or ((SELECTION_34 + or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 + or SELECTION_40 or SELECTION_41) and not ((SELECTION_42 or SELECTION_43 or + SELECTION_44 or SELECTION_45 or SELECTION_46 or SELECTION_47 or SELECTION_48 + or SELECTION_49))))) +falsepositives: +- Unknown +id: f6de9536-0441-4b3f-a646-f4e00f300ffd +level: high +logsource: + definition: 'Requirements: Audit Policy : Account Management > Audit User Account + Management, Group Policy : Computer Configuration\Windows Settings\Security + Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit + User Account Management' + product: windows + service: security +references: +- https://adsecurity.org/?p=2053 +- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ +tags: +- attack.defense_evasion +- attack.t1089 +- attack.t1562.001 +yml_filename: win_alert_enable_weak_encryption.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_alert_lsass_access.yml b/rules/Sigma/win_alert_lsass_access.yml new file mode 100644 index 00000000..84486308 --- /dev/null +++ b/rules/Sigma/win_alert_lsass_access.yml 
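Review bot: The 49 selections are nibble tests on the hex string of `OldUacValue`/`NewUacValue` — `'*8???'`…`'*F???'` checks the high bit of the fourth hex digit from the end, `'*1????'`…`'*F????'` the low bit of the fifth, `'*8??'`…`'*F??'` the high bit of the third — and nothing in the file says which UAC flags those bits stand for, so a maintainer cannot verify the title's claim without re-deriving the masks. Add a comment above `detection:` along the lines of `# group A (…???): UAC 0x8000 Use DES Key Only; group B (…????): 0x10000 Don't Require Preauth; group C (…??): 0x800 Encrypted Text Password Allowed — confirm against the 4738 UAC value table`, which also records that each group fires only on the old→new transition. If the converter is what expanded a compact source rule into these 49 wildcards, that is worth noting too, since the expansion is easy to get subtly wrong on the next regeneration.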
@@ -0,0 +1,30 @@ +title: LSASS Access Detected via Attack Surface Reduction +author: Markus Neis +date: 2018/08/26 +description: Detects Access to LSASS Process +detection: + SELECTION_1: + EventID: 1121 + SELECTION_2: + Path: '*\lsass.exe' + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Google Chrome GoogleUpdate.exe +- Some Taskmgr.exe related activity +id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 +level: high +logsource: + definition: 'Requirements:Enabled Block credential stealing from the Windows local + security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: + 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' + product: windows_defender +references: +- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter +status: experimental +tags: +- attack.credential_access +- attack.t1003 +- attack.t1003.001 +yml_filename: win_alert_lsass_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_alert_mimikatz_keywords.yml b/rules/Sigma/win_alert_mimikatz_keywords.yml new file mode 100644 index 00000000..e0402b2c --- /dev/null +++ b/rules/Sigma/win_alert_mimikatz_keywords.yml 
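Review bot: `EventID: 1121` covers only the block-mode ASR event; when the credential-theft rule is deployed in audit mode the same detection is logged as 1122, so tenants piloting ASR get nothing from this rule. Adding `SELECTION_3: EventID: 1122` OR'ed with SELECTION_1, plus a sentence in `definition` that 1122 means audited rather than blocked, closes that gap and fits the title's "Detected" wording.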
@@ -0,0 +1,34 @@ +title: Mimikatz Use +author: Florian Roth +date: 2017/01/10 +description: This method detects mimikatz keywords in different Eventlogs (some of + them only appear in older Mimikatz version that are however still used by different + threat groups) +detection: + condition: (\mimikatz or mimikatz.exe or \mimilib.dll or <3 eo.oe or eo.oe.kiwi + or privilege::debug or sekurlsa::logonpasswords or lsadump::sam or mimidrv.sys + or p::d or s::l or gentilkiwi.com or Kiwi Legit Printer) +falsepositives: +- Naughty administrators +- Penetration test +- AV Signature updates +- Files with Mimikatz in their filename +id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 +level: critical +logsource: + product: windows +modified: 2021/08/26 +tags: +- attack.s0002 +- attack.t1003 +- attack.lateral_movement +- attack.credential_access +- car.2013-07-001 +- car.2019-04-004 +- attack.t1003.002 +- attack.t1003.004 +- attack.t1003.001 +- attack.t1003.006 +yml_filename: win_alert_mimikatz_keywords.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_alert_ruler.yml b/rules/Sigma/win_alert_ruler.yml new file mode 100644 index 00000000..bbfca60a --- /dev/null +++ b/rules/Sigma/win_alert_ruler.yml 
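Review bot: `condition:` here is a bare list of literal keywords (`\mimikatz or mimikatz.exe or <3 eo.oe or … or Kiwi Legit Printer`) rather than an expression over named selections like every other rule in this commit, and several terms contain spaces or operator-like characters (`<3 eo.oe`, `p::d`, `Kiwi Legit Printer`), so a condition parser will either reject the line or tokenise it into fragments that match nothing. The source rule's keyword list appears to have been inlined by the converter; it should be re-emitted in whatever form the consumer uses for field-less keyword matches, with `condition:` referencing those selections, and the converter path that produced this checked for other keyword-only rules. The tag list also mixes `attack.t1003` with four of its sub-techniques; the parent can go.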
@@ -0,0 +1,42 @@ +title: Hacktool Ruler +author: Florian Roth +date: 2017/05/31 +description: This events that are generated when using the hacktool Ruler by Sensepost +detection: + SELECTION_1: + EventID: 4776 + SELECTION_2: + Workstation: RULER + SELECTION_3: + EventID: 4624 + SELECTION_4: + EventID: 4625 + SELECTION_5: + WorkstationName: RULER + condition: ((SELECTION_1 and SELECTION_2) or ((SELECTION_3 or SELECTION_4) and + SELECTION_5)) +falsepositives: +- Go utilities that use staaldraad awesome NTLM library +id: 24549159-ac1b-479c-8175-d42aea947cae +level: high +logsource: + product: windows + service: security +modified: 2021/08/09 +references: +- https://github.com/sensepost/ruler +- https://github.com/sensepost/ruler/issues/47 +- https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427 +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 +tags: +- attack.discovery +- attack.execution +- attack.t1087 +- attack.t1075 +- attack.t1114 +- attack.t1059 +- attack.t1550.002 +yml_filename: win_alert_ruler.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_anydesk_silent_install.yml b/rules/Sigma/win_anydesk_silent_install.yml new file mode 100644 index 00000000..8936c495 --- /dev/null +++ b/rules/Sigma/win_anydesk_silent_install.yml 
@@ -0,0 +1,35 @@ +title: AnyDesk Silent Installation +author: "J\xE1n Tren\u010Dansk\xFD" +date: 2021/08/06 +description: AnyDesk Remote Desktop silent installation can be used by attacker to + gain remote access. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*--install*' + SELECTION_3: + CommandLine: '*--start-with-win*' + SELECTION_4: + CommandLine: '*--silent*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- Legitimate deployment of AnyDesk +fields: +- CommandLine +- ParentCommandLine +- CurrentDirectory +id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9 +level: high +logsource: + category: process_creation + product: windows +references: +- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 +- https://support.anydesk.com/Automatic_Deployment +status: experimental +tags: +- attack.t1219 +yml_filename: win_anydesk_silent_install.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_applocker_file_was_not_allowed_to_run.yml b/rules/Sigma/win_applocker_file_was_not_allowed_to_run.yml new file mode 100644 index 00000000..e1de4a71 --- /dev/null +++ b/rules/Sigma/win_applocker_file_was_not_allowed_to_run.yml 
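Review bot: The `tags` list carries only the technique `attack.t1219` with no tactic entry, unlike the other rules in this commit; `- attack.command_and_control` belongs alongside it. `'*--install*'` and `'*--silent*'` are switch names shared by many installers, so the rule's specificity rests on `'*--start-with-win*'` alone; if that proves noisy, pairing the three with an `Image`/`OriginalFileName` selection for the AnyDesk binary (values from a real sample) is the natural tightening.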
@@ -0,0 +1,49 @@
+title: File Was Not Allowed To Run
+author: Pushkarev Dmitry
+date: 2020/06/28
+description: Detect run not allowed files. Applocker is a very useful tool, especially
+ on servers where unprivileged users have access. For example terminal servers.
+ You need configure applocker and log collect to receive these events.
+detection:
+ SELECTION_1:
+ EventID: 8004
+ SELECTION_2:
+ EventID: 8007
+ condition: (SELECTION_1 or SELECTION_2)
+falsepositives:
+- need tuning applocker or add exceptions in SIEM
+fields:
+- PolicyName
+- RuleId
+- RuleName
+- TargetUser
+- TargetProcessId
+- FilePath
+- FileHash
+- Fqbn
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+level: medium
+logsource:
+ product: windows
+ service: applocker
+modified: 2020/08/23
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1064
+- attack.t1204
+- attack.t1035
+- attack.t1204.002
+- attack.t1059.001
+- attack.t1059.003
+- attack.t1059.005
+- attack.t1059.006
+- attack.t1059.007
+yml_filename: win_applocker_file_was_not_allowed_to_run.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_apt29_thinktanks.yml b/rules/Sigma/win_apt_apt29_thinktanks.yml
new file mode 100644
index 00000000..37bb4609
--- /dev/null
+++ b/rules/Sigma/win_apt_apt29_thinktanks.yml
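Review bot: The description and false-positive text are hard to follow (`Detect run not allowed files.`, `need tuning applocker or add exceptions in SIEM`). Suggest `description: Detects files that AppLocker blocked from running (event IDs 8004 and 8007). AppLocker is especially useful on servers where unprivileged users log on interactively, such as terminal servers; the policy and event collection must be configured before these events appear.` and `falsepositives: - Applications the AppLocker policy does not yet allow; tune the policy or add SIEM exceptions`. Note that 8004 and 8007 are the enforce-mode block events, so hosts running in audit-only mode emit different IDs and are not covered by this rule.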
@@ -0,0 +1,37 @@
+title: APT29
+author: Florian Roth
+date: 2018/12/04
+description: This method detects a suspicious PowerShell command line combination
+ as used by APT29 in a campaign against U.S. think tanks.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-noni*'
+ SELECTION_3:
+ CommandLine: '*-ep*'
+ SELECTION_4:
+ CommandLine: '*bypass*'
+ SELECTION_5:
+ CommandLine: '*$*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
+falsepositives:
+- unknown
+id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
+tags:
+- attack.execution
+- attack.g0016
+- attack.t1086
+- attack.t1059
+- attack.t1059.001
+yml_filename: win_apt_apt29_thinktanks.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_babyshark.yml b/rules/Sigma/win_apt_babyshark.yml
new file mode 100644
index 00000000..1c6e3386
--- /dev/null
+++ b/rules/Sigma/win_apt_babyshark.yml
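Review bot: SELECTION_5 `CommandLine: '*$*'` adds almost no selectivity, since nearly any PowerShell command line that already contains `-noni`, `-ep` and `bypass` also contains a `$`, and `*-ep*` is a short substring that can match unrelated arguments. Consider adding an `Image` selection ending in `\powershell.exe` (which the other selections presuppose) and replacing `falsepositives: - unknown` with `- Administrative scripts launched with -noni -ep bypass`, which this substring logic will also match.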
@@ -0,0 +1,41 @@
+title: Baby Shark Activity
+author: Florian Roth
+date: 2019/02/24
+description: Detects activity that could be related to Baby Shark malware
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
+ Client\Default"
+ SELECTION_3:
+ CommandLine: powershell.exe mshta.exe http*
+ SELECTION_4:
+ CommandLine: cmd.exe /c taskkill /im cmd.exe
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059
+- attack.t1086
+- attack.t1059.003
+- attack.t1059.001
+- attack.discovery
+- attack.t1012
+- attack.defense_evasion
+- attack.t1170
+- attack.t1218
+- attack.t1218.005
+yml_filename: win_apt_babyshark.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_bear_activity_gtr19.yml b/rules/Sigma/win_apt_bear_activity_gtr19.yml
new file mode 100644
index 00000000..b6b2789d
--- /dev/null
+++ b/rules/Sigma/win_apt_bear_activity_gtr19.yml
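Review bot: SELECTION_2 to SELECTION_4 are exact values with no leading wildcard (e.g. `CommandLine: powershell.exe mshta.exe http*`), so they only match when the recorded command line begins with the bare executable name; process_creation events usually carry the full or quoted image path, which this would miss. A leading `*` on each, e.g. `CommandLine: '*powershell.exe mshta.exe http*'` and `CommandLine: '*cmd.exe /c taskkill /im cmd.exe'`, covers both forms. The folded SELECTION_2 value (`Terminal Server` / `Client\Default`) collapses to a single space on load, which is correct for that registry path.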
@@ -0,0 +1,52 @@
+title: Judgement Panda Credential Access Activity
+author: Florian Roth
+date: 2019/02/21
+description: Detects Russian group activity as described in Global Threat Report 2019
+ by Crowdstrike
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*-snapshot*'
+ SELECTION_11:
+ CommandLine: '*""*'
+ SELECTION_12:
+ CommandLine: '*c:\users\\*'
+ SELECTION_2:
+ Image: '*\xcopy.exe'
+ SELECTION_3:
+ CommandLine: '*/S*'
+ SELECTION_4:
+ CommandLine: '*/E*'
+ SELECTION_5:
+ CommandLine: '*/C*'
+ SELECTION_6:
+ CommandLine: '*/Q*'
+ SELECTION_7:
+ CommandLine: '*/H*'
+ SELECTION_8:
+ CommandLine: '*\\\*'
+ SELECTION_9:
+ Image: '*\adexplorer.exe'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9
+ and SELECTION_10 and SELECTION_11 and SELECTION_12)))
+falsepositives:
+- unknown
+id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+tags:
+- attack.credential_access
+- attack.t1081
+- attack.t1003
+- attack.t1552.001
+- attack.t1003.003
+yml_filename: win_apt_bear_activity_gtr19.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_bluemashroom.yml b/rules/Sigma/win_apt_bluemashroom.yml
new file mode 100644
index 00000000..675748d9
--- /dev/null
+++ b/rules/Sigma/win_apt_bluemashroom.yml
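Review bot: The title names Judgement Panda while the description says `Detects Russian group activity` and the file is named `bear_activity`; Panda and Bear denote different attribution families, so title, description and group tagging should agree on one actor before this ships at `level: critical`. SELECTION_8 `CommandLine: '*\\\*'` stacks Sigma backslash escaping on the converter's wildcard wrapping, and whether a backend reads it as a literal `\\` (the UNC prefix) followed by a wildcard depends on its escape handling — worth confirming against a sample UNC-path command line.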
@@ -0,0 +1,32 @@
+title: BlueMashroom DLL Load
+author: Florian Roth
+date: 2019/10/02
+description: Detects a suspicious DLL loading from AppData Local path as described
+ in BlueMashroom report
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*\AppData\Local\\*'
+ SELECTION_3:
+ CommandLine: '*\regsvr32*'
+ SELECTION_4:
+ CommandLine: '*,DllEntry*'
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Unlikely
+id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1117
+- attack.t1218.010
+yml_filename: win_apt_bluemashroom.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_carbonpaper_turla.yml b/rules/Sigma/win_apt_carbonpaper_turla.yml
new file mode 100644
index 00000000..8e06f20f
--- /dev/null
+++ b/rules/Sigma/win_apt_carbonpaper_turla.yml
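Review bot: `falsepositives: - Unlikely` at `level: critical` is optimistic for this logic: SELECTION_2 `'*\AppData\Local\\*'` together with SELECTION_3 `'*\regsvr32*'` as bare substrings will also match per-user installers that register components under the user's local AppData. Either name the expected benign cases in `falsepositives` or tighten the branch, for example by requiring the `,DllEntry` export selection together with regsvr32 rather than as an alternative.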
@@ -0,0 +1,32 @@
+title: Turla Service Install
+author: Florian Roth
+date: 2017/03/31
+description: This method detects a service install of malicious services mentioned
+ in Carbon Paper - Turla report by ESET
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: srservice
+ SELECTION_3:
+ ServiceName: ipvpn
+ SELECTION_4:
+ ServiceName: hkmsvc
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- Unknown
+id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
+level: high
+logsource:
+ product: windows
+ service: system
+references:
+- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
+yml_filename: win_apt_carbonpaper_turla.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_chafer_mar18_security.yml b/rules/Sigma/win_apt_chafer_mar18_security.yml
new file mode 100644
index 00000000..0dab103b
--- /dev/null
+++ b/rules/Sigma/win_apt_chafer_mar18_security.yml
@@ -0,0 +1,42 @@
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 4698
+ SELECTION_2:
+ TaskName: SC Scheduled Scan
+ SELECTION_3:
+ TaskName: UpdatMachine
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: c0580559-a6bd-4ef6-b9b7-83703d98b561
+level: critical
+logsource:
+ product: windows
+ service: security
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+related:
+- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+ type: derived
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+yml_filename: win_apt_chafer_mar18_security.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_chafer_mar18_system.yml b/rules/Sigma/win_apt_chafer_mar18_system.yml
new file mode 100644
index 00000000..55c22608
--- /dev/null
+++ b/rules/Sigma/win_apt_chafer_mar18_system.yml
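Review bot: The tags block is copied verbatim between this rule and its derived sibling `win_apt_chafer_mar18_system.yml` (next hunk), so the 4698 scheduled-task rule carries service-creation techniques `attack.t1050`/`attack.t1543.003`, the 7045 service rule carries `attack.t1053`/`attack.t1053.005`, and both carry `attack.t1112` and `attack.t1071.004` that neither selection observes. Each rule should keep only the techniques its own selections detect. Whether `TaskName: SC Scheduled Scan` matches as an exact value also depends on how the backend records the 4698 task name (it commonly includes the task folder path), which is worth confirming with a sample event.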
@@ -0,0 +1,39 @@
+title: Chafer Activity
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2018/03/23
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
+ in March 2018
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: SC Scheduled Scan
+ SELECTION_3:
+ ServiceName: UpdatMachine
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+level: critical
+logsource:
+ product: windows
+ service: system
+modified: 2021/09/19
+references:
+- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+- attack.persistence
+- attack.g0049
+- attack.t1053
+- attack.t1053.005
+- attack.s0111
+- attack.t1050
+- attack.t1543.003
+- attack.defense_evasion
+- attack.t1112
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+yml_filename: win_apt_chafer_mar18_system.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_cloudhopper.yml b/rules/Sigma/win_apt_cloudhopper.yml
new file mode 100644
index 00000000..3f35033b
--- /dev/null
+++ b/rules/Sigma/win_apt_cloudhopper.yml
@@ -0,0 +1,34 @@
+title: WMIExec VBS Script
+author: Florian Roth
+date: 2017/04/07
+description: Detects suspicious file execution by wscript and cscript
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\cscript.exe'
+ SELECTION_3:
+ CommandLine: '*.vbs*'
+ SELECTION_4:
+ CommandLine: '*/shell*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unlikely
+fields:
+- CommandLine
+- ParentCommandLine
+id: 966e4016-627f-44f7-8341-f394905c361f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+- attack.execution
+- attack.g0045
+- attack.t1064
+- attack.t1059.005
+yml_filename: win_apt_cloudhopper.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_dragonfly.yml b/rules/Sigma/win_apt_dragonfly.yml
new file mode 100644
index 00000000..58c09c47
--- /dev/null
+++ b/rules/Sigma/win_apt_dragonfly.yml
@@ -0,0 +1,25 @@
+title: CrackMapExecWin
+author: Markus Neis
+date: 2018/04/08
+description: Detects CrackMapExecWin Activity as Described by NCSC
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\crackmapexec.exe'
+ condition: (SELECTION_1 and (SELECTION_2))
+falsepositives:
+- None
+id: 04d9079e-3905-4b70-ad37-6bdf11304965
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
+status: experimental
+tags:
+- attack.g0035
+yml_filename: win_apt_dragonfly.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_elise.yml b/rules/Sigma/win_apt_elise.yml
new file mode 100644
index 00000000..0591afa2
--- /dev/null
+++ b/rules/Sigma/win_apt_elise.yml
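Review bot: The description says `Detects suspicious file execution by wscript and cscript`, but SELECTION_2 only matches `Image: '*\cscript.exe'`; either add a wscript selection (`Image: '*\wscript.exe'`, OR'd with SELECTION_2) or narrow the description to cscript. `attack.t1064` is a retired technique id that the `attack.t1059.005` tag already present supersedes.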
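Review bot: The CrackMapExecWin rule is tagged only with the group id `attack.g0035` and carries no tactic or technique, unlike the other rules in this commit, so it cannot be routed by tactic; add `- attack.execution` and the technique the project attributes to the tool. `falsepositives: - None` also overstates an image-name match, since a renamed copy is missed and a legitimately used copy fires; `- Authorised penetration tests using the tool under its original name` is a more honest statement.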
@@ -0,0 +1,35 @@
+title: Elise Backdoor
+author: Florian Roth
+date: 2018/01/31
+description: Detects Elise backdoor acitivty as used by APT32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: C:\Windows\SysWOW64\cmd.exe
+ SELECTION_3:
+ CommandLine: '*\Windows\Caches\NavShExt.dll *'
+ SELECTION_4:
+ CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- Unknown
+id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/26
+references:
+- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
+status: experimental
+tags:
+- attack.g0030
+- attack.g0050
+- attack.s0081
+- attack.execution
+- attack.t1059
+- attack.t1059.003
+yml_filename: win_apt_elise.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_emissarypanda_sep19.yml b/rules/Sigma/win_apt_emissarypanda_sep19.yml
new file mode 100644
index 00000000..f0ad2622
--- /dev/null
+++ b/rules/Sigma/win_apt_emissarypanda_sep19.yml
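Review bot: `description: Detects Elise backdoor acitivty as used by APT32` has a typo (`acitivty` → `activity`). SELECTION_2 `Image: C:\Windows\SysWOW64\cmd.exe` is an exact, case-dependent full path while the other `Image` matches in this commit use a leading wildcard; if the backend compares case-sensitively, drive-letter or casing differences in the recorded image path will miss, so `Image: '*\SysWOW64\cmd.exe'` would be the more robust and consistent form.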
@@ -0,0 +1,32 @@
+title: Emissary Panda Malware SLLauncher
+author: Florian Roth
+date: 2018/09/03
+description: Detects the execution of DLL side-loading malware used by threat group
+ Emissary Panda aka APT27
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\sllauncher.exe'
+ SELECTION_3:
+ Image: '*\svchost.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
+- https://twitter.com/cyb3rops/status/1168863899531132929
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1073
+- attack.t1574.002
+yml_filename: win_apt_emissarypanda_sep19.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_empiremonkey.yml b/rules/Sigma/win_apt_empiremonkey.yml
new file mode 100644
index 00000000..7d0922e0
--- /dev/null
+++ b/rules/Sigma/win_apt_empiremonkey.yml
@@ -0,0 +1,31 @@
+title: Empire Monkey
+author: Markus Neis
+date: 2019/04/02
+description: Detects EmpireMonkey APT reported Activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*/i:%APPDATA%\logs.txt scrobj.dll'
+ SELECTION_3:
+ Image: '*\cutil.exe'
+ SELECTION_4:
+ Description: Microsoft(C) Registerserver
+ condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Very Unlikely
+id: 10152a7b-b566-438f-a33c-390b607d1c8d
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
+tags:
+- attack.defense_evasion
+- attack.t1218.010
+- attack.t1117
+yml_filename: win_apt_empiremonkey.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
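Review bot: The Emissary Panda description calls this DLL side-loading, but what the selections observe is a parent/child relationship (`ParentImage: '*\sllauncher.exe'` spawning `Image: '*\svchost.exe'`), not a DLL load; a one-line addition to the description that the side-loaded DLL is inferred from the launcher (apparently the Silverlight launcher) spawning svchost would help analysts interpret the alert. `attack.t1073` is the retired id for what `attack.t1574.002` already tags.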
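Review bot: In the Empire Monkey rule, SELECTION_4 `Description: Microsoft(C) Registerserver` depends on a file-description field being present in the process_creation event, which only some event sources populate, so on sources without it the `(SELECTION_3 or SELECTION_4)` branch silently reduces to the `'*\cutil.exe'` image name; the description or logsource should state that dependency. That description string appears to be the one regsvr32 carries, which is what makes this a renamed-binary detection and is worth saying in the description.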
diff --git a/rules/Sigma/win_apt_equationgroup_dll_u_load.yml b/rules/Sigma/win_apt_equationgroup_dll_u_load.yml
new file mode 100644
index 00000000..f36e3bc7
--- /dev/null
+++ b/rules/Sigma/win_apt_equationgroup_dll_u_load.yml
@@ -0,0 +1,34 @@
+title: Equation Group DLL_U Load
+author: Florian Roth
+date: 2019/03/04
+description: Detects a specific tool and export used by EquationGroup
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\rundll32.exe'
+ SELECTION_3:
+ CommandLine: '*,dll_u'
+ SELECTION_4:
+ CommandLine: '* -export dll_u *'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- Unknown
+id: d465d1d8-27a2-4cca-9621-a800f37cf72e
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+- https://securelist.com/apt-slingshot/84312/
+- https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+- attack.g0020
+- attack.defense_evasion
+- attack.t1085
+- attack.t1218.011
+yml_filename: win_apt_equationgroup_dll_u_load.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_evilnum_jul20.yml b/rules/Sigma/win_apt_evilnum_jul20.yml
new file mode 100644
index 00000000..812411c4
--- /dev/null
+++ b/rules/Sigma/win_apt_evilnum_jul20.yml
@@ -0,0 +1,39 @@
+title: EvilNum Golden Chickens Deployment via OCX Files
+author: Florian Roth
+date: 2020/07/10
+description: Detects Golden Chickens deployment method as used by Evilnum in report
+ published in July 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*regsvr32*'
+ SELECTION_3:
+ CommandLine: '*/s*'
+ SELECTION_4:
+ CommandLine: '*/i*'
+ SELECTION_5:
+ CommandLine: '*\AppData\Roaming\\*'
+ SELECTION_6:
+ CommandLine: '*.ocx*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
+ and SELECTION_6)
+falsepositives:
+- Unknown
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+- https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1085
+- attack.t1218.011
+yml_filename: win_apt_evilnum_jul20.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_gallium.yml b/rules/Sigma/win_apt_gallium.yml
new file mode 100644
index 00000000..b90e46ec
--- /dev/null
+++ b/rules/Sigma/win_apt_gallium.yml
@@ -0,0 +1,45 @@
+title: GALLIUM Artefacts
+author: Tim Burrell
+date: 2020/02/07
+description: Detects artefacts associated with activity group GALLIUM - Microsoft
+ Threat Intelligence Center indicators released in December 2019.
+detection:
+ SELECTION_1:
+ EventID: 257
+ SELECTION_2:
+ QNAME: asyspy256.ddns.net
+ SELECTION_3:
+ QNAME: hotkillmail9sddcc.ddns.net
+ SELECTION_4:
+ QNAME: rosaf112.ddns.net
+ SELECTION_5:
+ QNAME: cvdfhjh1231.myftp.biz
+ SELECTION_6:
+ QNAME: sz2016rose.ddns.net
+ SELECTION_7:
+ QNAME: dffwescwer4325.myftp.biz
+ SELECTION_8:
+ QNAME: cvdfhjh1231.ddns.net
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8))
+falsepositives:
+- unknown
+id: 3db10f25-2527-4b79-8d4b-471eb900ee29
+level: high
+logsource:
+ product: windows
+ service: dns-server
+modified: 2021/09/19
+references:
+- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+related:
+- id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: experimental
+tags:
+- attack.credential_access
+- attack.command_and_control
+yml_filename: win_apt_gallium.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_greenbug_may20.yml b/rules/Sigma/win_apt_greenbug_may20.yml
new file mode 100644
index 00000000..a7463d71
--- /dev/null
+++ b/rules/Sigma/win_apt_greenbug_may20.yml
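Review bot: EventID 257 is a DNS Server analytical-log event and that log is not enabled by default (the dn800669 reference in the rule describes turning it on), so the description should state the prerequisite or the rule silently never fires. The seven QNAME values are dynamic-DNS hostnames tied to the December 2019 indicator release, so a note that they are point-in-time IoCs rather than behavioural detection would help tuning, and the tags carry tactics only with no technique id.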
@@ -0,0 +1,79 @@
+title: Greenbug Campaign Indicators
+author: Florian Roth
+date: 2020/05/20
+description: Detects tools and process executions as observed in a Greenbug campaign
+ in May 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*[Net.CredentialCache]::DefaultCredentials;IEX *'
+ SELECTION_11:
+ CommandLine: '* -nop -w hidden -c $m=new-object net.webclient;$m*'
+ SELECTION_12:
+ CommandLine: '*-noninteractive -executionpolicy bypass whoami*'
+ SELECTION_13:
+ CommandLine: '*-noninteractive -executionpolicy bypass netstat -a*'
+ SELECTION_14:
+ CommandLine: '*L3NlcnZlcj1*'
+ SELECTION_15:
+ Image: '*\adobe\Adobe.exe'
+ SELECTION_16:
+ Image: '*\oracle\local.exe'
+ SELECTION_17:
+ Image: '*\revshell.exe'
+ SELECTION_18:
+ Image: '*infopagesbackup\ncat.exe'
+ SELECTION_19:
+ Image: '*CSIDL_SYSTEM\cmd.exe'
+ SELECTION_2:
+ CommandLine: '*bitsadmin*'
+ SELECTION_20:
+ Image: '*\programdata\oracle\java.exe'
+ SELECTION_21:
+ Image: '*CSIDL_COMMON_APPDATA\comms\comms.exe'
+ SELECTION_22:
+ Image: '*\Programdata\VMware\Vmware.exe'
+ SELECTION_3:
+ CommandLine: '*/transfer*'
+ SELECTION_4:
+ CommandLine: '*CSIDL_APPDATA*'
+ SELECTION_5:
+ CommandLine: '*CSIDL_SYSTEM_DRIVE*'
+ SELECTION_6:
+ CommandLine: '*\msf.ps1*'
+ SELECTION_7:
+ CommandLine: '*8989 -e cmd.exe*'
+ SELECTION_8:
+ CommandLine: '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
+ SELECTION_9:
+ CommandLine: '*-nop -w hidden -c $k=new-object*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
+ (SELECTION_5) or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9
+ or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)
+ or (SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
+ or SELECTION_20 or SELECTION_21 or SELECTION_22)))
+falsepositives:
+- Unknown
+id: 3711eee4-a808-4849-8a14-faf733da3612
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/09/21
+references:
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+status: experimental
+tags:
+- attack.g0049
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.command_and_control
+- attack.t1105
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.005
+yml_filename: win_apt_greenbug_may20.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_hafnium.yml b/rules/Sigma/win_apt_hafnium.yml
new file mode 100644
index 00000000..838c72df
--- /dev/null
+++ b/rules/Sigma/win_apt_hafnium.yml
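Review bot: SELECTION_4 `'*CSIDL_APPDATA*'`, SELECTION_5 `'*CSIDL_SYSTEM_DRIVE*'`, SELECTION_19 `'*CSIDL_SYSTEM\cmd.exe'` and SELECTION_21 `'*CSIDL_COMMON_APPDATA\comms\comms.exe'` copy the `CSIDL_*` known-folder placeholders used in the Symantec write-up; those tokens are unlikely to appear literally in a recorded CommandLine or Image, so these branches — including the standalone `(SELECTION_5)` term in the condition — look dead. Replace them with the resolved path fragments (for instance `'*\AppData\Roaming\\*'`, `'*\Windows\System32\cmd.exe'`, `'*\ProgramData\comms\comms.exe'`) or drop them. The hunk is split across two physical lines here; the condition is on the first.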
@@ -0,0 +1,97 @@
+title: Exchange Exploitation Activity
+author: Florian Roth
+date: 2021/03/09
+description: Detects activity observed by different researchers to be HAFNIUM group
+ activity (or related) on Exchange servers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*Temp\__output*'
+ SELECTION_11:
+ CommandLine: '*%TEMP%\execute.bat*'
+ SELECTION_12:
+ Image: '*Users\Public\opera\Opera_browser.exe'
+ SELECTION_13:
+ Image: '*Opera_browser.exe'
+ SELECTION_14:
+ ParentImage: '*\services.exe'
+ SELECTION_15:
+ ParentImage: '*\svchost.exe'
+ SELECTION_16:
+ Image: '*\ProgramData\VSPerfMon\\*'
+ SELECTION_17:
+ CommandLine: '* -t7z *'
+ SELECTION_18:
+ CommandLine: '*C:\Programdata\pst*'
+ SELECTION_19:
+ CommandLine: '*\it.zip*'
+ SELECTION_2:
+ CommandLine: '*attrib*'
+ SELECTION_20:
+ Image: '*\makecab.exe'
+ SELECTION_21:
+ CommandLine: '*Microsoft\Exchange Server\\*'
+ SELECTION_22:
+ CommandLine: '*inetpub\wwwroot*'
+ SELECTION_23:
+ CommandLine: '*\Temp\xx.bat*'
+ SELECTION_24:
+ CommandLine: '*Windows\WwanSvcdcs*'
+ SELECTION_25:
+ CommandLine: '*Windows\Temp\cw.exe*'
+ SELECTION_26:
+ CommandLine: '*\comsvcs.dll*'
+ SELECTION_27:
+ CommandLine: '*Minidump*'
+ SELECTION_28:
+ CommandLine: '*\inetpub\wwwroot*'
+ SELECTION_29:
+ CommandLine: '*dsquery*'
+ SELECTION_3:
+ CommandLine: '* +h *'
+ SELECTION_30:
+ CommandLine: '* -uco *'
+ SELECTION_31:
+ CommandLine: '*\inetpub\wwwroot*'
+ SELECTION_4:
+ CommandLine: '* +s *'
+ SELECTION_5:
+ CommandLine: '* +r *'
+ SELECTION_6:
+ CommandLine: '*.aspx*'
+ SELECTION_7:
+ CommandLine: '*schtasks*'
+ SELECTION_8:
+ CommandLine: '*VSPerfMon*'
+ SELECTION_9:
+ CommandLine: '*vssadmin list shadows*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and
+ SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
+ and SELECTION_10) or SELECTION_11 or SELECTION_12 or (SELECTION_13 and (SELECTION_14
+ or SELECTION_15)) or SELECTION_16 or (SELECTION_17 and SELECTION_18 and SELECTION_19)
+ or (SELECTION_20 and (SELECTION_21 or SELECTION_22)) or (SELECTION_23 or SELECTION_24
+ or SELECTION_25) or (SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29
+ and SELECTION_30 and SELECTION_31)))
+falsepositives:
+- Unknown
+id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/03/16
+references:
+- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
+- https://twitter.com/BleepinComputer/status/1372218235949617161
+status: experimental
+tags:
+- attack.persistence
+- attack.t1546
+- attack.t1053
+yml_filename: win_apt_hafnium.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_hurricane_panda.yml b/rules/Sigma/win_apt_hurricane_panda.yml
new file mode 100644
index 00000000..3f167041
--- /dev/null
+++ b/rules/Sigma/win_apt_hurricane_panda.yml
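Review bot: SELECTION_28 and SELECTION_31 are both `CommandLine: '*\inetpub\wwwroot*'` and SELECTION_22 is the same string without the leading backslash, while SELECTION_12 `'*Users\Public\opera\Opera_browser.exe'` is subsumed by SELECTION_13 `'*Opera_browser.exe'`; the converter's one-selection-per-list numbering produced duplicates that could be a single selection referenced from each branch. The tags (`attack.persistence`, `attack.t1546`, `attack.t1053`) describe only the schtasks branch, whereas the `\comsvcs.dll` + `Minidump` branch is credential dumping and the `-t7z`/`makecab` branches are collection and staging, so adding `- attack.credential_access` and `- attack.t1003.001` (and a collection tag) would make triage accurate. The hunk is split across two physical lines; the condition straddles the break.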
@@ -0,0 +1,34 @@
+title: Hurricane Panda Activity
+author: Florian Roth
+date: 2019/03/04
+description: Detects Hurricane Panda Activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*localgroup*'
+ SELECTION_3:
+ CommandLine: '*admin*'
+ SELECTION_4:
+ CommandLine: '*/add*'
+ SELECTION_5:
+ CommandLine: '*\Win64.exe*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or
+ (SELECTION_5)))
+falsepositives:
+- Unknown
+id: 0eb2107b-a596-422e-b123-b389d5594ed7
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.g0009
+- attack.t1068
+yml_filename: win_apt_hurricane_panda.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_judgement_panda_gtr19.yml b/rules/Sigma/win_apt_judgement_panda_gtr19.yml
new file mode 100644
index 00000000..d60a1999
--- /dev/null
+++ b/rules/Sigma/win_apt_judgement_panda_gtr19.yml
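Review bot: The first branch `(SELECTION_2 and SELECTION_3 and SELECTION_4)` is only `localgroup`, `admin` and `/add` as substrings, i.e. the ordinary `net localgroup administrators <user> /add` that any administrator runs; attributing that to `attack.g0009` with `falsepositives: - Unknown` at `level: high` will mislead triage. Either document in `falsepositives` that legitimate local-admin group additions match, or keep only the campaign-specific `'*\Win64.exe*'` branch under the group attribution and move the generic branch to a separate account-manipulation rule.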
@@ -0,0 +1,50 @@
+title: Judgement Panda Exfil Activity
+author: Florian Roth
+date: 2019/02/21
+description: Detects Judgement Panda activity as described in Global Threat Report
+ 2019 by Crowdstrike
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ Image: C:\Users\Public\7za.exe
+ SELECTION_2:
+ CommandLine: '*eprod.ldf'
+ SELECTION_3:
+ CommandLine: '*\ldifde.exe -f -n *'
+ SELECTION_4:
+ CommandLine: '*\7za.exe a 1.7z *'
+ SELECTION_5:
+ CommandLine: '*\aaaa\procdump64.exe*'
+ SELECTION_6:
+ CommandLine: '*\aaaa\netsess.exe*'
+ SELECTION_7:
+ CommandLine: '*\aaaa\7za.exe*'
+ SELECTION_8:
+ CommandLine: '*copy .\1.7z \\*'
+ SELECTION_9:
+ CommandLine: '*copy \\client\c$\aaaa\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) or SELECTION_10))
+falsepositives:
+- unknown
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/27
+references:
+- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+tags:
+- attack.lateral_movement
+- attack.g0010
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.exfiltration
+- attack.t1002
+- attack.t1560.001
+yml_filename: win_apt_judgement_panda_gtr19.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_ke3chang_regadd.yml b/rules/Sigma/win_apt_ke3chang_regadd.yml
new file mode 100644
index 00000000..b49cc019
--- /dev/null
+++ b/rules/Sigma/win_apt_ke3chang_regadd.yml
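Review bot: `attack.g0010` is also used by `win_apt_carbonpaper_turla.yml` earlier in this commit for Turla, so the same ATT&CK group id is attached to two different actors and at least one is wrong; G0010 is Turla, so this rule's group tag should be the id the project uses for Judgement Panda, or be omitted. SELECTION_10 `Image: C:\Users\Public\7za.exe` is an exact path unlike the other `Image` matches, so `Image: '*\Users\Public\7za.exe'` would be consistent and tolerant of drive-letter differences.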
@@ -0,0 +1,34 @@
+title: Ke3chang Registry Key Modifications
+author: Markus Neis, Swisscom
+date: 2020/06/18
+description: Detects Registry modifications performed by Ke3chang malware in campaigns
+ running in 2019 and 2020
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*-Property DWORD -name DisableFirstRunCustomize -value 2 -Force*'
+ SELECTION_3:
+ CommandLine: '*-Property String -name Check_Associations -value*'
+ SELECTION_4:
+ CommandLine: '*-Property DWORD -name IEHarden -value 0 -Force*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- Will need to be looked for combinations of those processes
+id: 7b544661-69fc-419f-9a59-82ccc328f205
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
+- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+status: experimental
+tags:
+- attack.g0004
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: win_apt_ke3chang_regadd.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_lazarus_activity_apr21.yml b/rules/Sigma/win_apt_lazarus_activity_apr21.yml
new file mode 100644
index 00000000..d0ff9a91
--- /dev/null
+++ b/rules/Sigma/win_apt_lazarus_activity_apr21.yml
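Review bot: `falsepositives: - Will need to be looked for combinations of those processes` does not tell an analyst what benign activity looks like; suggest `- Provisioning or hardening scripts that legitimately set the DisableFirstRunCustomize, Check_Associations or IEHarden registry values`. The three patterns appear to be PowerShell property-setting argument fragments, so the rule is really looking for those specific Internet Explorer values being written from a command line, and saying so in the description helps when it fires on such scripts.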
@@ -0,0 +1,38 @@
+title: Lazarus Activity
+author: Bhabesh Raj
+date: 2021/04/20
+description: Detects different process creation events as described in Malwarebytes's
+ threat report on Lazarus group activity
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*mshta*'
+ SELECTION_3:
+ CommandLine: '*.zip*'
+ SELECTION_4:
+ ParentImage: C:\Windows\System32\wbem\wmiprvse.exe
+ SELECTION_5:
+ Image: C:\Windows\System32\mshta.exe
+ SELECTION_6:
+ ParentImage: '*:\Users\Public\\*'
+ SELECTION_7:
+ Image: C:\Windows\System32\rundll32.exe
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or ((SELECTION_4) and
+ (SELECTION_5)) or ((SELECTION_6) and (SELECTION_7))))
+falsepositives:
+- Should not be any false positives
+id: 4a12fa47-c735-4032-a214-6fab5b120670
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
+status: experimental
+tags:
+- attack.g0032
+yml_filename: win_apt_lazarus_activity_apr21.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_lazarus_activity_dec20.yml b/rules/Sigma/win_apt_lazarus_activity_dec20.yml
new file mode 100644
index 00000000..8de42e26
--- /dev/null
+++ b/rules/Sigma/win_apt_lazarus_activity_dec20.yml
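Review bot: `falsepositives: - Should not be any false positives` overstates what the logic supports: the first branch is just `*mshta*` and `*.zip*` anywhere in the same command line, and the third is any `rundll32.exe` whose parent runs from `\Users\Public\`, both of which occur in benign software deployment. Suggest `- Legitimate mshta or rundll32 invocations that reference archives or run from Users\Public` so the analyst knows what to rule out; the exact `ParentImage`/`Image` paths in SELECTION_4, 5 and 7 are also case- and drive-dependent where the other rules use a leading wildcard.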
@@ -0,0 +1,46 @@ +title: Lazarus Activity +author: Florian Roth +date: 2020/12/23 +description: Detects different process creation events as described in various threat + reports on Lazarus group activity +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*.255 10 C:\ProgramData\\*' + SELECTION_2: + CommandLine: '*reg.exe save hklm\sam %temp%\~reg_sam.save*' + SELECTION_3: + CommandLine: '*1q2w3e4r@#$@#$@#$*' + SELECTION_4: + CommandLine: '* -hp1q2w3e4 *' + SELECTION_5: + CommandLine: '*.dat data03 10000 -p *' + SELECTION_6: + CommandLine: '*process call create*' + SELECTION_7: + CommandLine: '* > %temp%\~*' + SELECTION_8: + CommandLine: '*netstat -aon | find *' + SELECTION_9: + CommandLine: '* > %temp%\~*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10))) +falsepositives: +- Overlap with legitimate process activity in some cases (especially selection 3 and + 4) +id: 24c4d154-05a4-4b99-b57d-9b977472443a +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/06/27 +references: +- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ +- https://www.hvs-consulting.de/lazarus-report/ +status: experimental +tags: +- attack.g0032 +yml_filename: win_apt_lazarus_activity_dec20.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_lazarus_loader.yml b/rules/Sigma/win_apt_lazarus_loader.yml new file mode 100644 index 00000000..e19c0317 --- /dev/null +++ b/rules/Sigma/win_apt_lazarus_loader.yml 
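Review bot: The falsepositives entry `especially selection 3 and 4` no longer points at the right selections after conversion: `SELECTION_3` and `SELECTION_4` here are the hard-coded archive passwords (`1q2w3e4r@#$@#$@#$`, `-hp1q2w3e4`), the least FP-prone patterns in the rule, while the generic `process call create` + `> %temp%\~` and `netstat -aon | find` + `> %temp%\~` pairs (SELECTION_6–9) are the ones that overlap with admin activity. Rewording it to name the redirect/netstat combinations keeps the hint useful. `SELECTION_7` and `SELECTION_9` are byte-identical (`'* > %temp%\~*'`); keep one and write the condition as `(SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_7)` so the two copies cannot drift apart in later tuning.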
@@ -0,0 +1,52 @@ +title: Lazarus Loaders +author: Florian Roth, wagga +date: 2020/12/23 +description: Detects different loaders as described in various threat reports on Lazarus + group activity +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*.dat,*' + SELECTION_11: + CommandLine: '*.io,*' + SELECTION_12: + CommandLine: '*.ini,*' + SELECTION_13: + CommandLine: '*.db,*' + SELECTION_2: + CommandLine: '*cmd.exe /c *' + SELECTION_3: + CommandLine: '* -p 0x*' + SELECTION_4: + CommandLine: '*C:\ProgramData\\*' + SELECTION_5: + CommandLine: '*C:\RECYCLER\\*' + SELECTION_6: + CommandLine: '*rundll32.exe *' + SELECTION_7: + CommandLine: '*C:\ProgramData\\*' + SELECTION_8: + CommandLine: '*.bin,*' + SELECTION_9: + CommandLine: '*.tmp,*' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and (SELECTION_4 or + SELECTION_5)) or (SELECTION_6 and SELECTION_7 and (SELECTION_8 or SELECTION_9 + or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13)))) +falsepositives: +- unknown +id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/06/27 +references: +- https://www.hvs-consulting.de/lazarus-report/ +- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ +status: experimental +tags: +- attack.g0032 +yml_filename: win_apt_lazarus_loader.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_lazarus_session_highjack.yml b/rules/Sigma/win_apt_lazarus_session_highjack.yml new file mode 100644 index 00000000..45296a64 --- /dev/null +++ b/rules/Sigma/win_apt_lazarus_session_highjack.yml 
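Review bot: `SELECTION_4` and `SELECTION_7` are identical (`'*C:\ProgramData\\*'`), so the rundll32 branch can reuse SELECTION_4 and SELECTION_7 can be deleted; duplicated selections are the usual source of half-applied tuning later. The first branch (`cmd.exe /c` + ` -p 0x` + ProgramData/RECYCLER) will also fire at `level: critical` for any tool run from ProgramData via cmd.exe that takes a hex `-p` argument, so `falsepositives: unknown` could at least name that case. `SELECTION_8`–`SELECTION_13` (`'*.bin,*'`, `'*.tmp,*'`, …) are contains-matches on `<ext>,` anywhere in the command line; pairing them with `'*rundll32.exe *'` is what keeps them meaningful, so that AND must not be loosened if the rule is reworked.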
@@ -0,0 +1,35 @@ +title: Lazarus Session Highjacker +author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) +date: 2020/06/03 +description: Detects executables launched outside their default directories as used + by Lazarus Group (Bluenoroff) +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\msdtc.exe' + SELECTION_3: + Image: '*\gpvc.exe' + SELECTION_4: + Image: C:\Windows\System32\\* + SELECTION_5: + Image: C:\Windows\SysWOW64\\* + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and not ((SELECTION_4 + or SELECTION_5))) +falsepositives: +- unknown +id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b +level: high +logsource: + category: process_creation + product: windows +references: +- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf +status: experimental +tags: +- attack.defense_evasion +- attack.t1036 +- attack.t1036.005 +yml_filename: win_apt_lazarus_session_highjack.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_mustangpanda.yml b/rules/Sigma/win_apt_mustangpanda.yml new file mode 100644 index 00000000..fc0c5ba8 --- /dev/null +++ b/rules/Sigma/win_apt_mustangpanda.yml 
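Review bot: The exclusion in `SELECTION_4`/`SELECTION_5` is pinned to the literal `C:\Windows\System32\` and `C:\Windows\SysWOW64\` prefixes, so on a host whose system drive is not C: (or, if the engine is case-sensitive, where `Image` is logged in a different case) every legitimate msdtc.exe start fires at `level: high`. Prefix-agnostic patterns, `'*\Windows\System32\\*'` and `'*\Windows\SysWOW64\\*'`, keep the intent of "outside its default directory" without the drive-letter assumption. Separately, the title (and filename) spelling `Highjacker` should be `Hijacker`.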
@@ -0,0 +1,48 @@ +title: Mustang Panda Dropper +author: Florian Roth, oscd.community +date: 2019/10/30 +description: Detects specific process parameters as used by Mustang Panda droppers +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + Image: '*Temp\winwsh.exe' + SELECTION_2: + CommandLine: '*Temp\wtask.exe /create*' + SELECTION_3: + CommandLine: '*%windir:~-3,1%%PUBLIC:~-9,1%*' + SELECTION_4: + CommandLine: '*/tn "Security Script *' + SELECTION_5: + CommandLine: '*%windir:~-1,1%*' + SELECTION_6: + CommandLine: '*/E:vbscript*' + SELECTION_7: + CommandLine: '*C:\Users\\*' + SELECTION_8: + CommandLine: '*.txt*' + SELECTION_9: + CommandLine: '*/F*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5) + or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9) or SELECTION_10)) +falsepositives: +- Unlikely +fields: +- CommandLine +- ParentCommandLine +id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00 +level: high +logsource: + category: process_creation + product: windows +references: +- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ +- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/ +- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations +status: experimental +tags: +- attack.t1587.001 +- attack.resource_development +yml_filename: win_apt_mustangpanda.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_revil_kaseya.yml b/rules/Sigma/win_apt_revil_kaseya.yml new file mode 100644 index 00000000..4201e90a --- /dev/null +++ b/rules/Sigma/win_apt_revil_kaseya.yml 
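Review bot: In the four-way AND branch, `SELECTION_9` `'*/F*'` is a two-character substring that also occurs in URLs and paths such as `/Foo`, and `SELECTION_8` `'*.txt*'` matches any .txt anywhere, so the branch effectively reduces to "VBScript (`/E:vbscript`) run from a user profile"; that is still a reasonable indicator, but it belongs in `falsepositives` rather than `Unlikely`. The tags `attack.t1587.001` / `attack.resource_development` describe malware development, not the execution this rule observes; `attack.execution` with `attack.t1059.005` (VBScript) and `attack.t1053.005` for the `wtask.exe /create` / `/tn "Security Script` branch fit the detection. `SELECTION_3` and `SELECTION_5` rely on the unexpanded `%windir:~-3,1%` substring syntax surviving into the logged command line, which holds for Sysmon but not for feeds that record the expanded string — worth a sentence in `description`.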
@@ -0,0 +1,60 @@ +title: REvil Kaseya Incident Malware Patterns +author: Florian Roth +date: 2021/07/03 +description: Detects process command line patterns and locations used by REvil group + in Kaseya incident (can also match on other malware) +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*c:\kworking1\agent.crt*' + SELECTION_11: + Image: C:\Windows\MsMpEng.exe + SELECTION_12: + Image: C:\Windows\cert.exe + SELECTION_13: + Image: C:\kworking\agent.exe + SELECTION_14: + Image: C:\kworking1\agent.exe + SELECTION_2: + CommandLine: '*C:\Windows\cert.exe*' + SELECTION_3: + CommandLine: '*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem + $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess + Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled*' + SELECTION_4: + CommandLine: '*del /q /f c:\kworking\agent.crt*' + SELECTION_5: + CommandLine: '*Kaseya VSA Agent Hot-fix*' + SELECTION_6: + CommandLine: '*\AppData\Local\Temp\MsMpEng.exe*' + SELECTION_7: + CommandLine: '*rmdir /s /q %SystemDrive%\inetpub\logs*' + SELECTION_8: + CommandLine: '*del /s /q /f %SystemDrive%\\*.log*' + SELECTION_9: + CommandLine: '*c:\kworking1\agent.exe*' + condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10) + and (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)) +falsepositives: +- Unknown +id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5 +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/07/05 +references: +- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers +- https://www.joesandbox.com/analysis/443736/0/html +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- 
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ +- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/ +status: experimental +tags: +- attack.execution +- attack.g0115 +yml_filename: win_apt_revil_kaseya.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_slingshot.yml b/rules/Sigma/win_apt_slingshot.yml new file mode 100644 index 00000000..cae98618 --- /dev/null +++ b/rules/Sigma/win_apt_slingshot.yml @@ -0,0 +1,31 @@ +title: Defrag Deactivation +author: Florian Roth, Bartlomiej Czyz (@bczyz1) +date: 2019/03/04 +description: Detects the deactivation and disabling of the Scheduled defragmentation + task as seen by Slingshot APT group +detection: + SELECTION_1: + EventID: 4701 + SELECTION_2: + TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 +level: medium +logsource: + definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' + product: windows + service: security +modified: 2021/09/19 +references: +- https://securelist.com/apt-slingshot/84312/ +related: +- id: 958d81aa-8566-4cea-a565-59ccd4df27b0 + type: derived +tags: +- attack.persistence +- attack.s0111 +yml_filename: win_apt_slingshot.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_apt_sofacy.yml b/rules/Sigma/win_apt_sofacy.yml new file mode 100644 index 00000000..af1ebff6 --- /dev/null +++ b/rules/Sigma/win_apt_sofacy.yml 
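Review bot: The condition ANDs the command-line group (SELECTION_2–10) with the image group (SELECTION_11–14), which makes most of the listed indicators unreachable: `Set-MpPreference -DisableRealtimeMonitoring …` (SELECTION_3) runs under powershell.exe, and `del /q /f c:\kworking\agent.crt`, `rmdir /s /q %SystemDrive%\inetpub\logs` and `del /s /q /f %SystemDrive%\*.log` run under cmd.exe — none of which is in SELECTION_11–14, so those events can never match. The image list reads as an independent set of hits (the dropped MsMpEng.exe/cert.exe copies and the agent.exe stages), so the two groups were presumably meant to be OR-ed: `condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10) or (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14)))`. Please confirm against the upstream Sigma rule before merging, since the hunk alone does not show the author's intent.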
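Review bot: The description promises detection of "deactivation and disabling" of the ScheduledDefrag task, but only 4701 (task disabled) is selected; deleting the task (4699) stops defragmentation just as effectively and is not covered, so if deletion is in scope use a list, `EventID: [4699, 4701]`, with the same `TaskName`. The `definition` correctly names the audit subcategory, but "Other Object Access Events" is off by default, so `description` or `falsepositives` should say that silence from this rule is not evidence of absence. The `related:` entry (`958d81aa-…`, type `derived`) presumably covers the command-line form of the same action; naming it in the description helps analysts correlate the two.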
@@ -0,0 +1,42 @@ +title: Sofacy Trojan Loader Activity +author: Florian Roth, Jonhnathan Ribeiro, oscd.community +date: 2018/03/01 +description: Detects Trojan loader acitivty as used by APT28 +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*rundll32.exe*' + SELECTION_3: + CommandLine: '*%APPDATA%\\*' + SELECTION_4: + CommandLine: '*.dat",*' + SELECTION_5: + CommandLine: '*.dll",#1' + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and (SELECTION_4 or + SELECTION_5)) +falsepositives: +- Unknown +id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 +level: critical +logsource: + category: process_creation + product: windows +modified: 2020/11/28 +references: +- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ +- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100 +- https://twitter.com/ClearskySec/status/960924755355369472 +status: experimental +tags: +- attack.g0007 +- attack.execution +- attack.t1059 +- attack.t1059.003 +- attack.defense_evasion +- attack.t1085 +- car.2013-10-002 +- attack.t1218.011 +yml_filename: win_apt_sofacy.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_stonedrill.yml b/rules/Sigma/win_apt_stonedrill.yml new file mode 100644 index 00000000..aaa03e5c --- /dev/null +++ b/rules/Sigma/win_apt_stonedrill.yml 
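Review bot: `SELECTION_3` requires the literal, unexpanded `%APPDATA%` in the command line; Sysmon logs the command line as the process received it, so a loader invoked with an already-expanded `C:\Users\<u>\AppData\Roaming\…` path (for example from a scheduled task or script that expands variables first) leaves the same `rundll32 "…\x.dat",#1` footprint but does not match. Adding `CommandLine: '*\AppData\Roaming\\*'` as an alternative and writing `(SELECTION_3 or SELECTION_3b)` keeps the rule's intent. The end-anchored `'*.dll",#1'` in `SELECTION_5` also fails on any trailing argument or whitespace; `'*.dll",#1*'` is safer and costs no precision. `description` has a typo: `acitivty` → `activity`.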
@@ -0,0 +1,30 @@ +title: StoneDrill Service Install +author: Florian Roth +date: 2017/03/07 +description: This method detects a service install of the malicious Microsoft Network + Realtime Inspection Service service described in StoneDrill report by Kaspersky +detection: + SELECTION_1: + EventID: 7045 + SELECTION_2: + ServiceName: NtsSrv + SELECTION_3: + ServiceFileName: '* LocalService' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unlikely +id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 +level: high +logsource: + product: windows + service: system +references: +- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ +tags: +- attack.persistence +- attack.g0064 +- attack.t1050 +- attack.t1543.003 +yml_filename: win_apt_stonedrill.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_apt_ta17_293a_ps.yml b/rules/Sigma/win_apt_ta17_293a_ps.yml new file mode 100644 index 00000000..90437f54 --- /dev/null +++ b/rules/Sigma/win_apt_ta17_293a_ps.yml @@ -0,0 +1,30 @@ +title: Ps.exe Renamed SysInternals Tool +author: Florian Roth +date: 2017/10/22 +description: Detects renamed SysInternals tool execution with a binary named ps.exe + as used by Dragonfly APT group and documented in TA17-293A report +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: ps.exe -accepteula + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Renamed SysInternals tool +id: 18da1007-3f26-470f-875d-f77faf1cab31 +level: high +logsource: + category: process_creation + product: windows +modified: 2020/08/27 +references: +- https://www.us-cert.gov/ncas/alerts/TA17-293A +tags: +- attack.defense_evasion +- attack.g0035 +- attack.t1036 +- attack.t1036.003 +- car.2013-05-009 +yml_filename: win_apt_ta17_293a_ps.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + 
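Review bot: `SELECTION_3` `ServiceFileName: '* LocalService'` also matches the stock `svchost.exe -k LocalService` image path that many built-in services install with, so it adds almost no discrimination; the rule is effectively `ServiceName: NtsSrv`, a value the attacker can change at will. That is acceptable for a report-fidelity rule at `level: high`, but the description should say that the name is the only real indicator, and the rule would benefit from a `status:` key like its siblings. The phrase "Microsoft Network Realtime Inspection Service service" repeats "service".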
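Review bot: `SELECTION_2` `CommandLine: ps.exe -accepteula` has no wildcards, so it only fires when the whole command line is exactly that string; an invocation with a fully-qualified path, or with the target host and command that a PsExec-style tool takes after `-accepteula` (which, as I recall the TA17-293A report, is how it was used), is missed. A contains pattern, `CommandLine: '*ps.exe -accepteula*'`, or an `Image: '*\ps.exe'` selection ANDed with `CommandLine: '*-accepteula*'`, catches the renamed tool regardless of its arguments. `falsepositives: Renamed SysInternals tool` describes the true positive, not a false one; something like `Administrators who rename PsExec to ps.exe` is what is meant.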
diff --git a/rules/Sigma/win_apt_ta505_dropper.yml b/rules/Sigma/win_apt_ta505_dropper.yml
new file mode 100644
index 00000000..cf68abca
--- /dev/null
+++ b/rules/Sigma/win_apt_ta505_dropper.yml
@@ -0,0 +1,29 @@
+title: TA505 Dropper Load Pattern
+author: Florian Roth
+date: 2020/12/08
+description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious
+ documents
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\mshta.exe'
+ SELECTION_3:
+ ParentImage: '*\wmiprvse.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://twitter.com/ForensicITGuy/status/1334734244120309760
+status: experimental
+tags:
+- attack.execution
+- attack.g0092
+yml_filename: win_apt_ta505_dropper.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_apt_taidoor.yml b/rules/Sigma/win_apt_taidoor.yml
new file mode 100644
index 00000000..f2f905c2
--- /dev/null
+++ b/rules/Sigma/win_apt_taidoor.yml
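Review bot: This is the same wmiprvse.exe → mshta.exe parent/child pair as the `SELECTION_4 and SELECTION_5` branch of win_apt_lazarus_activity_apr21.yml in this commit, so one event will raise two critical alerts with conflicting attribution. Keep this rule as the behavioural one — its `'*\mshta.exe'` / `'*\wmiprvse.exe'` forms are drive- and WOW64-agnostic, unlike the absolute paths in the Lazarus rule — and either remove that branch from the Lazarus rule or link the two with `related:`. `falsepositives: unknown` could be more useful: if any management software in the estate launches HTA-based UI through WMI it will trip this rule, so `Unlikely; WMI-driven HTA launches by management tooling` gives the analyst a lead.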
@@ -0,0 +1,37 @@ +title: TAIDOOR RAT DLL Load +author: Florian Roth +date: 2020/07/30 +description: Detects specific process characteristics of Chinese TAIDOOR RAT malware + load +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*dll,MyStart*' + SELECTION_3: + CommandLine: '*dll MyStart*' + SELECTION_4: + EventID: 1 + SELECTION_5: + CommandLine: '* MyStart' + SELECTION_6: + CommandLine: '*rundll32.exe*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and + (SELECTION_5) and (SELECTION_6)))) +falsepositives: +- Unknown +id: d1aa3382-abab-446f-96ea-4de52908210b +level: critical +logsource: + category: process_creation + product: windows +references: +- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a +status: experimental +tags: +- attack.execution +- attack.t1055 +- attack.t1055.001 +yml_filename: win_apt_taidoor.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_tropictrooper.yml b/rules/Sigma/win_apt_tropictrooper.yml new file mode 100644 index 00000000..6335273a --- /dev/null +++ b/rules/Sigma/win_apt_tropictrooper.yml 
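Review bot: `SELECTION_4` duplicates `SELECTION_1` (both `EventID: 1`); delete it and write the second branch as `(SELECTION_5 and SELECTION_6)` under the outer SELECTION_1, so there is only one EventID selector to maintain. The two branches are also inconsistent about rundll32: `dll,MyStart` / `dll MyStart` fire without it, while the end-anchored `'* MyStart'` requires it; if the intent is "rundll32 calling an export named MyStart", `SELECTION_6 and (SELECTION_2 or SELECTION_3 or SELECTION_5)` expresses that in one branch. The tags `attack.t1055` / `attack.t1055.001` (process/DLL injection) do not describe a rundll32 export call; `attack.t1218.011` is what the detection actually observes.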
@@ -0,0 +1,27 @@ +title: TropicTrooper Campaign November 2018 +author: '@41thexplorer, Microsoft Defender ATP' +date: 2019/11/12 +description: Detects TropicTrooper activity, an actor who targeted high-profile organizations + in the energy and food and beverage sectors in Asia +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' + condition: (SELECTION_1 and SELECTION_2) +id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79 +level: high +logsource: + category: process_creation + product: windows +modified: 2020/08/27 +references: +- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ +status: stable +tags: +- attack.execution +- attack.t1059 +- attack.t1059.001 +yml_filename: win_apt_tropictrooper.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_turla_comrat_may20.yml b/rules/Sigma/win_apt_turla_comrat_may20.yml new file mode 100644 index 00000000..b528745e --- /dev/null +++ b/rules/Sigma/win_apt_turla_comrat_may20.yml 
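Review bot: `SELECTION_2` pins the marker to one exact run of `C`s, so a sample whose padding is a few characters longer or shorter is missed while the rule still reads as "catches TropicTrooper". This rule set already uses `CommandLine|re` (see win_asr_bypass_via_appvlp_re.yml in the same commit), so a bounded regex such as `CommandLine|re: abC{20,}c` keeps the distinctive shape without the exact length; set the lower bound from the shortest sample you have. The rule also has no `falsepositives` key, unlike most of its siblings; `- Unlikely` keeps the schema consistent.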
@@ -0,0 +1,41 @@ +title: Turla Group Commands May 2020 +author: Florian Roth +date: 2020/05/26 +description: Detects commands used by Turla group as reported by ESET in May 2020 +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*tracert -h 10 yahoo.com*' + SELECTION_3: + CommandLine: '*.WSqmCons))|iex;*' + SELECTION_4: + CommandLine: '*Fr`omBa`se6`4Str`ing*' + SELECTION_5: + CommandLine: '*net use https://docs.live.net*' + SELECTION_6: + CommandLine: '*@aol.co.uk*' + condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4) or (SELECTION_5 + and SELECTION_6))) +falsepositives: +- Unknown +id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c +level: critical +logsource: + category: process_creation + product: windows +modified: 2020/08/27 +references: +- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf +status: experimental +tags: +- attack.g0010 +- attack.execution +- attack.t1086 +- attack.t1059.001 +- attack.t1053 +- attack.t1053.005 +- attack.t1027 +yml_filename: win_apt_turla_comrat_may20.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_turla_service_png.yml b/rules/Sigma/win_apt_turla_service_png.yml new file mode 100644 index 00000000..ed1a0b1d --- /dev/null +++ b/rules/Sigma/win_apt_turla_service_png.yml 
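Review bot: `SELECTION_2` `'*tracert -h 10 yahoo.com*'` is a plain connectivity check that an administrator or help-desk script can run verbatim, and as a lone OR-ed singleton it fires at `level: critical`; either pair it with another indicator or document it in `falsepositives` instead of `Unknown`. `SELECTION_4` matches exactly one backtick placement of the obfuscated FromBase64String; a different placement of the same trick slips past, so a `|re` companion that allows an optional backtick between every letter would cover the technique while the literal keeps report fidelity. `attack.t1086` is the retired id of the `attack.t1059.001` entry already present and can be dropped.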
@@ -0,0 +1,28 @@
+title: Turla PNG Dropper Service
+author: Florian Roth
+date: 2018/11/23
+description: This method detects malicious services mentioned in Turla PNG dropper
+ report by NCC Group in November 2018
+detection:
+ SELECTION_1:
+ EventID: 7045
+ SELECTION_2:
+ ServiceName: WerFaultSvc
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unlikely
+id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+level: critical
+logsource:
+ product: windows
+ service: system
+references:
+- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+tags:
+- attack.persistence
+- attack.g0010
+- attack.t1050
+- attack.t1543.003
+yml_filename: win_apt_turla_service_png.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_apt_unc2452_cmds.yml b/rules/Sigma/win_apt_unc2452_cmds.yml
new file mode 100644
index 00000000..155b4b3f
--- /dev/null
+++ b/rules/Sigma/win_apt_unc2452_cmds.yml
@@ -0,0 +1,61 @@ +title: UNC2452 Process Creation Patterns +author: Florian Roth +date: 2021/01/22 +description: Detects a specific process creation patterns as seen used by UNC2452 + and provided by Microsoft as Microsoft Defender ATP queries +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*cmd.exe /C *' + SELECTION_11: + CommandLine: '*rundll32 c:\windows\\*' + SELECTION_12: + CommandLine: '*.dll *' + SELECTION_13: + EventID: 1 + SELECTION_14: + ParentImage: '*\rundll32.exe' + SELECTION_15: + Image: '*\dllhost.exe' + SELECTION_16: + CommandLine: ' ' + SELECTION_17: + CommandLine: '' + SELECTION_2: + CommandLine: '*7z.exe a -v500m -mx9 -r0 -p*' + SELECTION_3: + ParentCommandLine: '*wscript.exe*' + SELECTION_4: + ParentCommandLine: '*.vbs*' + SELECTION_5: + CommandLine: '*rundll32.exe*' + SELECTION_6: + CommandLine: '*C:\Windows*' + SELECTION_7: + CommandLine: '*.dll,Tk_*' + SELECTION_8: + ParentImage: '*\rundll32.exe' + SELECTION_9: + ParentCommandLine: '*C:\Windows*' + condition: (SELECTION_1 and (((((SELECTION_2) or (SELECTION_3 and SELECTION_4 + and SELECTION_5 and SELECTION_6 and SELECTION_7)) or (SELECTION_8 and SELECTION_9 + and SELECTION_10)) or (SELECTION_11 and SELECTION_12)) or (SELECTION_13 and + (SELECTION_14 and SELECTION_15) and not ((SELECTION_16 or SELECTION_17))))) +falsepositives: +- Unknown +id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/06/27 +references: +- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +status: experimental +tags: +- attack.execution +- attack.t1059.001 +yml_filename: win_apt_unc2452_cmds.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_unc2452_ps.yml b/rules/Sigma/win_apt_unc2452_ps.yml new file mode 100644 index 00000000..434d4916 --- /dev/null 
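Review bot: `SELECTION_13` duplicates `SELECTION_1` (`EventID: 1`) and should go, with the last branch written as `(SELECTION_14 and SELECTION_15) and not (SELECTION_16 or SELECTION_17)`. That branch's exclusion only covers a `CommandLine` that is exactly `' '` or `''`; if the collector omits the field for a dllhost.exe started without arguments instead of emitting an empty string, the `not` excludes nothing and the branch fires on every rundll32 → dllhost pair — verify what your Sysmon output actually contains for such events, and consider an exclusion that matches a command line ending in `dllhost.exe` as well. `SELECTION_6` `'*C:\Windows*'` and `SELECTION_9` `ParentCommandLine: '*C:\Windows*'` lack a trailing separator and so also match `C:\WindowsApps…`-style paths; `'*C:\Windows\\*'` is the intended form.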
+++ b/rules/Sigma/win_apt_unc2452_ps.yml @@ -0,0 +1,37 @@ +title: UNC2452 PowerShell Pattern +author: Florian Roth +date: 2021/01/20 +description: Detects a specific PowerShell command line pattern used by the UNC2452 + actors as mentioned in Microsoft and Symantec reports +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*Invoke-WMIMethod win32_process -name create -argumentlist*' + SELECTION_3: + CommandLine: '*rundll32 c:\windows*' + SELECTION_4: + CommandLine: '*wmic /node:*' + SELECTION_5: + CommandLine: '*process call create "rundll32 c:\windows*' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and + SELECTION_5))) +falsepositives: +- Unknown, unlikely, but possible +id: b7155193-8a81-4d8f-805d-88de864ca50c +level: critical +logsource: + category: process_creation + product: windows +modified: 2021/01/22 +references: +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware +- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command +tags: +- attack.execution +- attack.t1059.001 +- attack.t1047 +yml_filename: win_apt_unc2452_ps.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_unidentified_nov_18.yml b/rules/Sigma/win_apt_unidentified_nov_18.yml new file mode 100644 index 00000000..b8506e3e --- /dev/null +++ b/rules/Sigma/win_apt_unidentified_nov_18.yml 
@@ -0,0 +1,30 @@ +title: Unidentified Attacker November 2018 +author: '@41thexplorer, Microsoft Defender ATP' +date: 2018/11/20 +description: A sigma rule detecting an unidetefied attacker who used phishing emails + to target high profile orgs on November 2018. The Actor shares some TTPs with + YYTRIUM/APT29 campaign in 2016. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*cyzfc.dat,*' + SELECTION_3: + CommandLine: '*PointFunctionCall' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +id: 7453575c-a747-40b9-839b-125a0aae324b +level: high +logsource: + category: process_creation + product: windows +modified: 2021/09/19 +references: +- https://twitter.com/DrunkBinary/status/1063075530180886529 +status: stable +tags: +- attack.execution +- attack.t1218.011 +- attack.t1085 +yml_filename: win_apt_unidentified_nov_18.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_winnti_mal_hk_jan20.yml b/rules/Sigma/win_apt_winnti_mal_hk_jan20.yml new file mode 100644 index 00000000..33329023 --- /dev/null +++ b/rules/Sigma/win_apt_winnti_mal_hk_jan20.yml 
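Review bot: `SELECTION_3` `'*PointFunctionCall'` is end-anchored, so a command line with trailing whitespace, a trailing argument, or a closing quote after the export name does not match even though `cyzfc.dat,` is present; `'*PointFunctionCall*'` costs nothing in precision because SELECTION_2 already pins the file name. The rule has no `Image` constraint and no `falsepositives` key; `Image: '*\rundll32.exe'` would make the `attack.t1218.011` tag an observed fact rather than an inference from the `.dat,Export` syntax, and `attack.t1085` is the retired id for the same technique. Description typos: `unidetefied` → `unidentified`, `orgs on November 2018` → `organizations in November 2018`.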
@@ -0,0 +1,49 @@ +title: Winnti Malware HK University Campaign +author: Florian Roth, Markus Neis +date: 2020/02/01 +description: Detects specific process characteristics of Winnti malware noticed in + Dec/Jan 2020 in a campaign against Honk Kong universities +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + ParentImage: C:\ProgramData\DRM\Windows* + SELECTION_11: + Image: '*\SearchFilterHost.exe' + SELECTION_2: + ParentImage: '*C:\Windows\Temp*' + SELECTION_3: + ParentImage: '*\hpqhvind.exe*' + SELECTION_4: + Image: C:\ProgramData\DRM* + SELECTION_5: + ParentImage: C:\ProgramData\DRM* + SELECTION_6: + Image: '*\wmplayer.exe' + SELECTION_7: + ParentImage: '*\Test.exe' + SELECTION_8: + Image: '*\wmplayer.exe' + SELECTION_9: + Image: C:\ProgramData\DRM\CLR\CLR.exe + condition: (SELECTION_1 and (((SELECTION_2 or SELECTION_3) and SELECTION_4) or + (SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8) or SELECTION_9 + or (SELECTION_10 and SELECTION_11))) +falsepositives: +- Unlikely +id: 3121461b-5aa0-4a41-b910-66d25524edbb +level: critical +logsource: + category: process_creation + product: windows +references: +- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1574.002 +- attack.t1073 +- attack.g0044 +yml_filename: win_apt_winnti_mal_hk_jan20.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_winnti_pipemon.yml b/rules/Sigma/win_apt_winnti_pipemon.yml new file mode 100644 index 00000000..62bcc8a2 --- /dev/null +++ b/rules/Sigma/win_apt_winnti_pipemon.yml 
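Review bot: `SELECTION_6` and `SELECTION_8` are identical (`'*\wmplayer.exe'`), so the `(SELECTION_7 and SELECTION_8)` branch can reuse SELECTION_6 and SELECTION_8 be deleted. `SELECTION_2` `'*C:\Windows\Temp*'` puts a leading `*` in front of an absolute path and has no trailing separator, so it also matches `C:\Windows\Temporary…`; `'*\Windows\Temp\\*'` (with the separator, as in SELECTION_10) is drive-agnostic and tighter. `SELECTION_3` `'*\hpqhvind.exe*'` ends in a wildcard on `ParentImage`, which is a file path with nothing after the name; `'*\hpqhvind.exe'` matches the style of the other Image selections. Typo in description: `Honk Kong` → `Hong Kong`.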
@@ -0,0 +1,38 @@ +title: Winnti Pipemon Characteristics +author: Florian Roth, oscd.community +date: 2020/07/30 +description: Detects specific process characteristics of Winnti Pipemon malware reported + by ESET +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*setup0.exe -p*' + SELECTION_3: + CommandLine: '*setup.exe*' + SELECTION_4: + CommandLine: '*-x:0' + SELECTION_5: + CommandLine: '*-x:1' + SELECTION_6: + CommandLine: '*-x:2' + condition: (SELECTION_1 and ((SELECTION_2) or (SELECTION_3 and (SELECTION_4 or + SELECTION_5 or SELECTION_6)))) +falsepositives: +- Legitimate setups that use similar flags +id: 73d70463-75c9-4258-92c6-17500fe972f2 +level: critical +logsource: + category: process_creation + product: windows +references: +- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1574.002 +- attack.t1073 +- attack.g0044 +yml_filename: win_apt_winnti_pipemon.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_apt_wocao.yml b/rules/Sigma/win_apt_wocao.yml new file mode 100644 index 00000000..422a5bd2 --- /dev/null +++ b/rules/Sigma/win_apt_wocao.yml 
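Review bot: `SELECTION_3` `'*setup.exe*'` matches any command line that mentions `setup.exe` anywhere — including installers that pass another setup.exe as an argument — and is combined only with an end-anchored `-x:0`/`-x:1`/`-x:2`, which the rule's own `falsepositives` says legitimate setups use; at `level: critical` that branch will be noisy. Tightening it to the image, `Image: '*\setup.exe'`, and adding a path hint from the ESET report would keep it, or the rule can stay at `high` with the `setup0.exe -p` pattern (SELECTION_2) split into its own critical rule. Either way the `description` should say which branch is the high-fidelity one.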
@@ -0,0 +1,39 @@ +title: Operation Wocao Activity +author: Florian Roth, frack113 +date: 2019/12/20 +description: Detects activity mentioned in Operation Wocao report +detection: + SELECTION_1: + EventID: 4799 + SELECTION_2: + TargetUserName: Administr* + SELECTION_3: + CallerProcessName: '*\checkadmin.exe' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Administrators that use checkadmin.exe tool to enumerate local administrators +id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d +level: high +logsource: + product: windows + service: security +modified: 2021/09/19 +references: +- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ +- https://twitter.com/SBousseaden/status/1207671369963646976 +status: experimental +tags: +- attack.discovery +- attack.t1012 +- attack.defense_evasion +- attack.t1036.004 +- attack.t1036 +- attack.t1027 +- attack.execution +- attack.t1053.005 +- attack.t1053 +- attack.t1059.001 +- attack.t1086 +yml_filename: win_apt_wocao.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_apt_zxshell.yml b/rules/Sigma/win_apt_zxshell.yml new file mode 100644 index 00000000..5971c263 --- /dev/null +++ b/rules/Sigma/win_apt_zxshell.yml 
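Review bot: The detection is a single 4799 pattern (checkadmin.exe enumerating an `Administr*` local group), but the tags claim registry query, masquerading, obfuscation, scheduled tasks and PowerShell (`t1012`, `t1036.004`, `t1027`, `t1053.005`, `t1059.001`, `t1086`); these look inherited from a broader Wocao rule and will mislead anyone pivoting by technique. `attack.discovery` with `attack.t1069.001` (Permission Groups Discovery: Local Groups) is what a 4799 on the Administrators group evidences, and `attack.t1036.004` only if the report says checkadmin.exe masquerades as something. `TargetUserName: Administr*` is a prefix match, which also catches localized names such as `Administratoren`, so that is fine; `CallerProcessName` is the real anchor and the description could say so.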
@@ -0,0 +1,39 @@ +title: ZxShell Malware +author: Florian Roth, oscd.community, Jonhnathan Ribeiro +date: 2017/07/20 +description: Detects a ZxShell start by the called and well-known function name +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\rundll32.exe' + SELECTION_3: + CommandLine: '*zxFunction*' + SELECTION_4: + CommandLine: '*RemoteDiskXXXXX*' + condition: (SELECTION_1 and (SELECTION_2) and (SELECTION_3 or SELECTION_4)) +falsepositives: +- Unlikely +fields: +- CommandLine +- ParentCommandLine +id: f0b70adb-0075-43b0-9745-e82a1c608fcc +level: critical +logsource: + category: process_creation + product: windows +modified: 2020/08/26 +references: +- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 +tags: +- attack.execution +- attack.t1059.003 +- attack.t1059 +- attack.defense_evasion +- attack.t1218.011 +- attack.t1085 +- attack.s0412 +- attack.g0001 +yml_filename: win_apt_zxshell.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/Sigma/win_arbitrary_shell_execution_via_settingcontent.yml new file mode 100644 index 00000000..51ad235f --- /dev/null +++ b/rules/Sigma/win_arbitrary_shell_execution_via_settingcontent.yml 
@@ -0,0 +1,35 @@ +title: Arbitrary Shell Command Execution Via Settingcontent-Ms +author: Sreeman +date: 2020/03/13 +description: The .SettingContent-ms file type was introduced in Windows 10 and allows + a user to create "shortcuts" to various Windows 10 setting pages. These files + are simply XML and contain paths to various Windows 10 settings binaries. +detection: + SELECTION_1: + CommandLine: '*.SettingContent-ms*' + SELECTION_2: + FilePath: '*immersivecontrolpanel*' + condition: (SELECTION_1 and not (SELECTION_2)) +falsepositives: +- unknown +fields: +- ParentProcess +- CommandLine +- ParentCommandLine +id: 24de4f3b-804c-4165-b442-5a06a2302c7e +level: medium +logsource: + product: windows + service: security +modified: 2021/08/09 +references: +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +tags: +- attack.t1204 +- attack.t1193 +- attack.t1566.001 +- attack.execution +- attack.initial_access +yml_filename: win_arbitrary_shell_execution_via_settingcontent.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_asr_bypass_via_appvlp_re.yml b/rules/Sigma/win_asr_bypass_via_appvlp_re.yml new file mode 100644 index 00000000..ee61a3a3 --- /dev/null +++ b/rules/Sigma/win_asr_bypass_via_appvlp_re.yml 
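Review bot: Unlike the other rules in this commit the detection has no `EventID` selector, so under `service: security` it applies to every Security event that carries a `CommandLine` field; pin it to `EventID: 4688` and note in `logsource.definition` that the command line is only present when process-command-line auditing is enabled. The exclusion `FilePath: '*immersivecontrolpanel*'` names a field I cannot find in 4688 (the process path is `NewProcessName`), so the `not` clause would exclude nothing and the legitimate Settings-app launches it is meant to suppress would fire — `NewProcessName: '*immersivecontrolpanel*'` (or the parent-process equivalent) looks like the intent; please verify against a real event. The `fields:` entry `ParentProcess` has the same problem (4688 calls it `ParentProcessName`).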
@@ -0,0 +1,32 @@ +title: Using AppVLP To Circumvent ASR File Path Rule +author: Sreeman +date: 2020/03/13 +description: "Application Virtualization Utility is included with Microsoft Office.We\ + \ are able to abuse \u201CAppVLP\u201D to execute shell commands. Normally, this\ + \ binary is used for Application Virtualization, but we can use it as an abuse\ + \ binary to circumvent the ASR file path rule folder or to mark a file as a system\ + \ file" +detection: + SELECTION_1: + CommandLine|re: (?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf) + condition: SELECTION_1 +falsepositives: +- unknown +fields: +- ParentProcess +- CommandLine +- ParentCommandLine +id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 +level: medium +logsource: + product: windows + service: security +modified: 2021/06/11 +status: experimental +tags: +- attack.t1218 +- attack.defense_evasion +- attack.execution +yml_filename: win_asr_bypass_via_appvlp_re.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_atsvc_task.yml b/rules/Sigma/win_atsvc_task.yml new file mode 100644 index 00000000..ff1cf64f --- /dev/null +++ b/rules/Sigma/win_atsvc_task.yml 
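Review bot: The regex in `SELECTION_1` leaves every dot unescaped, so `.exe` matches any character followed by `exe` and the extension group `(.sh|.exe|…|.ps|…)` matches fragments such as `lps`, `ash` or `xvb` inside ordinary words; with the unanchored `.*` runs it is both looser and slower than intended. Escaping the dots is a one-line fix: `CommandLine|re: (?i).*appvlp\.exe.*(cmd|powershell)\.exe.*\.(sh|exe|dll|bin|bat|cmd|js|msh|reg|scr|ps|vb|jar|pl|inf)` — the leading `.*` can go only if the engine searches rather than full-matches, so check how Hayabusa evaluates `|re` first. As with the SettingContent rule there is no `EventID: 4688` selector under `service: security`, and the `description` would read better with plain quotes instead of the `\u201C`/`\u201D` escapes.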
@@ -0,0 +1,36 @@ +title: Remote Task Creation via ATSVC Named Pipe +author: Samir Bousseaden +date: 2019/04/03 +description: Detects remote task creation via at.exe or API interacting with ATSVC + namedpipe +detection: + SELECTION_1: + EventID: 5145 + SELECTION_2: + ShareName: \\*\IPC$ + SELECTION_3: + RelativeTargetName: atsvc + SELECTION_4: + Accesses: '*WriteData*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- pentesting +id: f6de6525-4509-495a-8a82-1f8b0ed73a00 +level: medium +logsource: + definition: The advanced audit policy setting "Object Access > Audit Detailed + File Share" must be configured for Success/Failure + product: windows + service: security +references: +- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +tags: +- attack.lateral_movement +- attack.persistence +- attack.t1053 +- car.2013-05-004 +- car.2015-04-001 +- attack.t1053.002 +yml_filename: win_atsvc_task.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_attrib_hiding_files.yml b/rules/Sigma/win_attrib_hiding_files.yml new file mode 100644 index 00000000..a1ec7081 --- /dev/null +++ b/rules/Sigma/win_attrib_hiding_files.yml 
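Review bot: `falsepositives` lists only `pentesting`, but SELECTION_1–4 (5145 on `IPC$`, target `atsvc`, `WriteData`) is presumably also what legitimate remote scheduling with `at.exe` from an admin workstation produces, so the entry should say so, e.g. `- Legitimate remote task administration via at.exe`, or analysts will treat every hit as hostile. The `logsource.definition` correctly records the required audit setting, which is good; the rule nevertheless lacks a `status:` key, as do win_av_relevant_match (L530) and win_cobaltstrike_service_installs (L543), while most siblings in this commit carry `status: experimental`.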
@@ -0,0 +1,45 @@ +title: Hiding Files with Attrib.exe +author: Sami Ruohonen +date: 2019/01/16 +description: Detects usage of attrib.exe to hide files from users. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\attrib.exe' + SELECTION_3: + CommandLine: '* +h *' + SELECTION_4: + EventID: 1 + SELECTION_5: + CommandLine: '*\desktop.ini *' + SELECTION_6: + ParentImage: '*\cmd.exe' + SELECTION_7: + CommandLine: +R +H +S +A \\*.cui + SELECTION_8: + ParentCommandLine: C:\WINDOWS\system32\\*.bat + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 + and (SELECTION_5 or (SELECTION_6 and SELECTION_7 and SELECTION_8))))) +falsepositives: +- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe + and igfxCUIService.exe is the parent of the cmd.exe) +- msiexec.exe hiding desktop.ini +fields: +- CommandLine +- ParentCommandLine +- User +id: 4281cb20-2994-4580-aa63-c8b86d019934 +level: low +logsource: + category: process_creation + product: windows +modified: 2020/08/27 +status: experimental +tags: +- attack.defense_evasion +- attack.t1564.001 +- attack.t1158 +yml_filename: win_attrib_hiding_files.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_audit_cve.yml b/rules/Sigma/win_audit_cve.yml new file mode 100644 index 00000000..0732d3a6 --- /dev/null +++ b/rules/Sigma/win_audit_cve.yml 
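Review bot: SELECTION_4 repeats SELECTION_1 (`EventID: 1`) inside the `not` branch, a converter artefact that adds nothing since the outer conjunction already requires it; dropping SELECTION_4 lets the exclusion read `not (SELECTION_5 or (SELECTION_6 and SELECTION_7 and SELECTION_8))`. SELECTION_7's value begins with `+` and is the only wildcard pattern in this rule left unquoted; it parses as a plain scalar today, but `CommandLine: '+R +H +S +A \\*.cui'` matches the sibling style and removes the ambiguity for readers scanning the collapsed diff, where a leading `+` looks like a diff marker.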
@@ -0,0 +1,40 @@ +title: Audit CVE Event +author: Florian Roth +date: 2020/01/15 +description: Detects events generated by Windows to indicate the exploitation of a + known vulnerability (e.g. CVE-2020-0601) +detection: + SELECTION_1: + Provider_Name: Microsoft-Windows-Audit-CVE + condition: SELECTION_1 +falsepositives: +- Unknown +id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2 +level: critical +logsource: + product: windows + service: application +modified: 2021/10/13 +references: +- https://twitter.com/mattifestation/status/1217179698008068096 +- https://twitter.com/VM_vivisector/status/1217190929330655232 +- https://twitter.com/davisrichardg/status/1217517547576348673 +- https://twitter.com/DidierStevens/status/1217533958096924676 +- https://twitter.com/FlemmingRiis/status/1217147415482060800 +status: experimental +tags: +- attack.execution +- attack.t1203 +- attack.privilege_escalation +- attack.t1068 +- attack.defense_evasion +- attack.t1211 +- attack.credential_access +- attack.t1212 +- attack.lateral_movement +- attack.t1210 +- attack.impact +- attack.t1499.004 +yml_filename: win_audit_cve.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_av_relevant_match.yml b/rules/Sigma/win_av_relevant_match.yml new file mode 100644 index 00000000..19fc860a --- /dev/null +++ b/rules/Sigma/win_av_relevant_match.yml 
@@ -0,0 +1,23 @@ +title: Relevant Anti-Virus Event +author: Florian Roth +date: 2017/02/19 +description: This detection method points out highly relevant Antivirus events +detection: + condition: ((HTool- or Hacktool or ASP/Backdoor or JSP/Backdoor or PHP/Backdoor + or Backdoor.ASP or Backdoor.JSP or Backdoor.PHP or Webshell or Portscan or + Mimikatz or WinCred or PlugX or Korplug or Pwdump or Chopper or WmiExec or + Xscan or Clearlog or ASPXSpy) and not (Keygen or Crack)) +falsepositives: +- Some software piracy tools (key generators, cracks) are classified as hack tools +id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8 +level: high +logsource: + product: windows + service: application +modified: 2021/07/28 +tags: +- attack.resource_development +- attack.t1588 +yml_filename: win_av_relevant_match.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_bad_opsec_sacrificial_processes.yml b/rules/Sigma/win_bad_opsec_sacrificial_processes.yml new file mode 100644 index 00000000..6dfb2282 --- /dev/null +++ b/rules/Sigma/win_bad_opsec_sacrificial_processes.yml 
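Review bot: The `condition` references bare keyword strings (`HTool-`, `ASP/Backdoor`, `Backdoor.ASP`, …) instead of detection identifiers, and the `detection` block defines no selection at all, so a Sigma-compliant backend will either reject the rule or treat each keyword as an undefined identifier; `/` and `.` are not even legal in identifier names. The original keyword-list form should be restored: the positive terms go under a `keywords` list, the two exclusions under `filter`, and the condition becomes `keywords and not filter`. The rule also carries no `references` and no `status` key, unlike its siblings.
```yaml
detection:
  keywords:
    - 'HTool-'
    - 'Hacktool'
    - 'ASP/Backdoor'
    - 'JSP/Backdoor'
    - 'PHP/Backdoor'
    - 'Backdoor.ASP'
    - 'Backdoor.JSP'
    - 'Backdoor.PHP'
    - 'Webshell'
    - 'Portscan'
    - 'Mimikatz'
    - 'WinCred'
    - 'PlugX'
    - 'Korplug'
    - 'Pwdump'
    - 'Chopper'
    - 'WmiExec'
    - 'Xscan'
    - 'Clearlog'
    - 'ASPXSpy'
  filter:
    - 'Keygen'
    - 'Crack'
  condition: keywords and not filter
# … unchanged: falsepositives, id, level, logsource, modified, tags …
```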
@@ -0,0 +1,66 @@ +title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments +author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian + Burkard +date: 2020/10/23 +description: Detects attackers using tooling with bad opsec defaults e.g. spawning + a sacrificial process to inject a capability into the process without taking into + account how the process is normally run, one trivial example of this is using + rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted + by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and + other examples. +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + Image: '*\regsvr32.exe' + SELECTION_11: + CommandLine: '*\regsvr32.exe' + SELECTION_2: + Image: '*\WerFault.exe' + SELECTION_3: + CommandLine: '*\WerFault.exe' + SELECTION_4: + Image: '*\rundll32.exe' + SELECTION_5: + CommandLine: '*\rundll32.exe' + SELECTION_6: + Image: '*\regsvcs.exe' + SELECTION_7: + CommandLine: '*\regsvcs.exe' + SELECTION_8: + Image: '*\regasm.exe' + SELECTION_9: + CommandLine: '*\regasm.exe' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and + SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) + or (SELECTION_10 and SELECTION_11))) +falsepositives: +- Unlikely +fields: +- ParentImage +- ParentCommandLine +id: a7c3d773-caef-227e-a7e7-c2f13c622329 +level: high +logsource: + category: process_creation + product: windows +modified: 2021/09/01 +references: +- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ +- https://www.cobaltstrike.com/help-opsec +- https://twitter.com/CyberRaiju/status/1251492025678983169 +- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 +- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- 
https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback +related: +- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add + type: obsoletes +status: experimental +tags: +- attack.defense_evasion +- attack.t1085 +- attack.t1218.011 +yml_filename: win_bad_opsec_sacrificial_processes.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_bootconf_mod.yml b/rules/Sigma/win_bootconf_mod.yml new file mode 100644 index 00000000..75ad288f --- /dev/null +++ b/rules/Sigma/win_bootconf_mod.yml 
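Review bot: The "no arguments" check relies on `CommandLine` ending with the bare image name (SELECTION_3, 5, 7, 9, 11), so the same argument-less launch written with a quoted path — `"C:\Windows\System32\rundll32.exe"` — ends in `"` and is not matched; if the consuming backend supports list values, an `endswith` pair per binary such as `CommandLine: ['*\rundll32.exe', '*\rundll32.exe"']` closes that gap, otherwise a second selection per binary does. The `author` value is a plain scalar folded across two physical lines, which parses but is fragile to re-indentation; quoting it would be safer. The `related` entry with `type: obsoletes` is useful and should be kept.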
@@ -0,0 +1,44 @@ +title: Modification of Boot Configuration +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +date: 2019/10/24 +description: Identifies use of the bcdedit command to delete boot configuration data. + This tactic is sometimes used as by malware or an attacker as a destructive technique. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\bcdedit.exe' + SELECTION_3: + CommandLine: '*set*' + SELECTION_4: + CommandLine: '*bootstatuspolicy*' + SELECTION_5: + CommandLine: '*ignoreallfailures*' + SELECTION_6: + CommandLine: '*recoveryenabled*' + SELECTION_7: + CommandLine: '*no*' + condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and + SELECTION_5) or (SELECTION_6 and SELECTION_7))) +falsepositives: +- Unlikely +fields: +- ComputerName +- User +- CommandLine +id: 1444443e-6757-43e4-9ea4-c8fc705f79a2 +level: high +logsource: + category: process_creation + product: windows +modified: 2019/11/11 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md +- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html +status: experimental +tags: +- attack.impact +- attack.t1490 +yml_filename: win_bootconf_mod.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_bypass_squiblytwo.yml b/rules/Sigma/win_bypass_squiblytwo.yml new file mode 100644 index 00000000..c1b59f98 --- /dev/null +++ b/rules/Sigma/win_bypass_squiblytwo.yml 
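Review bot: SELECTION_7 `CommandLine: '*no*'` is a two-letter substring that is satisfied by the letters `no` anywhere in the command line — inside paths, account names or other bcdedit options — so the `SELECTION_6 and SELECTION_7` branch effectively reduces to `recoveryenabled` alone and will also fire on an administrator re-enabling recovery. Tighten it to the argument the rule means to catch, `CommandLine: '*recoveryenabled no*'`, and drop SELECTION_7 from the condition. `*set*` in SELECTION_3 is similarly loose but is anchored by the `bcdedit.exe` image, so it is less of a concern.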
@@ -0,0 +1,49 @@ +title: SquiblyTwo +author: Markus Neis / Florian Roth +date: 2019/01/16 +description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for + imphash +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*http*' + SELECTION_3: + Image: '*\wmic.exe' + SELECTION_4: + CommandLine: '*wmic*' + SELECTION_5: + CommandLine: '*format*' + SELECTION_6: + Imphash: 1B1A3F43BF37B5BFE60751F2EE2F326E + SELECTION_7: + Imphash: 37777A96245A3C74EB217308F3546F4C + SELECTION_8: + Imphash: 9D87C9D67CE724033C0B40CC4CA1B206 + SELECTION_9: + CommandLine: '*format:*' + condition: (SELECTION_1 and SELECTION_2 and (((SELECTION_3) and SELECTION_4 and + SELECTION_5) or ((SELECTION_6 or SELECTION_7 or SELECTION_8) and SELECTION_9))) +falsepositives: +- Unknown +id: 8d63dadf-b91b-4187-87b6-34a1114577ea +level: medium +logsource: + category: process_creation + product: windows +modified: 2020/08/27 +references: +- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html +- https://twitter.com/mattifestation/status/986280382042595328 +status: experimental +tags: +- attack.defense_evasion +- attack.t1047 +- attack.t1220 +- attack.execution +- attack.t1059.005 +- attack.t1059.007 +- attack.t1059 +yml_filename: win_bypass_squiblytwo.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_camera_microphone_access.yml b/rules/Sigma/win_camera_microphone_access.yml new file mode 100644 index 00000000..60f58718 --- /dev/null +++ b/rules/Sigma/win_camera_microphone_access.yml 
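Review bot: SELECTION_6–8 match on a field called `Imphash`, but Sysmon event 1 carries the import hash inside its `Hashes` field as `IMPHASH=…` rather than as a standalone field, so unless the consuming backend extracts it the renamed-wmic branch never matches and only the `*\wmic.exe` branch is live. Either document the required extraction in `logsource.definition` or match the composite field, e.g. `Hashes: '*IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E*'` for each of the three values. Collecting the imphash at all also requires Sysmon's `HashAlgorithms` setting to include IMPHASH, which is worth stating in the same definition line.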
@@ -0,0 +1,33 @@ +title: Processes Accessing the Microphone and Webcam +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/06/07 +description: Potential adversaries accessing the microphone and webcam in an endpoint. +detection: + SELECTION_1: + EventID: 4657 + SELECTION_2: + EventID: 4656 + SELECTION_3: + EventID: 4663 + SELECTION_4: + ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*' + SELECTION_5: + ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*' + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)) +falsepositives: +- Unknown +id: 8cd538a4-62d5-4e83-810b-12d41e428d6e +level: medium +logsource: + product: windows + service: security +references: +- https://twitter.com/duzvik/status/1269671601852813320 +- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 +status: experimental +tags: +- attack.collection +- attack.t1123 +yml_filename: win_camera_microphone_access.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + diff --git a/rules/Sigma/win_change_default_file_association.yml b/rules/Sigma/win_change_default_file_association.yml new file mode 100644 index 00000000..d79d3fa9 --- /dev/null +++ b/rules/Sigma/win_change_default_file_association.yml 
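Review bot: The rule depends on registry object-access auditing (4656/4663/4657) together with a SACL on the `ConsentStore\microphone` and `ConsentStore\webcam` keys, but unlike the ATSVC rule at L527 the `logsource` carries no `definition` telling operators what must be enabled, so on a default audit policy it silently never fires. I would add under `logsource` a line such as `definition: Requires 'Object Access > Audit Registry' and a SACL on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{microphone,webcam} and subkeys`. `falsepositives: Unknown` is also optimistic here: any application the user legitimately grants camera or microphone access writes these keys, which the description itself implies.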
@@ -0,0 +1,45 @@ +title: Change Default File Association +author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +description: When a file is opened, the default program used to open the file (also + called the file association or handler) is checked. File association selections + are stored in the Windows Registry and can be edited by users, administrators, + or programs that have Registry access or by administrators using the built-in + assoc utility. Applications can modify the file association for a given file extension + to call an arbitrary program when a file with the given extension is opened. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*cmd*' + SELECTION_3: + CommandLine: '*/c*' + SELECTION_4: + CommandLine: '*assoc*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- Admin activity +fields: +- Image +- CommandLine +- User +- LogonGuid +- Hashes +- ParentProcessGuid +- ParentCommandLine +id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 +level: low +logsource: + category: process_creation + product: windows +modified: 2019/11/04 +references: +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md +status: experimental +tags: +- attack.persistence +- attack.t1546.001 +- attack.t1042 +yml_filename: win_change_default_file_association.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_cl_invocation_lolscript.yml b/rules/Sigma/win_cl_invocation_lolscript.yml new file mode 100644 index 00000000..7b10c067 --- /dev/null +++ b/rules/Sigma/win_cl_invocation_lolscript.yml 
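Review bot: The three substrings `*cmd*`, `*/c*` and `*assoc*` together match any `cmd /c` invocation whose command line merely contains the letters `assoc` — including `assoc` run without arguments, which only lists associations, and unrelated words such as `associate` — so the rule fires on far more than the "Change" in its title. Tightening SELECTION_4 to the assignment form, `CommandLine: '*assoc *=*'`, keeps only invocations that set a handler (`assoc .ext=progid`). With `level: low` and `Admin activity` as the stated false positive this is mainly noise reduction, but it also makes the title honest.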
@@ -0,0 +1,30 @@ +title: Execution via CL_Invocation.ps1 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*CL_Invocation.ps1*' + SELECTION_3: + CommandLine: '*SyncInvoke*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unknown +id: a0459f02-ac51-4c09-b511-b8c9203fc429 +level: high +logsource: + category: process_creation + product: windows +modified: 2021/05/21 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml +- https://twitter.com/bohops/status/948061991012327424 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: win_cl_invocation_lolscript.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_cl_mutexverifiers_lolscript.yml b/rules/Sigma/win_cl_mutexverifiers_lolscript.yml new file mode 100644 index 00000000..29f00f62 --- /dev/null +++ b/rules/Sigma/win_cl_mutexverifiers_lolscript.yml 
@@ -0,0 +1,31 @@ +title: Execution via CL_Mutexverifiers.ps1 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 + module +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*CL_Mutexverifiers.ps1*' + SELECTION_3: + CommandLine: '*runAfterCancelProcess*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unknown +id: 99465c8f-f102-4157-b11c-b0cddd53b79a +level: high +logsource: + category: process_creation + product: windows +modified: 2021/05/21 +references: +- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml +- https://twitter.com/pabraeken/status/995111125447577600 +status: experimental +tags: +- attack.defense_evasion +- attack.t1216 +yml_filename: win_cl_mutexverifiers_lolscript.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_class_exec_xwizard.yml b/rules/Sigma/win_class_exec_xwizard.yml new file mode 100644 index 00000000..f315b380 --- /dev/null +++ b/rules/Sigma/win_class_exec_xwizard.yml 
@@ -0,0 +1,29 @@ +title: Custom Class Execution via Xwizard +author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative" +date: 2020/10/07 +description: Detects the execution of Xwizard tool with specific arguments which utilized + to run custom class properties. +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\xwizard.exe' + SELECTION_3: + CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Unknown +id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff +level: medium +logsource: + category: process_creation + product: windows +references: +- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ +status: experimental +tags: +- attack.defense_evasion +- attack.t1218 +yml_filename: win_class_exec_xwizard.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_cmdkey_recon.yml b/rules/Sigma/win_cmdkey_recon.yml new file mode 100644 index 00000000..99819ef8 --- /dev/null +++ b/rules/Sigma/win_cmdkey_recon.yml 
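Review bot: The GUID regex in SELECTION_3 opens and closes with unescaped braces; `{` introduces a counted repetition in most engines, and stricter parsers (Rust's regex crate, as far as I recall, which Hayabusa-style consumers rely on) reject a `{` that does not form a valid `{n,m}` rather than treating it literally, so the rule may fail to load instead of matching. Escape both braces: `CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'`. The quoting is already correct, so nothing else in the value needs to change.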
@@ -0,0 +1,35 @@ +title: Cmdkey Cached Credentials Recon +author: jmallette +date: 2019/01/16 +description: Detects usage of cmdkey to look for cached credentials +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\cmdkey.exe' + SELECTION_3: + CommandLine: '* /list*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) +falsepositives: +- Legitimate administrative tasks +fields: +- CommandLine +- ParentCommandLine +- User +id: 07f8bdc2-c9b3-472a-9817-5a670b872f53 +level: medium +logsource: + category: process_creation + product: windows +modified: 2021/07/07 +references: +- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation +- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx +status: experimental +tags: +- attack.credential_access +- attack.t1003.005 +- attack.t1003 +yml_filename: win_cmdkey_recon.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_cmstp_com_object_access.yml b/rules/Sigma/win_cmstp_com_object_access.yml new file mode 100644 index 00000000..b9dbbdaf --- /dev/null +++ b/rules/Sigma/win_cmstp_com_object_access.yml 
@@ -0,0 +1,57 @@ +title: CMSTP UAC Bypass via COM Object Access +author: Nik Seetharaman, Christian Burkard +date: 2021/08/31 +description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile + Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65) +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + ParentImage: '*\DllHost.exe' + SELECTION_3: + IntegrityLevel: High + SELECTION_4: + IntegrityLevel: System + SELECTION_5: + ParentCommandLine: '* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*' + SELECTION_6: + ParentCommandLine: '* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*' + SELECTION_7: + ParentCommandLine: '* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*' + SELECTION_8: + ParentCommandLine: '* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*' + SELECTION_9: + ParentCommandLine: '* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*' + condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4) and (SELECTION_5 + or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9)) +falsepositives: +- Legitimate CMSTP use (unlikely in modern enterprise environments) +fields: +- CommandLine +- ParentCommandLine +- Hashes +id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253 +level: high +logsource: + category: process_creation + product: windows +modified: 2019/07/31 +references: +- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ +- https://twitter.com/hFireF0X/status/897640081053364225 +- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf +- https://github.com/hfiref0x/UACME +status: stable +tags: +- attack.execution +- attack.defense_evasion +- attack.privilege_escalation +- attack.t1548.002 +- attack.t1088 +- attack.t1218.003 +- attack.t1191 +- attack.g0069 +- car.2019-04-001 +yml_filename: win_cmstp_com_object_access.yml +yml_path: 
/Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_cobaltstrike_process_patterns.yml b/rules/Sigma/win_cobaltstrike_process_patterns.yml new file mode 100644 index 00000000..986b8f81 --- /dev/null +++ b/rules/Sigma/win_cobaltstrike_process_patterns.yml @@ -0,0 +1,54 @@ +title: CobaltStrike Process Patterns +author: Florian Roth +date: 2021/07/27 +description: Detects process patterns found in Cobalt Strike beacon activity (see + reference for more details) +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*\whoami.exe*' + SELECTION_11: + ParentImage: '*\dllhost.exe' + SELECTION_12: + Image: '*\cmd.exe' + SELECTION_13: + ParentImage: '*\runonce.exe' + SELECTION_14: + ParentCommandLine: '*\runonce.exe' + SELECTION_2: + CommandLine: '*\cmd.exe /C whoami*' + SELECTION_3: + ParentImage: C:\Temp* + SELECTION_4: + CommandLine: '*conhost.exe 0xffffffff -ForceV1*' + SELECTION_5: + ParentCommandLine: '*/C whoami*' + SELECTION_6: + ParentCommandLine: '*cmd.exe /C echo*' + SELECTION_7: + ParentCommandLine: '* > \\.\pipe*' + SELECTION_8: + CommandLine: '*cmd.exe /c echo*' + SELECTION_9: + CommandLine: '*> \\.\pipe*' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and + (SELECTION_5 or SELECTION_6 or SELECTION_7)) or ((SELECTION_8 or SELECTION_9 + or SELECTION_10) and SELECTION_11) or (SELECTION_12 and SELECTION_13 and SELECTION_14))) +falsepositives: +- Other programs that cause these patterns (please report) +id: f35c5d71-b489-4e22-a115-f003df287317 +level: high +logsource: + category: process_creation + product: windows +modified: 2021/08/30 +references: +- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ +- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ +status: experimental +tags: +- attack.execution +yml_filename: win_cobaltstrike_process_patterns.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + 
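Review bot: `modified: 2019/07/31` is earlier than `date: 2021/08/31`, so the rule claims to have been modified two years before it was created; presumably `date` was carried over from a rewrite of an older rule and should be the earlier of the two, but one of them is wrong either way and tooling that sorts on these fields will misreport the rule's age. The `yml_path` value is also broken across the physical line here (L541–L542), which is a rendering artefact of the collapsed diff rather than a content problem.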
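Review bot: SELECTION_3 `ParentImage: C:\Temp*` is the only wildcard value in the rule left unquoted; it parses as a plain scalar today, but a value beginning with a drive letter and colon is one edit away from being read as a mapping, and every sibling pattern is quoted — write `ParentImage: 'C:\Temp*'`. On the conhost branch, `conhost.exe 0xffffffff -ForceV1` is, as far as I know, the ordinary way conhost is spawned on current Windows, so it is the `ParentCommandLine` constraint in SELECTION_5–7 that carries the signal; a short note in `description` saying so would stop a future maintainer from "simplifying" that branch.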
diff --git a/rules/Sigma/win_cobaltstrike_service_installs.yml b/rules/Sigma/win_cobaltstrike_service_installs.yml new file mode 100644 index 00000000..e3a52c47 --- /dev/null +++ b/rules/Sigma/win_cobaltstrike_service_installs.yml @@ -0,0 +1,51 @@ +title: CobaltStrike Service Installations +author: Florian Roth, Wojciech Lesicki +date: 2021/05/26 +description: Detects known malicious service installs that appear in cases in which + a Cobalt Strike beacon elevates privileges or lateral movement +detection: + SELECTION_1: + EventID: 7045 + SELECTION_10: + ImagePath: '*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*' + SELECTION_2: + ImagePath: '*ADMIN$*' + SELECTION_3: + ImagePath: '*.exe*' + SELECTION_4: + ImagePath: '*%COMSPEC%*' + SELECTION_5: + ImagePath: '*start*' + SELECTION_6: + ImagePath: '*powershell*' + SELECTION_7: + ImagePath: '*powershell -nop -w hidden -encodedcommand*' + SELECTION_8: + ImagePath: '*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*' + SELECTION_9: + ImagePath: '*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*' + condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and + SELECTION_5 and SELECTION_6) or SELECTION_7 or (SELECTION_8 or SELECTION_9 + or SELECTION_10))) +falsepositives: +- Unknown +id: 5a105d34-05fc-401e-8553-272b45c1522d +level: critical +logsource: + product: windows + service: system +modified: 2021/09/21 +references: +- https://www.sans.org/webcasts/119395 +- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ +- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ +tags: +- attack.execution +- attack.privilege_escalation +- attack.lateral_movement +- attack.t1021.002 +- attack.t1543.003 +- attack.t1569.002 +yml_filename: win_cobaltstrike_service_installs.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin + 
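Review bot: The `SELECTION_2 and SELECTION_3` branch (`ImagePath` containing `ADMIN$` and `.exe`) is satisfied by any service whose binary is pushed over the admin share, which is also how PsExec-style administration tools install their helper service, yet `falsepositives` says `Unknown` and the level is `critical`. Either document that (`- Legitimate PsExec-style remote administration installing a service binary via ADMIN$`) or narrow the branch along the lines the referenced write-ups describe. The rule also lacks a `status:` key, and the three base64 fragments in SELECTION_8–10 deserve a comment noting they are the three alignments of the same encoded PowerShell download cradle, so nobody "deduplicates" them.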
diff --git a/rules/Sigma/win_commandline_path_traversal.yml b/rules/Sigma/win_commandline_path_traversal.yml new file mode 100644 index 00000000..059417b8 --- /dev/null +++ b/rules/Sigma/win_commandline_path_traversal.yml @@ -0,0 +1,34 @@ +title: Cmd.exe CommandLine Path Traversal +author: xknow @xknow_infosec +date: 2020/06/11 +description: detects the usage of path traversal in cmd.exe indicating possible command/argument + confusion/hijacking +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + ParentCommandLine: '*cmd*' + SELECTION_3: + ParentCommandLine: '*/c*' + SELECTION_4: + CommandLine: '*/../../*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- (not much) some benign Java tools may product false-positive commandlines for loading + libraries +id: 087790e3-3287-436c-bccf-cbd0184a7db1 +level: high +logsource: + category: process_creation + product: windows +references: +- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ +- https://twitter.com/Oddvarmoe/status/1270633613449723905 +status: experimental +tags: +- attack.execution +- attack.t1059.003 +- attack.t1059 +yml_filename: win_commandline_path_traversal.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_commandline_path_traversal_evasion.yml b/rules/Sigma/win_commandline_path_traversal_evasion.yml new file mode 100644 index 00000000..7987377d --- /dev/null +++ b/rules/Sigma/win_commandline_path_traversal_evasion.yml 
@@ -0,0 +1,37 @@ +title: Command Line Path Traversial Evasion +author: Christian Burkard +date: 2021/10/26 +description: Detects the attempt to evade or obfuscate the executed command on the + CommandLine using bogus path traversal +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + Image: '*\Windows\\*' + SELECTION_3: + CommandLine: '*\..\Windows\\*' + SELECTION_4: + CommandLine: '*\..\System32\\*' + SELECTION_5: + CommandLine: '*\..\..\\*' + SELECTION_6: + CommandLine: '*.exe\..\\*' + condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)) + or SELECTION_6)) +falsepositives: +- Unknown +id: 1327381e-6ab0-4f38-b583-4c1b8346a56b +level: high +logsource: + category: process_creation + product: windows +references: +- https://twitter.com/hexacorn/status/1448037865435320323 +- https://twitter.com/Gal_B1t/status/1062971006078345217 +status: experimental +tags: +- attack.defense_evasion +- attack.t1036 +yml_filename: win_commandline_path_traversal_evasion.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_control_panel_item.yml b/rules/Sigma/win_control_panel_item.yml new file mode 100644 index 00000000..7d034f6c --- /dev/null +++ b/rules/Sigma/win_control_panel_item.yml 
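Review bot: The `title` misspells the technique as `Traversial`; titles are what analysts search and pivot on, so it should read `title: Command Line Path Traversal Evasion` before this lands. The sibling rule at L544 spells it correctly (`Cmd.exe CommandLine Path Traversal`), so as written the two rules would not be found together by a search on the term.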
@@ -0,0 +1,43 @@ +title: Control Panel Items +author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) +date: 2020/06/22 +description: Detects the malicious use of a control panel item +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*.cpl' + SELECTION_3: + CommandLine: '*\System32\\*' + SELECTION_4: + CommandLine: '*%System%*' + SELECTION_5: + Image: '*\reg.exe' + SELECTION_6: + CommandLine: '*add*' + SELECTION_7: + CommandLine: '*CurrentVersion\\Control Panel\\CPLs*' + condition: (SELECTION_1 and ((SELECTION_2 and not ((SELECTION_3 or SELECTION_4))) + or (SELECTION_5 and SELECTION_6 and (SELECTION_7)))) +falsepositives: +- Unknown +id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 +level: critical +logsource: + category: process_creation + product: windows +modified: 2020/11/28 +references: +- https://attack.mitre.org/techniques/T1196/ +- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins +status: experimental +tags: +- attack.execution +- attack.defense_evasion +- attack.t1218.002 +- attack.t1196 +- attack.persistence +- attack.t1546 +yml_filename: win_control_panel_item.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_copying_sensitive_files_with_credential_data.yml b/rules/Sigma/win_copying_sensitive_files_with_credential_data.yml new file mode 100644 index 00000000..f858cfc6 --- /dev/null +++ b/rules/Sigma/win_copying_sensitive_files_with_credential_data.yml 
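Review bot: Backslash escaping is inconsistent within the same rule: SELECTION_3 writes `'*\System32\\*'` (single `\` before a literal character, `\\` only before the wildcard), while SELECTION_7 doubles every backslash, `'*CurrentVersion\\Control Panel\\CPLs*'`. Under Sigma's escaping rules `\\` before an ordinary character is still one literal backslash, so both forms should match, but a converter that takes the doubled form literally would require two backslashes in the command line and that branch would never fire; `CommandLine: '*CurrentVersion\Control Panel\CPLs*'` is unambiguous. `falsepositives: Unknown` at `level: critical` is also worth a second look, since SELECTION_2 alone matches any `.cpl` launched from outside System32.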
@@ -0,0 +1,63 @@ +title: Copying Sensitive Files with Credential Data +author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +date: 2019/10/22 +description: Files with well-known filenames (sensitive files with credential data) + copying +detection: + SELECTION_1: + EventID: 1 + SELECTION_10: + CommandLine: '*\repair\sam*' + SELECTION_11: + CommandLine: '*\repair\system*' + SELECTION_12: + CommandLine: '*\repair\security*' + SELECTION_13: + CommandLine: '*\config\RegBack\sam*' + SELECTION_14: + CommandLine: '*\config\RegBack\system*' + SELECTION_15: + CommandLine: '*\config\RegBack\security*' + SELECTION_2: + Image: '*\esentutl.exe' + SELECTION_3: + CommandLine: '*vss*' + SELECTION_4: + CommandLine: '* /m *' + SELECTION_5: + CommandLine: '* /y *' + SELECTION_6: + CommandLine: '*\windows\ntds\ntds.dit*' + SELECTION_7: + CommandLine: '*\config\sam*' + SELECTION_8: + CommandLine: '*\config\security*' + SELECTION_9: + CommandLine: '*\config\system *' + condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)) + or (SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 + or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15))) +falsepositives: +- Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation + by legitimate incident responder or forensic invetigator +id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f +level: high +logsource: + category: process_creation + product: windows +modified: 2019/11/13 +references: +- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ +- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ +status: experimental +tags: +- attack.credential_access +- attack.t1003.002 +- attack.t1003.003 +- attack.t1003 +- car.2013-07-001 +- attack.s0404 +yml_filename: win_copying_sensitive_files_with_credential_data.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_credential_access_via_password_filter.yml b/rules/Sigma/win_credential_access_via_password_filter.yml new file mode 100644 index 00000000..7515a025 --- /dev/null +++ b/rules/Sigma/win_credential_access_via_password_filter.yml 
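Review bot: SELECTION_9 `CommandLine: '*\config\system *'` carries a trailing space before the wildcard while its siblings (`'*\config\sam*'`, `'*\config\security*'`) do not; presumably this is deliberate, to avoid matching the `\config\systemprofile` directory, but nothing records that and the next maintainer will "fix" it. A comment above the line, `# trailing space is intentional: excludes \config\systemprofile\ paths`, preserves the intent. The same form also misses a command line where `\config\system` is the final token or is followed by a closing quote, which may be an acceptable trade-off but should be a conscious one.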
@@ -0,0 +1,34 @@ +title: Dropping Of Password Filter DLL +author: Sreeman +date: 2020/10/29 +description: Detects dropping of dll files in system32 that may be used to retrieve + user credentials from LSASS +detection: + SELECTION_1: + EventID: 1 + SELECTION_2: + CommandLine: '*HKLM\SYSTEM\CurrentControlSet\Control\Lsa*' + SELECTION_3: + CommandLine: '*scecli\0*' + SELECTION_4: + CommandLine: '*reg add*' + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) +falsepositives: +- unknown +id: b7966f4a-b333-455b-8370-8ca53c229762 +level: medium +logsource: + category: process_creation + product: windows +modified: 2021/06/11 +references: +- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/ +- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter +status: experimental +tags: +- attack.credential_access +- attack.t1174 +- attack.t1556.002 +yml_filename: win_credential_access_via_password_filter.yml +yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation + diff --git a/rules/Sigma/win_crime_fireball.yml b/rules/Sigma/win_crime_fireball.yml new file mode 100644 index 00000000..846a9165 --- /dev/null +++ b/rules/Sigma/win_crime_fireball.yml 
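Review bot: Title and description say the rule detects DLL files being dropped into System32, but the logic matches a `reg add` on `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` whose data contains `scecli\0` — that is, a modification of the LSA notification-package list that registers an additional package, not a file write. The `description` should state what is actually matched, e.g. `Detects registration of an additional LSA notification package (password filter) via reg add on the Lsa key`, so analysts know which artefact to pivot to. Listing `CommandLine` and `ParentCommandLine` under `fields`, as the sibling rules do, would also help triage.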
@@ -0,0 +1,35 @@
+title: Fireball Archer Install
+author: Florian Roth
+date: 2017/06/03
+description: Detects Archer malware invocation via rundll32
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*rundll32.exe*'
+ SELECTION_3:
+ CommandLine: '*InstallArcherSvc*'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
+- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+status: experimental
+tags:
+- attack.execution
+- attack.defense_evasion
+- attack.t1218.011
+- attack.t1085
+yml_filename: win_crime_fireball.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_crime_maze_ransomware.yml b/rules/Sigma/win_crime_maze_ransomware.yml
new file mode 100644
index 00000000..069902be
--- /dev/null
+++ b/rules/Sigma/win_crime_maze_ransomware.yml
@@ -0,0 +1,51 @@
+title: Maze Ransomware
+author: Florian Roth
+date: 2020/05/08
+description: Detects specific process characteristics of Maze ransomware word document
+ droppers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\WINWORD.exe'
+ SELECTION_3:
+ Image: '*.tmp'
+ SELECTION_4:
+ Image: '*\wmic.exe'
+ SELECTION_5:
+ ParentImage: '*\Temp\\*'
+ SELECTION_6:
+ CommandLine: '*shadowcopy delete'
+ SELECTION_7:
+ CommandLine: '*shadowcopy delete'
+ SELECTION_8:
+ CommandLine: '*\..\..\system32*'
+ condition: (SELECTION_1 and (((SELECTION_2) and (SELECTION_3)) or (SELECTION_4
+ and SELECTION_5 and SELECTION_6) or (SELECTION_7 and SELECTION_8)))
+falsepositives:
+- Unlikely
+fields:
+- ComputerName
+- User
+- Image
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/06/27
+references:
+- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+- https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+- https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204.002
+- attack.t1204
+- attack.t1047
+- attack.impact
+- attack.t1490
+yml_filename: win_crime_maze_ransomware.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_crime_snatch_ransomware.yml b/rules/Sigma/win_crime_snatch_ransomware.yml
new file mode 100644
index 00000000..40e2c9ff
--- /dev/null
+++ b/rules/Sigma/win_crime_snatch_ransomware.yml
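Review bot: SELECTION_6 and SELECTION_7 in this hunk are byte-identical (`CommandLine: '*shadowcopy delete'`), so the condition's `(SELECTION_7 and SELECTION_8)` branch can reference SELECTION_6 and SELECTION_7 can be removed; a duplicated selection looks like a conversion artifact and invites drift when only one copy is edited later. `ParentImage: '*\Temp\\*'` presumably relies on the trailing `\\*` escape to mean a literal backslash followed by a wildcard; a one-line comment saying so would help, since the same shape appears in SELECTION_4 of win_cve_2021_1675_printspooler_del.yml.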
@@ -0,0 +1,33 @@
+title: Snatch Ransomware
+author: Florian Roth
+date: 2020/08/26
+description: Detects specific process characteristics of Snatch ransomware word document
+ droppers
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*shutdown /r /f /t 00*'
+ SELECTION_3:
+ CommandLine: '*net stop SuperBackupMan*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
+fields:
+- ComputerName
+- User
+- Image
+id: 5325945e-f1f0-406e-97b8-65104d393fff
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
+status: experimental
+tags:
+- attack.execution
+- attack.t1204
+yml_filename: win_crime_snatch_ransomware.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_crypto_mining_monero.yml b/rules/Sigma/win_crypto_mining_monero.yml
new file mode 100644
index 00000000..a2818862
--- /dev/null
+++ b/rules/Sigma/win_crypto_mining_monero.yml
@@ -0,0 +1,56 @@
+title: Windows Crypto Mining Indicators
+author: Florian Roth
+date: 2021/10/26
+description: Detects command line parameters or strings often used by crypto miners
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*0tZG9uYXRlLWxldmVsP*'
+ SELECTION_11:
+ CommandLine: '*tLWRvbmF0ZS1sZXZlbD*'
+ SELECTION_12:
+ CommandLine: '*c3RyYXR1bSt0Y3A6Ly*'
+ SELECTION_13:
+ CommandLine: '*N0cmF0dW0rdGNwOi8v*'
+ SELECTION_14:
+ CommandLine: '*zdHJhdHVtK3RjcDovL*'
+ SELECTION_15:
+ CommandLine: '*c3RyYXR1bSt1ZHA6Ly*'
+ SELECTION_16:
+ CommandLine: '*N0cmF0dW0rdWRwOi8v*'
+ SELECTION_17:
+ CommandLine: '*zdHJhdHVtK3VkcDovL*'
+ SELECTION_2:
+ CommandLine: '* --cpu-priority=*'
+ SELECTION_3:
+ CommandLine: '*--donate-level=0*'
+ SELECTION_4:
+ CommandLine: '* -o pool.*'
+ SELECTION_5:
+ CommandLine: '* --nicehash*'
+ SELECTION_6:
+ CommandLine: '* --algo=rx/0 *'
+ SELECTION_7:
+ CommandLine: '*stratum+tcp://*'
+ SELECTION_8:
+ CommandLine: '*stratum+udp://*'
+ SELECTION_9:
+ CommandLine: '*LS1kb25hdGUtbGV2ZWw9*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
+ or SELECTION_16 or SELECTION_17))
+falsepositives:
+- Legitimate use of crypto miners
+id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://www.poolwatch.io/coin/monero
+status: stable
+yml_filename: win_crypto_mining_monero.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_cve_2021_1675_printspooler.yml b/rules/Sigma/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 00000000..43de7412
--- /dev/null
+++ b/rules/Sigma/win_cve_2021_1675_printspooler.yml
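Review bot: This rule has no `tags` block while every other rule in this batch maps to ATT&CK; `tags:` with `- attack.impact` and `- attack.t1496` (Resource Hijacking) is the conventional mapping for coin-miner command lines. SELECTION_9–SELECTION_17 appear to be the three base64 alignments of the `--donate-level` and `stratum+tcp://` / `stratum+udp://` strings matched in plain text by SELECTION_3, SELECTION_7 and SELECTION_8; a one-line comment above SELECTION_9 saying so would spare the next maintainer decoding them to find out what they cover.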
@@ -0,0 +1,36 @@
+title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+author: Florian Roth
+date: 2021/06/29
+description: Detects the default filename used in PoC code against print spooler vulnerability
+ CVE-2021-1675
+detection:
+ SELECTION_1:
+ EventID: 11
+ SELECTION_2:
+ TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\old\1\123*'
+ SELECTION_3:
+ TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\New\\*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- TargetFilename
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+level: critical
+logsource:
+ category: file_event
+ product: windows
+modified: 2021/07/01
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/afwu/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+status: experimental
+tags:
+- attack.execution
+- attack.privilege_escalation
+- cve.2021.1675
+yml_filename: win_cve_2021_1675_printspooler.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
+
diff --git a/rules/Sigma/win_cve_2021_1675_printspooler_del.yml b/rules/Sigma/win_cve_2021_1675_printspooler_del.yml
new file mode 100644
index 00000000..52f770f6
--- /dev/null
+++ b/rules/Sigma/win_cve_2021_1675_printspooler_del.yml
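Review bot: SELECTION_3 (`TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\New\\*'`) matches any file created under the spooler's `New` staging directory, which to my knowledge is also written during legitimate point-and-print driver installation, yet `falsepositives` says `Unknown` and `level` is critical. Either record the expected noise from driver installs under `falsepositives` or narrow SELECTION_3 so that it no longer covers the whole directory. The leading `*` before `C:` in both patterns is redundant for a full-path field and can be dropped.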
@@ -0,0 +1,35 @@
+title: Windows Spooler Service Suspicious File Deletion
+author: Bhabesh Raj
+date: 2021/07/01
+description: Detect DLL deletions from Spooler Service driver folder
+detection:
+ SELECTION_1:
+ EventID: 23
+ SELECTION_2:
+ EventID: 26
+ SELECTION_3:
+ Image: '*spoolsv.exe'
+ SELECTION_4:
+ TargetFilename: '*C:\Windows\System32\spool\drivers\x64\3\\*'
+ condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
+level: high
+logsource:
+ category: file_delete
+ product: windows
+modified: 2021/08/24
+references:
+- https://github.com/hhlxf/PrintNightmare
+- https://github.com/cube0x0/CVE-2021-1675
+status: experimental
+tags:
+- attack.persistence
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1574
+- cve.2021.1675
+yml_filename: win_cve_2021_1675_printspooler_del.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_delete
+
diff --git a/rules/Sigma/win_data_compressed_with_rar.yml b/rules/Sigma/win_data_compressed_with_rar.yml
new file mode 100644
index 00000000..481264e6
--- /dev/null
+++ b/rules/Sigma/win_data_compressed_with_rar.yml
@@ -0,0 +1,42 @@
+title: Data Compressed - rar.exe
+author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+date: 2019/10/21
+description: An adversary may compress data (e.g., sensitive documents) that is collected
+ prior to exfiltration in order to make it portable and minimize the amount of
+ data sent over the network.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\rar.exe'
+ SELECTION_3:
+ CommandLine: '* a *'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Highly likely if rar is a default archiver in the monitored environment.
+fields:
+- Image
+- CommandLine
+- User
+- LogonGuid
+- Hashes
+- ParentProcessGuid
+- ParentCommandLine
+id: 6f3e2987-db24-4c78-a860-b4f4095a7095
+level: low
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1002
+- attack.collection
+- attack.t1560.001
+yml_filename: win_data_compressed_with_rar.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/Sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 00000000..bc2091be
--- /dev/null
+++ b/rules/Sigma/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,32 @@
+title: DCERPC SMB Spoolss Named Pipe
+author: OTR (Open Threat Research)
+date: 2018/11/28
+description: Detects the use of the spoolss named pipe over SMB. This can be used
+ to trigger the authentication via NTLM of any machine that has the spoolservice
+ enabled.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ ShareName: \\*\IPC$
+ SELECTION_3:
+ RelativeTargetName: spoolss
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Domain Controllers acting as printer servers too? :)
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+level: medium
+logsource:
+ product: windows
+ service: security
+references:
+- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+- https://twitter.com/_dirkjan/status/1309214379003588608
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+yml_filename: win_dce_rpc_smb_spoolss_named_pipe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_dcom_iertutil_dll_hijack.yml b/rules/Sigma/win_dcom_iertutil_dll_hijack.yml
new file mode 100644
index 00000000..d1ffffd1
--- /dev/null
+++ b/rules/Sigma/win_dcom_iertutil_dll_hijack.yml
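Review bot: Event 5145 is only written when the `Audit Detailed File Share` subcategory is enabled, which it is not by default, but this rule gives no `logsource.definition` stating that requirement, unlike win_defender_bypass.yml and win_disable_event_logging.yml in the same commit; without it the rule is silently dead on most hosts. Add `definition: 'Requirements: Audit Policy : Object Access > Audit Detailed File Share (Success)'` under `logsource`; the same applies to the next hunk, win_dcom_iertutil_dll_hijack.yml, which also keys on 5145. In the description, `spoolservice` should read `spooler service`.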
@@ -0,0 +1,31 @@
+title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+date: 2020/10/12
+description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program
+ Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer
+ DLL Hijack scenario.
+detection:
+ SELECTION_1:
+ EventID: 5145
+ SELECTION_2:
+ RelativeTargetName: '*\Internet Explorer\iertutil.dll'
+ SELECTION_3:
+ SubjectUserName: '*$'
+ condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
+falsepositives:
+- Unknown
+id: c39f0c81-7348-4965-ab27-2fde35a1b641
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1021.002
+- attack.t1021.003
+yml_filename: win_dcom_iertutil_dll_hijack.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_dcsync.yml b/rules/Sigma/win_dcsync.yml
new file mode 100644
index 00000000..bf388fb9
--- /dev/null
+++ b/rules/Sigma/win_dcsync.yml
@@ -0,0 +1,42 @@
+title: Mimikatz DC Sync
+author: Benjamin Delpy, Florian Roth, Scott Dermott
+date: 2018/06/03
+description: Detects Mimikatz DC sync security events
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ Properties: '*Replicating Directory Changes All*'
+ SELECTION_3:
+ Properties: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+ SELECTION_4:
+ SubjectDomainName: Window Manager
+ SELECTION_5:
+ SubjectUserName: NT AUTHORITY*
+ SELECTION_6:
+ SubjectUserName: MSOL_*
+ SELECTION_7:
+ SubjectUserName: '*$'
+ condition: ((((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
+ and not ((SELECTION_5 or SELECTION_6))) and not (SELECTION_7))
+falsepositives:
+- Valid DC Sync that is not covered by the filters; please report
+- Local Domain Admin account used for Azure AD Connect
+id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
+level: high
+logsource:
+ product: windows
+ service: security
+modified: 2021/08/09
+references:
+- https://twitter.com/gentilkiwi/status/1003236624925413376
+- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+status: experimental
+tags:
+- attack.credential_access
+- attack.s0002
+- attack.t1003
+- attack.t1003.006
+yml_filename: win_dcsync.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_defender_amsi_trigger.yml b/rules/Sigma/win_defender_amsi_trigger.yml
new file mode 100644
index 00000000..abc9cd76
--- /dev/null
+++ b/rules/Sigma/win_defender_amsi_trigger.yml
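Review bot: The `not (SELECTION_7)` filter (`SubjectUserName: '*$'`) drops every machine account from this rule, so a replication request made under a computer account is never raised; that is a reasonable noise filter for DC-to-DC replication, but it is a coverage gap that should be stated under `falsepositives` or in the description rather than left implicit. Likewise `NT AUTHORITY*` and `MSOL_*` are prefix-only matches, so any account whose name merely starts with those strings is silently excluded. A short comment above SELECTION_4–SELECTION_7 naming the intent of each exclusion (`# filter: Azure AD Connect sync account`, etc.) would make later tuning safer.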
@@ -0,0 +1,27 @@
+title: Windows Defender AMSI Trigger Detected
+author: Bhabesh Raj
+date: 2020/09/14
+description: Detects triggering of AMSI by Windows Defender.
+detection:
+ SELECTION_1:
+ EventID: 1116
+ SELECTION_2:
+ Source_Name: AMSI
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unlikely
+id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/10/13
+references:
+- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+status: stable
+tags:
+- attack.execution
+- attack.t1059
+yml_filename: win_defender_amsi_trigger.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_bypass.yml b/rules/Sigma/win_defender_bypass.yml
new file mode 100644
index 00000000..19c6923b
--- /dev/null
+++ b/rules/Sigma/win_defender_bypass.yml
@@ -0,0 +1,35 @@
+title: Windows Defender Exclusion Set
+author: '@BarryShooshooga'
+date: 2019/10/26
+description: Detects scenarios where an windows defender exclusion was added in registry
+ where an entity would want to bypass antivirus scanning from windows defender
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ EventID: 4656
+ SELECTION_3:
+ EventID: 4660
+ SELECTION_4:
+ EventID: 4663
+ SELECTION_5:
+ ObjectName: '*\Microsoft\Windows Defender\Exclusions\\*'
+ condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5)
+falsepositives:
+- Intended inclusions by administrator
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit
+ Policy, Registry System Access Control (SACL): Auditing/User'
+ product: windows
+ service: security
+references:
+- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: win_defender_bypass.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_disabled.yml b/rules/Sigma/win_defender_disabled.yml
new file mode 100644
index 00000000..3baa51e3
--- /dev/null
+++ b/rules/Sigma/win_defender_disabled.yml
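Review bot: `falsepositives: - Intended inclusions by administrator` should read `exclusions`, since SELECTION_5 matches the `\Windows Defender\Exclusions\` registry path. The `definition` line already says a SACL on that key is required for 4657/4656/4660/4663 to be emitted, and that is the more common deployment gap: without the SACL this rule is silent rather than noisy, which is worth spelling out so a zero-hit rule is not mistaken for a clean environment. The description's `an windows defender` should read `a Windows Defender`.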
@@ -0,0 +1,33 @@
+title: Windows Defender Threat Detection Disabled
+author: "J\xE1n Tren\u010Dansk\xFD, frack113"
+date: 2020/07/28
+description: Detects disabling Windows Defender threat protection
+detection:
+ SELECTION_1:
+ EventID: 5001
+ SELECTION_2:
+ EventID: 5010
+ SELECTION_3:
+ EventID: 5012
+ SELECTION_4:
+ EventID: 5101
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Administrator actions
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/09/21
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: win_defender_disabled.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_exclusions.yml b/rules/Sigma/win_defender_exclusions.yml
new file mode 100644
index 00000000..6d7046aa
--- /dev/null
+++ b/rules/Sigma/win_defender_exclusions.yml
@@ -0,0 +1,28 @@
+title: Windows Defender Exclusions Added
+author: Christian Burkard
+date: 2021/07/06
+description: Detects the Setting of Windows Defender Exclusions
+detection:
+ SELECTION_1:
+ EventID: 5007
+ SELECTION_2:
+ New_Value: '*\Microsoft\Windows Defender\Exclusions*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Administrator actions
+id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+level: medium
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/10/13
+references:
+- https://twitter.com/_nullbind/status/1204923340810543109
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: win_defender_exclusions.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_history_delete.yml b/rules/Sigma/win_defender_history_delete.yml
new file mode 100644
index 00000000..0a59b493
--- /dev/null
+++ b/rules/Sigma/win_defender_history_delete.yml
@@ -0,0 +1,32 @@
+title: Windows Defender Malware Detection History Deletion
+author: Cian Heasley
+date: 2020/08/13
+description: Windows Defender logs when the history of detected infections is deleted.
+ Log file will contain the message "Windows Defender Antivirus has removed history
+ of malware and other potentially unwanted software".
+detection:
+ SELECTION_1:
+ EventID: 1013
+ SELECTION_2:
+ EventType: 4
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Deletion of Defender malware detections history for legitimate reasons
+fields:
+- EventID
+- EventType
+id: 2afe6582-e149-11ea-87d0-0242ac130003
+level: high
+logsource:
+ product: windows
+ service: windefend
+modified: 2021/05/30
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070.001
+yml_filename: win_defender_history_delete.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_psexec_wmi_asr.yml b/rules/Sigma/win_defender_psexec_wmi_asr.yml
new file mode 100644
index 00000000..a8178e3b
--- /dev/null
+++ b/rules/Sigma/win_defender_psexec_wmi_asr.yml
@@ -0,0 +1,34 @@
+title: PSExec and WMI Process Creations Block
+author: Bhabesh Raj
+date: 2020/07/14
+description: Detects blocking of process creations originating from PSExec and WMI
+ commands
+detection:
+ SELECTION_1:
+ EventID: 1121
+ SELECTION_2:
+ ProcessName: '*\wmiprvse.exe'
+ SELECTION_3:
+ ProcessName: '*\psexesvc.exe'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
+level: high
+logsource:
+ definition: 'Requirements:Enabled Block process creations originating from PSExec
+ and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
+ product: windows_defender
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
+- https://twitter.com/duff22b/status/1280166329660497920
+status: experimental
+tags:
+- attack.execution
+- attack.lateral_movement
+- attack.t1047
+- attack.t1035
+- attack.t1569.002
+yml_filename: win_defender_psexec_wmi_asr.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_tamper_protection_trigger.yml b/rules/Sigma/win_defender_tamper_protection_trigger.yml
new file mode 100644
index 00000000..32dae926
--- /dev/null
+++ b/rules/Sigma/win_defender_tamper_protection_trigger.yml
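Review bot: `logsource` here uses `product: windows_defender`, whereas every other Defender rule in this commit (win_defender_amsi_trigger.yml, win_defender_disabled.yml, win_defender_exclusions.yml, win_defender_history_delete.yml, win_defender_tamper_protection_trigger.yml, win_defender_threat.yml) uses `product: windows` with `service: windefend`; a log-source mapping keyed on the latter pair will never route events to this rule. Change it to `product: windows` and `service: windefend` unless the consumer deliberately treats the two spellings as aliases, in which case say so in a comment. The `definition` value is also missing a space after `Requirements:`.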
@@ -0,0 +1,30 @@
+title: Microsoft Defender Tamper Protection Trigger
+author: Bhabesh Raj
+date: 2021/07/05
+description: Detects block of attempt to disable real time protection of Microsoft
+ Defender by tamper protection
+detection:
+ SELECTION_1:
+ EventID: 5013
+ SELECTION_2:
+ Value: '*\Windows Defender\DisableAntiSpyware = 0x1()'
+ SELECTION_3:
+ Value: '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+ condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Administrator actions
+id: 49e5bc24-8b86-49f1-b743-535f332c2856
+level: critical
+logsource:
+ product: windows
+ service: windefend
+references:
+- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+status: stable
+tags:
+- attack.defense_evasion
+- attack.t1089
+- attack.t1562.001
+yml_filename: win_defender_tamper_protection_trigger.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_defender_threat.yml b/rules/Sigma/win_defender_threat.yml
new file mode 100644
index 00000000..e159af0a
--- /dev/null
+++ b/rules/Sigma/win_defender_threat.yml
@@ -0,0 +1,30 @@
+title: Windows Defender Threat Detected
+author: "J\xE1n Tren\u010Dansk\xFD"
+date: 2020/07/28
+description: Detects all actions taken by Windows Defender malware detection engines
+detection:
+ SELECTION_1:
+ EventID: 1006
+ SELECTION_2:
+ EventID: 1116
+ SELECTION_3:
+ EventID: 1015
+ SELECTION_4:
+ EventID: 1117
+ condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- unlikely
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+level: high
+logsource:
+ product: windows
+ service: windefend
+references:
+- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+- attack.execution
+- attack.t1059
+yml_filename: win_defender_threat.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
+
diff --git a/rules/Sigma/win_detecting_fake_instances_of_hxtsr.yml b/rules/Sigma/win_detecting_fake_instances_of_hxtsr.yml
new file mode 100644
index 00000000..25fe9f8b
--- /dev/null
+++ b/rules/Sigma/win_detecting_fake_instances_of_hxtsr.yml
@@ -0,0 +1,32 @@
+title: Detecting Fake Instances Of Hxtsr.exe
+author: Sreeman
+date: 2020/04/17
+description: HxTsr.exe is a Microsoft compressed executable file called Microsoft
+ Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in
+ a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version
+ number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe".
+ Any instances of hxtsr.exe not in this folder may be malware camouflaging itself
+ as HxTsr.exe
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: hxtsr.exe
+ SELECTION_3:
+ CurrentDirectory|re: (?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- unknown
+id: 4e762605-34a8-406d-b72e-c1a089313320
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+modified: 2021/07/07
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
+yml_filename: win_detecting_fake_instances_of_hxtsr.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_disable_event_logging.yml b/rules/Sigma/win_disable_event_logging.yml
new file mode 100644
index 00000000..ed80d72c
--- /dev/null
+++ b/rules/Sigma/win_disable_event_logging.yml
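Review bot: `SELECTION_2: Image: hxtsr.exe` is an exact match, but for a Sysmon EventID 1 record `Image` carries the full path, so it will never equal the bare file name; the sibling rules use the `'*\xwizard.exe'` shape and `Image: '*\hxtsr.exe'` is what is needed here. The `not (SELECTION_3)` filter has the mirror problem: its regex ends in `hxtsr\.exe` yet is applied to `CurrentDirectory`, a directory field, so the filter never matches and the `not` is vacuous — apply it to the image path instead (`Image|re: ...`). Separately, as an unquoted plain scalar each `\\\\` reaches the regex engine as two escaped backslashes, which would only match paths with doubled separators; worth checking against the converter's escaping rules before relying on it.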
@@ -0,0 +1,40 @@
+title: Disabling Windows Event Auditing
+author: '@neu5ron'
+date: 2017/11/19
+description: 'Detects scenarios where system auditing (ie: windows event log auditing)
+ is disabled. This may be used in a scenario where an entity would want to bypass
+ local logging to evade detection when windows event logging is enabled and reviewed.
+ Also, it is recommended to turn off "Local Group Policy Object Processing" via
+ GPO, which will make sure that Active Directory GPOs take precedence over local/edited
+ computer policies via something such as "gpedit.msc". Please note, that disabling
+ "Local Group Policy Object Processing" may cause an issue in scenarios of one
+ off specific GPO modifications -- however it is recommended to perform these modifications
+ in Active Directory anyways.'
+detection:
+ SELECTION_1:
+ EventID: 4719
+ SELECTION_2:
+ AuditPolicyChanges: '*%%8448*'
+ SELECTION_3:
+ AuditPolicyChanges: '*%%8450*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+level: high
+logsource:
+ definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
+ Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+ Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization
+ Policy Change'
+ product: windows
+ service: security
+references:
+- https://bit.ly/WinLogsZero2Hero
+tags:
+- attack.defense_evasion
+- attack.t1054
+- attack.t1562.002
+yml_filename: win_disable_event_logging.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_dll_sideload_xwizard.yml b/rules/Sigma/win_dll_sideload_xwizard.yml
new file mode 100644
index 00000000..6850abcb
--- /dev/null
+++ b/rules/Sigma/win_dll_sideload_xwizard.yml
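Review bot: The only reference is a URL shortener (`- https://bit.ly/WinLogsZero2Hero`); a short code can be repointed by whoever controls it and the target cannot be audited from the rule itself, so replace it with the resolved permanent URL. The `%%8448` / `%%8450` tokens in SELECTION_2 and SELECTION_3 are Windows message-resource ids rather than readable text; a comment above each (`# %%8448 = Success removed`, `# %%8450 = Failure removed`) would let a reader check the rule without looking them up.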
@@ -0,0 +1,30 @@
+title: Xwizard DLL Sideloading
+author: Christian Burkard
+date: 2021/09/20
+description: Detects the execution of Xwizard tool from the non-default directory
+ which can be used to sideload a custom xwizards.dll
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\xwizard.exe'
+ SELECTION_3:
+ Image: C:\Windows\System32\\*
+ condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
+falsepositives:
+- Windows installed on non-C drive
+id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1574.002
+yml_filename: win_dll_sideload_xwizard.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_dns_exfiltration_tools_execution.yml b/rules/Sigma/win_dns_exfiltration_tools_execution.yml
new file mode 100644
index 00000000..2305388c
--- /dev/null
+++ b/rules/Sigma/win_dns_exfiltration_tools_execution.yml
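Review bot: The filter in SELECTION_3 (`Image: C:\Windows\System32\\*`) is drive-letter specific, which is exactly the false positive the rule itself lists (`Windows installed on non-C drive`); `Image: '*\Windows\System32\xwizard.exe'` removes that dependency while keeping the intent, and since the condition already requires SELECTION_2 the filter can name the binary rather than the whole directory. Quoting it also avoids an unquoted plain scalar that begins with a drive letter and ends in `\\*`, the one value in this hunk that is not quoted like its siblings.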
@@ -0,0 +1,33 @@
+title: DNS Exfiltration and Tunneling Tools Execution
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+description: Well-known DNS Exfiltration tools execution
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ Image: '*\iodine.exe'
+ SELECTION_3:
+ Image: '*\dnscat2*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- "Legitimate usage of iodine or dnscat2 \u2014 DNS Exfiltration tools (unlikely)"
+id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
+level: high
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+status: experimental
+tags:
+- attack.exfiltration
+- attack.t1048.001
+- attack.t1048
+- attack.command_and_control
+- attack.t1071.004
+- attack.t1071
+- attack.t1132.001
+- attack.t1132
+yml_filename: win_dns_exfiltration_tools_execution.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_dnscat2_powershell_implementation.yml b/rules/Sigma/win_dnscat2_powershell_implementation.yml
new file mode 100644
index 00000000..77ecd5c1
--- /dev/null
+++ b/rules/Sigma/win_dnscat2_powershell_implementation.yml
@@ -0,0 +1,42 @@
+title: DNSCat2 Powershell Implementation Detection Via Process Creation
+author: Cian Heasley
+date: 2020/08/08
+description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries.
+ Counting nslookup processes spawned by PowerShell will show hundreds or thousands
+ of instances if PS DNSCat2 is active locally.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ ParentImage: '*\powershell.exe'
+ SELECTION_3:
+ Image: '*\nslookup.exe'
+ SELECTION_4:
+ CommandLine: '*\nslookup.exe'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)| count(Image)
+ by ParentImage > 100
+falsepositives:
+- Other powershell scripts that call nslookup.exe
+fields:
+- Image
+- CommandLine
+- ParentImage
+id: b11d75d6-d7c1-11ea-87d0-0242ac130003
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://github.com/lukebaggett/dnscat2-powershell
+- https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html
+- https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
+status: experimental
+tags:
+- attack.command_and_control
+- attack.t1071
+- attack.t1071.004
+- attack.t1001.003
+- attack.t1041
+yml_filename: win_dnscat2_powershell_implementation.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_dpapi_domain_backupkey_extraction.yml b/rules/Sigma/win_dpapi_domain_backupkey_extraction.yml
new file mode 100644
index 00000000..f10e185a
--- /dev/null
+++ b/rules/Sigma/win_dpapi_domain_backupkey_extraction.yml
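Review bot: The aggregation `| count(Image) by ParentImage > 100` groups on the ParentImage path string, so every `powershell.exe` on every host lands in one bucket and the threshold is reached fleet-wide without any single process spawning hundreds of lookups; there is also no time window, so the count is unbounded. Group on a per-process key such as `ParentProcessGuid` (or at least `ComputerName`) and add a `timeframe` so the threshold means what the description says. `SELECTION_4: CommandLine: '*\nslookup.exe'` only counts invocations whose command line ends in the binary name, i.e. with no arguments; if that is deliberate, a comment above it should say why.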
@@ -0,0 +1,32 @@
+title: DPAPI Domain Backup Key Extraction
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/06/20
+description: Detects tools extracting LSA secret DPAPI domain backup key from Domain
+ Controllers
+detection:
+ SELECTION_1:
+ EventID: 4662
+ SELECTION_2:
+ ObjectType: SecretObject
+ SELECTION_3:
+ AccessMask: '0x2'
+ SELECTION_4:
+ ObjectName: BCKUPKEY
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: 4ac1f50b-3bd0-4968-902d-868b4647937e
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
+yml_filename: win_dpapi_domain_backupkey_extraction.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/Sigma/win_dpapi_domain_masterkey_backup_attempt.yml
new file mode 100644
index 00000000..76492e13
--- /dev/null
+++ b/rules/Sigma/win_dpapi_domain_masterkey_backup_attempt.yml
@@ -0,0 +1,30 @@
+title: DPAPI Domain Master Key Backup Attempt
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects anyone attempting a backup for the DPAPI Master Key. This events
+ gets generated at the source and not the Domain Controller.
+detection:
+ SELECTION_1:
+ EventID: 4692
+ condition: SELECTION_1
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- SubjectDomainName
+- SubjectUserName
+id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
+status: experimental
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.004
+yml_filename: win_dpapi_domain_masterkey_backup_attempt.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_encoded_frombase64string.yml b/rules/Sigma/win_encoded_frombase64string.yml
new file mode 100644
index 00000000..23add9b0
--- /dev/null
+++ b/rules/Sigma/win_encoded_frombase64string.yml
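Review bot: `EventID: 4692` with no further selection fires on every master-key backup attempt, and by my reading of that event a domain-joined client also logs it when it legitimately creates or renews a user's DPAPI master key and backs it up to a DC — yet the rule ships as `level: critical` with `falsepositives: Unknown`, which will page on routine activity. I would document that case, e.g. `- Legitimate DPAPI master key creation/renewal on domain-joined hosts`, and either lower the level until the rule is tuned or narrow it (audit-failure keyword, unexpected `SubjectUserName`, or correlation with the 4662 BCKUPKEY rule added in this same diff). The description also has a typo: `This events gets generated` should read `This event gets generated`.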
@@ -0,0 +1,35 @@
+title: Encoded FromBase64String
+author: Florian Roth
+date: 2019/08/24
+description: Detects a base64 encoded FromBase64String keyword in a process command
+ line
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*OjpGcm9tQmFzZTY0U3RyaW5n*'
+ SELECTION_3:
+ CommandLine: '*o6RnJvbUJhc2U2NFN0cmluZ*'
+ SELECTION_4:
+ CommandLine: '*6OkZyb21CYXNlNjRTdHJpbm*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4))
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: win_encoded_frombase64string.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_encoded_iex.yml b/rules/Sigma/win_encoded_iex.yml
new file mode 100644
index 00000000..57a79a4b
--- /dev/null
+++ b/rules/Sigma/win_encoded_iex.yml
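Review bot: The tag list carries both `attack.t1059.001` and `attack.t1086`; T1086 is the retired pre-sub-technique PowerShell ID that T1059.001 replaced, so keeping both is redundant and trips ATT&CK-validating tooling. Drop `- attack.t1086`. A smaller consistency nit: `falsepositives: - unknown` is lowercase here while the DPAPI rules in this same diff spell it `Unknown`.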
@@ -0,0 +1,53 @@
+title: Encoded IEX
+author: Florian Roth
+date: 2019/08/23
+description: Detects a base64 encoded IEX command string in a process command line
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*pZXggKE5ld*'
+ SELECTION_11:
+ CommandLine: '*SUVYIChOZX*'
+ SELECTION_12:
+ CommandLine: '*lFWCAoTmV3*'
+ SELECTION_13:
+ CommandLine: '*JRVggKE5ld*'
+ SELECTION_2:
+ CommandLine: '*SUVYIChb*'
+ SELECTION_3:
+ CommandLine: '*lFWCAoW*'
+ SELECTION_4:
+ CommandLine: '*JRVggKF*'
+ SELECTION_5:
+ CommandLine: '*aWV4IChb*'
+ SELECTION_6:
+ CommandLine: '*lleCAoW*'
+ SELECTION_7:
+ CommandLine: '*pZXggKF*'
+ SELECTION_8:
+ CommandLine: '*aWV4IChOZX*'
+ SELECTION_9:
+ CommandLine: '*lleCAoTmV3*'
+ condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+ or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
+ or SELECTION_11 or SELECTION_12 or SELECTION_13))
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 88f680b8-070e-402c-ae11-d2914f2257f1
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: win_encoded_iex.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_etw_modification.yml b/rules/Sigma/win_etw_modification.yml
new file mode 100644
index 00000000..9e26520b
--- /dev/null
+++ b/rules/Sigma/win_etw_modification.yml
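Review bot: All twelve patterns are base64 of the ASCII bytes of `IEX (` / `iex (` (for example `SUVYIChb` decodes to `IEX ([`), so the rule does not cover the most common place an encoded IEX lands on a command line: a `powershell -EncodedCommand` payload, which PowerShell encodes from UTF-16LE and where the same text begins `SQBFAFgAIAAo` rather than `SUVYICh`. If `-enc` payloads are in scope, add the UTF-16LE-derived fragments as further selections — by my computation the offset-0 uppercase form is `CommandLine: '*SQBFAFgAIAAo*'`; please recompute the lowercase and bit-shifted variants rather than trusting mine. Separately, `attack.t1086` is the retired ID that the already-listed `attack.t1059.001` supersedes and can be dropped.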
@@ -0,0 +1,38 @@
+title: COMPlus_ETWEnabled Registry Modification
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+ SELECTION_1:
+ EventID: 4657
+ SELECTION_2:
+ ObjectName: '*\SOFTWARE\Microsoft\.NETFramework'
+ SELECTION_3:
+ ObjectValueName: ETWEnabled
+ SELECTION_4:
+ NewValue: '0'
+ condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- unknown
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+level: critical
+logsource:
+ product: windows
+ service: security
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1112
+yml_filename: win_etw_modification.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_etw_modification_cmdline.yml b/rules/Sigma/win_etw_modification_cmdline.yml
new file mode 100644
index 00000000..1a687362
--- /dev/null
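Review bot: Security event 4657 is only emitted when the "Audit Registry" object-access subcategory is enabled and the target key carries a SACL auditing Set Value; nothing in this rule tells a deployer that, so on a default-audited host it is silently dead while still labelled `level: critical`. State the prerequisite in the description or a note line, e.g. `Requires object access auditing (4657) with a SACL on HKLM\SOFTWARE\Microsoft\.NETFramework`. The ends-with pattern `'*\SOFTWARE\Microsoft\.NETFramework'` also will not match the `\SOFTWARE\Wow6432Node\Microsoft\.NETFramework` path a 32-bit process is redirected to; if that case matters, `'*\Microsoft\.NETFramework'` covers both.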
+++ b/rules/Sigma/win_etw_modification_cmdline.yml
@@ -0,0 +1,35 @@
+title: COMPlus_ETWEnabled Command Line Arguments
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_2:
+ CommandLine: '*COMPlus_ETWEnabled=0*'
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- unknown
+id: 41421f44-58f9-455d-838a-c398859841d4
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+modified: 2020/08/29
+references:
+- https://twitter.com/_xpn_/status/1268712093928378368
+- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+- https://bunnyinside.com/?term=f71e8cb9c76a
+- http://managed670.rssing.com/chan-5590147/all_p1.html
+- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1562
+yml_filename: win_etw_modification_cmdline.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_etw_trace_evasion.yml b/rules/Sigma/win_etw_trace_evasion.yml
new file mode 100644
index 00000000..63c2e508
--- /dev/null
+++ b/rules/Sigma/win_etw_trace_evasion.yml
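Review bot: `CommandLine: '*COMPlus_ETWEnabled=0*'` only catches the literal `NAME=0` spelling, so `set COMPlus_ETWEnabled = 0`, `$env:COMPlus_ETWEnabled = '0'`, `setx COMPlus_ETWEnabled 0` and `[Environment]::SetEnvironmentVariable('COMPlus_ETWEnabled','0')` all slip past a rule rated critical. Since this variable has essentially no business appearing on a command line, I would match the name alone, `CommandLine: '*COMPlus_ETWEnabled*'`, and accept the small false-positive cost rather than enumerate spellings. For consistency with the ETW trace rule added later in this diff, which tags the same evasion as `attack.t1562.006`, consider the sub-technique here instead of the bare `attack.t1562`.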
@@ -0,0 +1,73 @@
+title: Disable of ETW Trace
+author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
+date: 2019/03/22
+description: Detects a command that clears or disables any ETW trace log which could
+ indicate a logging evasion.
+detection:
+ SELECTION_1:
+ EventID: 1
+ SELECTION_10:
+ CommandLine: '*Remove-EtwTraceProvider*'
+ SELECTION_11:
+ CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
+ SELECTION_12:
+ CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
+ SELECTION_13:
+ CommandLine: '*Set-EtwTraceProvider*'
+ SELECTION_14:
+ CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
+ SELECTION_15:
+ CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
+ SELECTION_16:
+ CommandLine: '*0x11*'
+ SELECTION_17:
+ CommandLine: '*logman*'
+ SELECTION_18:
+ CommandLine: '*update*'
+ SELECTION_19:
+ CommandLine: '*trace*'
+ SELECTION_2:
+ CommandLine: '*cl*'
+ SELECTION_20:
+ CommandLine: '*--p*'
+ SELECTION_21:
+ CommandLine: '*-ets*'
+ SELECTION_3:
+ CommandLine: '*/Trace*'
+ SELECTION_4:
+ CommandLine: '*clear-log*'
+ SELECTION_5:
+ CommandLine: '*/Trace*'
+ SELECTION_6:
+ CommandLine: '*sl*'
+ SELECTION_7:
+ CommandLine: '*/e:false*'
+ SELECTION_8:
+ CommandLine: '*set-log*'
+ SELECTION_9:
+ CommandLine: '*/e:false*'
+ condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and
+ SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)
+ or (SELECTION_10 and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14
+ and SELECTION_15 and SELECTION_16) or (SELECTION_17 and SELECTION_18 and SELECTION_19
+ and SELECTION_20 and SELECTION_21)))
+falsepositives:
+- Unknown
+id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
+level: high
+logsource:
+ category: process_creation
+ product: windows
+references:
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+- https://abuse.io/lockergoga.txt
+-
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1070
+- attack.t1562.006
+- car.2016-04-002
+yml_filename: win_etw_trace_evasion.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+
diff --git a/rules/Sigma/win_event_log_cleared.yml b/rules/Sigma/win_event_log_cleared.yml
new file mode 100644
index 00000000..289fed37
--- /dev/null
+++ b/rules/Sigma/win_event_log_cleared.yml
@@ -0,0 +1,32 @@
+title: Security Event Log Cleared
+author: Saw Winn Naung
+date: 2021/08/15
+description: Checks for event id 1102 which indicates the security event log was cleared.
+detection:
+ SELECTION_1:
+ EventID: 1102
+ SELECTION_2:
+ Provider_Name: Microsoft-Windows-Eventlog
+ condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate administrative activity
+fields:
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SubjectDomainName
+id: a122ac13-daf8-4175-83a2-72c387be339d
+level: medium
+logsource:
+ product: windows
+ service: security
+modified: 2021/10/13
+references:
+- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+status: experimental
+tags:
+- attack.t1107
+- attack.t1070.001
+yml_filename: win_event_log_cleared.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+
diff --git a/rules/Sigma/win_exchange_proxylogon_oabvirtualdir.yml b/rules/Sigma/win_exchange_proxylogon_oabvirtualdir.yml
new file mode 100644
index 00000000..2412aa6e
--- /dev/null
+++ b/rules/Sigma/win_exchange_proxylogon_oabvirtualdir.yml
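Review bot: The wevtutil branches of the `condition` are anchored on nothing: `'*cl*'` and `'*sl*'` occur in a large share of ordinary command lines (`include`, `clear`, `.dll`, `slash`…), so `(SELECTION_2 and SELECTION_3)` effectively collapses to `'*/Trace*'` and `(SELECTION_6 and SELECTION_7)` to `'*/e:false*'`, with no check that wevtutil is the process being launched. I would add a selection `Image: '*\wevtutil.exe'` (or `CommandLine: '*wevtutil*'`) and AND it into those four pairs. The converter also emitted duplicate selections — 3 and 5 (`'*/Trace*'`), 7 and 9 (`'*/e:false*'`), 11 and 15, 12 and 14 — which are harmless but worth collapsing for readability.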
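Review bot: `attack.t1107` is a retired ATT&CK ID (File Deletion, folded into T1070.004) and does not describe log clearing at all, while the already-listed `attack.t1070.001` is the right technique; drop `- attack.t1107` and add the tactic tag `- attack.defense_evasion` so the tags are structured like the other defense-evasion rules in this diff. Since 1102 with `Provider_Name: Microsoft-Windows-Eventlog` covers only the Security log, the title is accurate, but it would help operators if the description noted that System/Application clears surface as event 104 and are not covered here.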
@@ -0,0 +1,24 @@
+title: ProxyLogon MSExchange OabVirtualDirectory
+author: Florian Roth
+date: 2021/08/09
+description: Detects specific patterns found after a successful ProxyLogon exploitation
+ in relation to a Commandlet invocation of Set-OabVirtualDirectory
+detection:
+ condition: ((OabVirtualDirectory and -ExternalUrl ) and (eval(request or http://f/