delete noisy-rules folder. not needed anymore (#287)

rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml

@@ -1,20 +0,0 @@
-title: PowerShell Execution Remote Command
-title_jp: Powershellのリモートコマンドの実行
-description: Powershell command executed remotely.
-description_jp: Powershell command executed remotely.
-author: Eric Conrad, Zach Mathis
-mitre_attack: T1059
-level: medium
-detection:
-    selection:
-        Channel: Microsoft-Windows-PowerShell/Operational
-        EventID: 4104
-        Path: null
-        ScriptBlockText|re: '.+'
-    # condition: selection
-falsepositives:
-    - normal system usage
-output: 'Command: %ScriptBlockText%'
-output: 'コマンド: %ScriptBlockText%'
-creation_date: 2020/11/08
-updated_date:  2021/11/06

rules-noisy/Security/4688.yml

@@ -1,14 +0,0 @@
-title: Command Line Logging
-description: Command line logging.
-author: Eric Conrad, Zach Mathis
-detection:
-    selection:
-        Channel: Security
-        EventID: 4688
-        CommandLine|re: '.+'
-    # condition: selection
-falsepositives:
-    - unknown
-output: 'CommandLine:%CommandLine%  :  ParentProcessName:%ParentProcessName%'
-creation_date: 2020/11/8
-updated_date: 2021/11/8

rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml

@@ -1,30 +0,0 @@
-title: Hidden Local User Creation
-author: Christian Burkard
-date: 2021/05/03
-description: Detects the creation of a local hidden user account which should not
-    happen for event ID 4720.
-detection:
-    SELECTION_1:
-        EventID: 4720
-    SELECTION_2:
-        TargetUserName: '*$'
-    condition: (SELECTION_1 and SELECTION_2)
-falsepositives:
-- unknown
-fields:
-- EventCode
-- AccountName
-id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
-level: high
-logsource:
-    product: windows
-    service: security
-references:
-- https://twitter.com/SBousseaden/status/1387743867663958021
-status: experimental
-tags:
-- attack.persistence
-- attack.t1136.001
-yml_filename: win_hidden_user_creation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml

@@ -1,32 +0,0 @@
-title: User Added to Local Administrators
-author: Florian Roth
-date: 2017/03/14
-description: This rule triggers on user accounts that are added to the local Administrators
-    group, which could be legitimate activity or a sign of privilege escalation activity
-detection:
-    SELECTION_1:
-        EventID: 4732
-    SELECTION_2:
-        TargetUserName: Administr*
-    SELECTION_3:
-        TargetSid: S-1-5-32-544
-    SELECTION_4:
-        SubjectUserName: '*$'
-    condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
-falsepositives:
-- Legitimate administrative activity
-id: c265cf08-3f99-46c1-8d59-328247057d57
-level: medium
-logsource:
-    product: windows
-    service: security
-modified: 2021/07/07
-status: stable
-tags:
-- attack.privilege_escalation
-- attack.t1078
-- attack.persistence
-- attack.t1098
-yml_filename: win_user_added_to_local_administrators.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml

@@ -1,33 +0,0 @@
-title: Local User Creation
-author: Patrick Bareiss
-date: 2019/04/18
-description: Detects local user creation on windows servers, which shouldn't happen
-    in an Active Directory environment. Apply this Sigma Use Case on your windows
-    server logs and not on your DC logs.
-detection:
-    SELECTION_1:
-        EventID: 4720
-    condition: SELECTION_1
-falsepositives:
-- Domain Controller Logs
-- Local accounts managed by privileged account management tools
-fields:
-- EventCode
-- AccountName
-- AccountDomain
-id: 66b6be3d-55d0-4f47-9855-d69df21740ea
-level: low
-logsource:
-    product: windows
-    service: security
-modified: 2020/08/23
-references:
-- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
-status: experimental
-tags:
-- attack.persistence
-- attack.t1136
-- attack.t1136.001
-yml_filename: win_user_creation.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/sysmon_wmi_event_subscription.yml

@@ -1,27 +0,0 @@
-title: WMI Event Subscription
-author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-description: Detects creation of WMI event subscription persistence method
-detection:
-    SELECTION_1:
-        EventID: 19
-    SELECTION_2:
-        EventID: 20
-    SELECTION_3:
-        EventID: 21
-    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3)
-falsepositives:
-- exclude legitimate (vetted) use of WMI event subscription in your network
-id: 0f06a3a5-6a09-413f-8743-e6cf35561297
-level: high
-logsource:
-    category: wmi_event
-    product: windows
-status: experimental
-tags:
-- attack.t1084
-- attack.persistence
-- attack.t1546.003
-yml_filename: sysmon_wmi_event_subscription.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/wmi_event
-

rules-noisy/Sigma/win_metasploit_authentication.yml

@@ -1,40 +0,0 @@
-title: Metasploit SMB Authentication
-author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-description: Alerts on Metasploit host's authentications on the domain.
-detection:
-    SELECTION_1:
-        EventID: 4625
-    SELECTION_2:
-        EventID: 4624
-    SELECTION_3:
-        LogonType: 3
-    SELECTION_4:
-        AuthenticationPackageName: NTLM
-    SELECTION_5:
-        WorkstationName|re: ^[A-Za-z0-9]{16}$
-    SELECTION_6:
-        ProcessName|re: ^$
-    SELECTION_7:
-        EventID: 4776
-    SELECTION_8:
-        Workstation|re: ^[A-Za-z0-9]{16}$
-    condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and
-        SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8))
-falsepositives:
-- Linux hostnames composed of 16 characters.
-id: 72124974-a68b-4366-b990-d30e0b2a190d
-level: high
-logsource:
-    product: windows
-    service: security
-modified: 2021/07/07
-references:
-- https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
-tags:
-- attack.lateral_movement
-- attack.t1077
-- attack.t1021.002
-yml_filename: win_metasploit_authentication.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/win_multiple_suspicious_cli.yml

@@ -1,109 +0,0 @@
-title: Quick Execution of a Series of Suspicious Commands
-author: juju4
-date: 2019/01/16
-description: Detects multiple suspicious process in a limited timeframe
-detection:
-    SELECTION_1:
-        EventID: 1
-    SELECTION_10:
-        CommandLine: '*nbtstat.exe*'
-    SELECTION_11:
-        CommandLine: '*net.exe*'
-    SELECTION_12:
-        CommandLine: '*netsh.exe*'
-    SELECTION_13:
-        CommandLine: '*nslookup.exe*'
-    SELECTION_14:
-        CommandLine: '*ping.exe*'
-    SELECTION_15:
-        CommandLine: '*quser.exe*'
-    SELECTION_16:
-        CommandLine: '*qwinsta.exe*'
-    SELECTION_17:
-        CommandLine: '*reg.exe*'
-    SELECTION_18:
-        CommandLine: '*runas.exe*'
-    SELECTION_19:
-        CommandLine: '*sc.exe*'
-    SELECTION_2:
-        CommandLine: '*arp.exe*'
-    SELECTION_20:
-        CommandLine: '*schtasks.exe*'
-    SELECTION_21:
-        CommandLine: '*ssh.exe*'
-    SELECTION_22:
-        CommandLine: '*systeminfo.exe*'
-    SELECTION_23:
-        CommandLine: '*taskkill.exe*'
-    SELECTION_24:
-        CommandLine: '*telnet.exe*'
-    SELECTION_25:
-        CommandLine: '*tracert.exe*'
-    SELECTION_26:
-        CommandLine: '*wscript.exe*'
-    SELECTION_27:
-        CommandLine: '*xcopy.exe*'
-    SELECTION_28:
-        CommandLine: '*pscp.exe*'
-    SELECTION_29:
-        CommandLine: '*copy.exe*'
-    SELECTION_3:
-        CommandLine: '*at.exe*'
-    SELECTION_30:
-        CommandLine: '*robocopy.exe*'
-    SELECTION_31:
-        CommandLine: '*certutil.exe*'
-    SELECTION_32:
-        CommandLine: '*vssadmin.exe*'
-    SELECTION_33:
-        CommandLine: '*powershell.exe*'
-    SELECTION_34:
-        CommandLine: '*wevtutil.exe*'
-    SELECTION_35:
-        CommandLine: '*psexec.exe*'
-    SELECTION_36:
-        CommandLine: '*bcedit.exe*'
-    SELECTION_37:
-        CommandLine: '*wbadmin.exe*'
-    SELECTION_38:
-        CommandLine: '*icacls.exe*'
-    SELECTION_39:
-        CommandLine: '*diskpart.exe*'
-    SELECTION_4:
-        CommandLine: '*attrib.exe*'
-    SELECTION_5:
-        CommandLine: '*cscript.exe*'
-    SELECTION_6:
-        CommandLine: '*dsquery.exe*'
-    SELECTION_7:
-        CommandLine: '*hostname.exe*'
-    SELECTION_8:
-        CommandLine: '*ipconfig.exe*'
-    SELECTION_9:
-        CommandLine: '*mimikatz.exe*'
-    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
-        or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
-        or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
-        or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
-        or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
-        or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
-        or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
-        or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39))| count()
-        by MachineName > 5
-falsepositives:
-- False positives depend on scripts and administrative tools used in the monitored
-    environment
-id: 61ab5496-748e-4818-a92f-de78e20fe7f1
-level: low
-logsource:
-    category: process_creation
-    product: windows
-modified: 2021/06/13
-references:
-- https://car.mitre.org/wiki/CAR-2013-04-002
-status: experimental
-tags:
-- car.2013-04-002
-yml_filename: win_multiple_suspicious_cli.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
-

rules-noisy/Sigma/win_powershell_script_installed_as_service.yml

@@ -1,29 +0,0 @@
-title: PowerShell Scripts Installed as Services
-author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-description: Detects powershell script installed as a Service
-detection:
-    SELECTION_1:
-        EventID: 7045
-    SELECTION_2:
-        ImagePath: '*powershell*'
-    SELECTION_3:
-        ImagePath: '*pwsh*'
-    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
-falsepositives:
-- Unknown
-id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
-level: high
-logsource:
-    product: windows
-    service: system
-modified: 2021/09/21
-references:
-- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-status: experimental
-tags:
-- attack.execution
-- attack.t1569.002
-yml_filename: win_powershell_script_installed_as_service.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/win_rare_schtasks_creations.yml

@@ -1,33 +0,0 @@
-title: Rare Schtasks Creations
-author: Florian Roth
-date: 2017/03/23
-description: Detects rare scheduled tasks creations that only appear a few times per
-    time frame and could reveal password dumpers, backdoor installs or other types
-    of malicious code
-detection:
-    SELECTION_1:
-        EventID: 4698
-    condition: SELECTION_1| count() by TaskName < 5
-falsepositives:
-- Software installation
-- Software updates
-id: b0d77106-7bb0-41fe-bd94-d1752164d066
-level: low
-logsource:
-    definition: The Advanced Audit Policy setting Object Access > Audit Other Object
-        Access Events has to be configured to allow this detection (not in the baseline
-        recommendations by Microsoft). We also recommend extracting the Command field
-        from the embedded XML in the event data.
-    product: windows
-    service: security
-status: experimental
-tags:
-- attack.execution
-- attack.privilege_escalation
-- attack.persistence
-- attack.t1053
-- car.2013-08-001
-- attack.t1053.005
-yml_filename: win_rare_schtasks_creations.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/win_rare_service_installs.yml

@@ -1,28 +0,0 @@
-title: Rare Service Installs
-author: Florian Roth
-date: 2017/03/08
-description: Detects rare service installs that only appear a few times per time frame
-    and could reveal password dumpers, backdoor installs or other types of malicious
-    services
-detection:
-    SELECTION_1:
-        EventID: 7045
-    condition: SELECTION_1| count() by ServiceFileName < 5
-falsepositives:
-- Software installation
-- Software updates
-id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
-level: low
-logsource:
-    product: windows
-    service: system
-status: experimental
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1050
-- car.2013-09-005
-- attack.t1543.003
-yml_filename: win_rare_service_installs.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/win_susp_failed_logons_single_source.yml

@@ -1,34 +0,0 @@
-title: Failed Logins with Different Accounts from Single Source System
-author: Florian Roth
-date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
-    single source system
-detection:
-    SELECTION_1:
-        EventID: 529
-    SELECTION_2:
-        EventID: 4625
-    SELECTION_3:
-        TargetUserName: '*'
-    SELECTION_4:
-        WorkstationName: '*'
-    condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)| count(TargetUserName)
-        by WorkstationName > 3
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-level: medium
-logsource:
-    product: windows
-    service: security
-modified: 2021/09/21
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
-yml_filename: win_susp_failed_logons_single_source.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/Sigma/win_susp_failed_logons_single_source2.yml

@@ -1,35 +0,0 @@
-title: Failed Logins with Different Accounts from Single Source System
-author: Florian Roth
-date: 2017/01/10
-description: Detects suspicious failed logins with different user accounts from a
-    single source system
-detection:
-    SELECTION_1:
-        EventID: 4776
-    SELECTION_2:
-        TargetUserName: '*'
-    SELECTION_3:
-        Workstation: '*'
-    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)| count(TargetUserName)
-        by Workstation > 3
-falsepositives:
-- Terminal servers
-- Jump servers
-- Other multiuser systems like Citrix server farms
-- Workstations with frequently changing users
-id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
-level: medium
-logsource:
-    product: windows
-    service: security
-modified: 2021/09/21
-related:
--   id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-    type: derived
-tags:
-- attack.persistence
-- attack.privilege_escalation
-- attack.t1078
-yml_filename: win_susp_failed_logons_single_source2.yml
-yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
-

rules-noisy/System/7036.yml

@@ -1,15 +0,0 @@
-title: The ... service entered the stopped|running state
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
-detection:
-    selection:
-        Channel: System
-        EventID: 7036
-        param1:
-            regexes: ./config/regex/regexes_suspicous_service.txt
-    condition: selection
-falsepositives:
-    - unknown
-output: 'Suspicious Service Name¥nService name: %ServiceName%'
-creation_date: 2020/11/8
-uodated_date: 2020/11/8