From b48f774b93353fa5a7136f8d2f39d475b814913e Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 24 Nov 2021 21:15:43 +0900 Subject: [PATCH 01/13] Feature/output unique detection#209 (#225) * checked contributors #141 - because RustyBlue code contributor(not hayabusa contributor) was mixed in hayabusa contributor * changed yaml count name * changed ruletype string #157 * fixed output of parse error #157 * fixed output * added level unique detection output #209 --- contributors.txt | 4 --- src/afterfact.rs | 2 +- src/detections/configs.rs | 2 +- src/detections/detection.rs | 52 +++++++++++++++++++++++++++++-------- src/detections/print.rs | 2 +- src/detections/rule/mod.rs | 3 +++ src/main.rs | 2 +- src/yaml.rs | 26 +++++++------------ 8 files changed, 57 insertions(+), 36 deletions(-) diff --git a/contributors.txt b/contributors.txt index 6b8fe43e..927b19a0 100644 --- a/contributors.txt +++ b/contributors.txt @@ -1,16 +1,12 @@ Hayabusa was possible thanks to the following people (in alphabetical order): Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc... -Dai (@__da13__): Developer DustInDark(@hitenkoku): Core developer, project management, sigma count implementation, rule creation, countless feature additions and fixes, etc… Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc... ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc... James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, etc… Kazuminn (@k2warugaki): Developer -Mimura (@mimura1133): Developer Yusuke Matsui (@apt773): AD hacking working group leader, rule testing, documentation, research, support, etc... -Siam (@siamease): Developer -Tsubokku (@ytsuboi0322): Japanese translations Zach Mathis (@yamatosecurity, Yamato Security Founder): Project leader, tool and concept design, rule creation and tuning, etc… diff --git a/src/afterfact.rs b/src/afterfact.rs index 15fd0fdf..47d4457b 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -82,7 +82,7 @@ fn emit_csv(writer: &mut W) -> Result<(), Box> { wtr.flush()?; println!(""); - println!("Events Detected:{:?}", detect_count); + println!("Total Events Detected:{:?}", detect_count); Ok(()) } diff --git a/src/detections/configs.rs b/src/detections/configs.rs index d3a8db51..b4b18c21 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -5,7 +5,7 @@ use std::collections::HashMap; use std::sync::RwLock; lazy_static! { pub static ref CONFIG: RwLock = RwLock::new(ConfigReader::new()); - pub static ref LEVELMAP: HashMap = { + pub static ref LEVELMAP: HashMap = { let mut levelmap = HashMap::new(); levelmap.insert("INFO".to_owned(), 1); levelmap.insert("LOW".to_owned(), 2); diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 2b435835..3f02c616 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -5,6 +5,7 @@ use serde_json::Value; use std::collections::HashMap; use tokio::{runtime::Runtime, spawn, task::JoinHandle}; +use crate::detections::configs; use crate::detections::print::AlertMessage; use crate::detections::print::MESSAGES; use crate::detections::rule; @@ -54,11 +55,6 @@ impl Detection { // ルールファイルのパースを実行 let mut rulefile_loader = ParseYaml::new(); let result_readdir = rulefile_loader.read_dir(rulespath.unwrap_or(DIRPATH_RULES), &level); - Detection::print_rule_load_info( - rulefile_loader.rulecounter, - rulefile_loader.parseerror_count, - rulefile_loader.ignore_count, - ); if result_readdir.is_err() { AlertMessage::alert( &mut std::io::stderr().lock(), @@ -67,7 +63,7 @@ impl Detection { .ok(); return vec![]; } - + let mut parseerror_count = rulefile_loader.errorrule_count; let return_if_success = |mut rule: RuleNode| { let err_msgs_result = rule.init(); if err_msgs_result.is_ok() { @@ -83,18 +79,24 @@ impl Detection { err_msgs.iter().for_each(|err_msg| { AlertMessage::warn(&mut std::io::stdout().lock(), err_msg.to_string()).ok(); }); + parseerror_count += 1; println!(""); // 一行開けるためのprintln }); return Option::None; }; - // parse rule files - return rulefile_loader + let ret = rulefile_loader .files .into_iter() .map(|rule_file_tuple| rule::create_rule(rule_file_tuple.0, rule_file_tuple.1)) .filter_map(return_if_success) .collect(); + Detection::print_rule_load_info( + &rulefile_loader.rulecounter, + &parseerror_count, + &rulefile_loader.ignorerule_count, + ); + return ret; } // 複数のイベントレコードに対して、複数のルールを1個実行します。 @@ -141,6 +143,34 @@ impl Detection { } } + pub fn print_unique_results(&self) { + let rules = &self.rules; + let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undeifned"]); + // levclcounts is [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] + let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); + for rule in rules.into_iter() { + if rule.check_exist_countdata() { + let suffix = configs::LEVELMAP + .get( + &rule.yaml["level"] + .as_str() + .unwrap_or("") + .to_owned() + .to_uppercase(), + ) + .unwrap_or(&0); + levelcounts[*suffix as usize] += 1; + } + } + let mut total_unique = 0; + levelcounts.reverse(); + for (i, value) in levelcounts.iter().enumerate() { + println!("{} alerts {}", levellabel[i], value); + total_unique += value; + } + println!("Unique Events Detected: {}", total_unique); + } + // 複数のイベントレコードに対して、ルールを1個実行します。 fn execute_rule(mut rule: RuleNode, records: Arc>) -> RuleNode { let records = &*records; @@ -210,9 +240,9 @@ impl Detection { return ret; } pub fn print_rule_load_info( - rc: HashMap, - parseerror_count: u128, - ignore_count: u128, + rc: &HashMap, + parseerror_count: &u128, + ignore_count: &u128, ) { let mut total = parseerror_count + ignore_count; rc.into_iter().for_each(|(key, value)| { diff --git a/src/detections/print.rs b/src/detections/print.rs index 708f183f..95563ecc 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -161,7 +161,7 @@ impl Message { detect_count += detect_infos.len(); } println!(""); - println!("Events Detected:{:?}", detect_count); + println!("Total Events Detected:{:?}", detect_count); } pub fn iter(&self) -> &BTreeMap, Vec> { diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index b636bc10..11f2eda8 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -102,6 +102,9 @@ impl RuleNode { } return ret; } + pub fn check_exist_countdata(&self) -> bool { + self.countdata.len() > 0 + } } /// Ruleファイルのdetectionを表すノード diff --git a/src/main.rs b/src/main.rs index 9db674d1..081ff838 100644 --- a/src/main.rs +++ b/src/main.rs @@ -130,8 +130,8 @@ fn analysis_files(evtx_files: Vec) { } detection = analysis_file(evtx_file, detection); } - after_fact(); + detection.print_unique_results(); } // Windowsイベントログファイルを1ファイル分解析する。 diff --git a/src/yaml.rs b/src/yaml.rs index 47044bbb..792d7790 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -15,8 +15,8 @@ use yaml_rust::YamlLoader; pub struct ParseYaml { pub files: Vec<(String, yaml_rust::Yaml)>, pub rulecounter: HashMap, - pub ignore_count: u128, - pub parseerror_count: u128, + pub ignorerule_count: u128, + pub errorrule_count: u128, } impl ParseYaml { @@ -24,8 +24,8 @@ impl ParseYaml { ParseYaml { files: Vec::new(), rulecounter: HashMap::new(), - ignore_count: 0, - parseerror_count: 0, + ignorerule_count: 0, + errorrule_count: 0, } } @@ -73,7 +73,7 @@ impl ParseYaml { read_content.unwrap_err() ), )?; - self.parseerror_count += 1; + self.errorrule_count += 1; return io::Result::Ok(ret); } @@ -88,7 +88,7 @@ impl ParseYaml { yaml_contents.unwrap_err() ), )?; - self.parseerror_count += 1; + self.errorrule_count += 1; return io::Result::Ok(ret); } @@ -105,21 +105,13 @@ impl ParseYaml { .filter_map(|(filepath, yaml_doc)| { // ignoreフラグがONになっているルールは無視する。 if yaml_doc["ignore"].as_bool().unwrap_or(false) { - self.ignore_count += 1; + self.ignorerule_count += 1; return Option::None; } self.rulecounter.insert( - yaml_doc["rulesection"] - .as_str() - .unwrap_or("other") - .to_string(), + yaml_doc["ruletype"].as_str().unwrap_or("other").to_string(), self.rulecounter - .get( - &yaml_doc["rulesection"] - .as_str() - .unwrap_or("other") - .to_string(), - ) + .get(&yaml_doc["ruletype"].as_str().unwrap_or("other").to_string()) .unwrap_or(&0) + 1, ); From df0279c4d11a51b398c91b9bab60794ae33d5c69 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 26 Nov 2021 15:34:16 +0900 Subject: [PATCH 02/13] rule updates-2021-11-26 (#233) * rule updates-2021-11-26 * adjust trivial change in pull request issue coment Co-authored-by: DustInDark --- config/eventkey_alias.txt | 90 +++++++------------ ...radeAttack_PowershellV2DowngradeAttack.yml | 24 +++-- ...PowerShell_PowershellExecutionPipeline.yml | 22 ----- ...earWindowsEventLogs_SecurityLogCleared.yml | 18 ++-- ...eralMovement_LogonFailure-UnknownError.yml | 28 ++++++ ...ralMovement_LogonFailure-WrongPassword.yml | 25 ++++++ ...ralMovement_LogonFailure-WrongUsername.yml | 25 ++++++ ...ltiple_UnknownProcessUsedHighPrivilege.yml | 48 ++++++++++ ...nt-LocalAccount_ComputerAccountCreated.yml | 16 ++-- ...ccount-LocalAccount_UserAccountCreated.yml | 12 ++- ...pulation_UserAddedToGlobalDomainAdmins.yml | 31 +++++++ ...ulation_UserAddedToGlobalSecurityGroup.yml | 30 +++++++ ...n_UserAddedToLocalAdministratorsGroup.yml} | 19 ++-- ...tion_UserAddedToLocalDomainAdminsGroup.yml | 29 ++++++ ...pulation_UserAddedToLocalSecurityGroup.yml | 32 +++++++ .../4732-useraddedtolocaladmingroup.yml | 15 ---- ...OrForgeKerberosTickets_AS-REP-Roasting.yml | 11 +-- ...alOrForgeKerberosTickets_Kerberoasting.yml | 7 +- ...ClearWindowsEventLogs_SystemLogCleared.yml | 15 ++-- ...Logging_EventLogServiceStartupDisabled.yml | 4 +- ...ndowsService_MaliciousServiceInstalled.yml | 4 +- .../59_BITS-Jobs_BitsJobCreation.yml | 11 +-- ...PowerShell_PowershellExecutionPipeline.yml | 30 +++++++ .../Logons/4624_LogonType-0-System.yml | 22 +++-- .../4624_LogonType-10-RemoteInteractive.yml | 22 +++-- .../4624_LogonType-11-CachedInteractive.yml | 22 +++-- ...4_LogonType-12-CachedRemoteInteractive.yml | 22 +++-- .../Logons/4624_LogonType-13-CachedUnlock.yml | 22 +++-- .../Logons/4624_LogonType-2-Interactive.yml | 22 +++-- .../Logons/4624_LogonType-3-Network.yml | 24 +++-- .../Logons/4624_LogonType-4-Batch.yml | 22 +++-- .../Logons/4624_LogonType-5-Service.yml | 26 ++++-- .../Logons/4624_LogonType-7-Unlock.yml | 22 +++-- .../4624_LogonType-8-NetworkCleartext.yml | 24 +++-- .../4624_LogonType-9-NewInteractive.yml | 22 +++-- .../Security/Logons/4625_LogonFailure.yml | 14 --- .../events/Security/Logons/4634_Logoff.yml | 24 +++-- .../Logons/4647_LogoffUserInitiated.yml | 22 +++-- .../Security/Logons/4672_AdminLogon.yml | 24 +++-- .../Logons/4768_KerberosTGT-Request.yml | 22 +++-- .../4769_KerberosServiceTicketRequest.yml | 22 +++-- .../Logons/4776_NTLM-LogonToLocalAccount.yml | 22 +++-- .../8001_WirelessAP-Connect.yml | 24 +++++ 43 files changed, 688 insertions(+), 304 deletions(-) delete mode 100644 rules/hayabusa/alerts/PowershellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml create mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml create mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml create mode 100644 rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml create mode 100644 rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml create mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml create mode 100644 rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml rename rules/hayabusa/alerts/Security/{4728_AccountManipulation_UserAddedToLocalAdministratorsGroup.yml => 4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml} (56%) create mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml create mode 100644 rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml delete mode 100644 rules/hayabusa/alerts/Security/4732-useraddedtolocaladmingroup.yml create mode 100644 rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml delete mode 100644 rules/hayabusa/events/Security/Logons/4625_LogonFailure.yml create mode 100644 rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt index 26fa1c93..d7ea313a 100644 --- a/config/eventkey_alias.txt +++ b/config/eventkey_alias.txt @@ -1,79 +1,40 @@ -alias,event_key -EventID,Event.System.EventID -Channel,Event.System.Channel -CommandLine,Event.EventData.CommandLine -ParentProcessName,Event.EventData.ParentProcessName -Signed,Event.EventData.Signed -ProcessName,Event.EventData.ProcessName -AccessMask,Event.EventData.AccessMask -TargetUserName,Event.EventData.TargetUserName -param1,Event.EventData.param1 -param2,Event.EventData.param2 -ServiceName,Event.EventData.ServiceName -ImagePath,Event.EventData.ImagePath -ContextInfo,Event.EventData.ContextInfo -Path,Event.EventData.Path -ScriptBlockText,Event.EventData.ScriptBlockText -MemberName,Event.EventData.MemberName -MemberSid,Event.EventData.MemberSid -TargetSid,Event.EventData.TargetSid -LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName -LogFileClearedSubjectUserName,Event.UserData.SubjectUserName -SubjectUserName,Event.EventData.SubjectUserName -SubjectUserSid,Event.EventData.SubjectUserSid -DomainName,Event.EventData.SubjectDomainName -TicketEncryptionType,Event.EventData.TicketEncryptionType -PreAuthType,Event.EventData.PreAuthType -TaskName,Event.EventData.TaskName -WorkStationName,Event.EventData.WorkStationName -Workstation,Event.EventData.WorkstationName -UserName,Event.EventData.UserName -ServiceFileName,Event.EventData.ServiceFileName -ComputerName,Event.System.Computer -Account_Name,Event.EventData.Account_Name -Source_Network_Address,Event.EventData.Source_Network_Address -Caller_Process_Name,Event.EventData.Caller_Process_Name -Computer,Event.System.Computer -Client_Address,Event.EventData.Client_Address -Logon_Account,Event.EventData.Logon_Account -Source_WorkStation,Event.EventData.Source_WorkStation -SourceAddress,Event.EventData.SourceAddress -SubjectLogonId,Event.EventData.SubjectLogonId -Image,Event.EventData.Image -ParentImage,Event.EventData.ParentImage -MachineName,Event.EventData.MachineName -QueryName,Event.EventData.QueryName -Accesses,Event.EventData.Accesses AccessList,Event.EventData.AccessList AccessMask,Event.EventData.AccessMask +Accesses,Event.EventData.Accesses AccountName,Event.EventData.AccountName +Account_Name,Event.EventData.Account_Name AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName AttributeValue,Event.EventData.AttributeValue AuditPolicyChanges,Event.EventData.AuditPolicyChanges AuditSourceName,Event.EventData.AuditSourceName AuthenticationPackageName,Event.EventData.AuthenticationPackageName -AuthenticationPackageName,Event.EventData.AuthenticationPackageName -CallingProcessName,Event.EventData.CallingProcessName CallTrace,Event.EventData.CallTrace +Caller_Process_Name,Event.EventData.Caller_Process_Name +CallingProcessName,Event.EventData.CallingProcessName +Channel,Event.System.Channel +Client_Address,Event.EventData.Client_Address CommandLine,Event.EventData.CommandLine Company,Event.EventData.Company +Computer,Event.System.Computer +ComputerName,Event.System.Computer ContextInfo,Event.EventData.ContextInfo CurrentDirectory,Event.EventData.CurrentDirectory Description,Event.EventData.Description +DestPort,Event.EventData.DestPort Destination,Event.EventData.Destination DestinationAddress,Event.EventData.DestinationAddress DestinationHostname,Event.EventData.DestinationHostname DestinationIp,Event.EventData.DestinationIp DestinationIsIpv6,Event.EventData.DestinationIsIpv6 DestinationPort,Event.EventData.DestinationPort -DestPort,Event.EventData.DestPort Details,Event.EventData.Details DetectionSource,Event.EventData.DetectionSource Device,Event.EventData.Device DeviceClassName,Event.EventData.DeviceClassName DeviceDescription,Event.EventData.DeviceDescription DeviceName,Event.EventData.DeviceName +DomainName,Event.EventData.SubjectDomainName EngineVersion,Event.EventData.EngineVersion EventID,Event.System.EventID EventType,Event.EventData.EventType @@ -94,15 +55,21 @@ Imphash,Event.EventData.Hashes Initiated,Event.EventData.Initiated IntegrityLevel,Event.EventData.IntegrityLevel IpAddress,Event.EventData.IpAddress +IpPort,Event.EventData.IpPort +JobTitle,Event.EventData.name KeyLength,Event.EventData.KeyLength Keywords,Event.System.Keywords -keywords,Event.System.Keywords -LayerRTID,Event.EventData.LayerRTID LDAPDisplayName,Event.EventData.LDAPDisplayName +LayerRTID,Event.EventData.LayerRTID Level,Event.System.Level +LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName LogonId,Event.EventData.LogonId LogonProcessName,Event.EventData.LogonProcessName LogonType,Event.EventData.LogonType +Logon_Account,Event.EventData.Logon_Account +MachineName,Event.EventData.MachineName +MemberName,Event.EventData.MemberName +MemberSid,Event.EventData.MemberSid Message,Event.EventData NewName,Event.EventData.NewName NewValue,Event.EventData.NewValue @@ -112,16 +79,18 @@ ObjectServer,Event.EventData.ObjectServer ObjectType,Event.EventData.ObjectType ObjectValueName,Event.EventData.ObjectValueName Origin,Event.EventData.Origin -OriginalFilename,Event.EventData.OriginalFileName OriginalFileName,Event.EventData.OriginalFileName +OriginalFilename,Event.EventData.OriginalFileName ParentCommandLine,Event.EventData.ParentCommandLine ParentImage,Event.EventData.ParentImage ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel +ParentProcessName,Event.EventData.ParentProcessName ParentUser,Event.EventData.ParentUser PasswordLastSet,Event.EventData.PasswordLastSet Path,Event.EventData.Path Payload,Event.EventData.Payload PipeName,Event.EventData.PipeName +PreAuthType,Event.EventData.PreAuthType PrivilegeList,Event.EventData.PrivilegeList ProcessCommandLine,Event.EventData.ProcessCommandLine ProcessName,Event.EventData.ProcessName @@ -134,7 +103,6 @@ QueryStatus,Event.EventData.QueryStatus RelativeTargetName,Event.EventData.RelativeTargetName SAMAccountName,Event.EventData.SamAccountName ScriptBlockText,Event.EventData.ScriptBlockText -service,Event.EventData.Service Service,Event.EventData.Service ServiceFileName,Event.EventData.ServiceFileName ServiceName,Event.EventData.ServiceName @@ -148,28 +116,34 @@ SourceAddress,Event.EventData.SourceAddress SourceImage,Event.EventData.SourceImage SourceNetworkAddress,Event.EventData.SourceNetworkAddress SourcePort,Event.EventData.SourcePort +Source_Network_Address,Event.EventData.Source_Network_Address +Source_WorkStation,Event.EventData.Source_WorkStation StartFunction,Event.EventData.StartFunction StartModule,Event.EventData.StartModule Status,Event.EventData.Status +SubStatus,Event.EventData.SubStatus SubjectDomainName,Event.EventData.SubjectDomainName SubjectLogonId,Event.EventData.SubjectLogonId SubjectUserName,Event.EventData.SubjectUserName SubjectUserSid,Event.EventData.SubjectUserSid +TargetDomainName,Event.EventData.TargetDomainName TargetFilename,Event.EventData.TargetFilename TargetImage,Event.EventData.TargetImage TargetLogonId,Event.EventData.TargetLogonId TargetName,Event.EventData.TargetServerName TargetObject,Event.EventData.TargetObject TargetProcessAddress,Event.EventData.TargetProcessAddress +TargetSid,Event.EventData.TargetSid TargetUserName,Event.EventData.TargetUserName TaskName,Event.EventData.TaskName TicketEncryptionType,Event.EventData.TicketEncryptionType TicketOptions,Event.EventData.TicketOptions +Url,Event.EventData.url User,Event.EventData.User +UserName,Event.EventData.UserName Workstation,Event.EventData.Workstation WorkstationName,Event.EventData.WorkstationName -JobTitle,Event.EventData.name -Url,Event.EventData.url -IpPort,Event.EventData.IpPort -SubStatus,Event.EventData.SubStatus -TargetDomainName,Event.EventData.TargetDomainName \ No newline at end of file +keywords,Event.System.Keywords +param1,Event.EventData.param1 +param2,Event.EventData.param2 +service,Event.EventData.Service diff --git a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml b/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml index 0161bd76..ec1f5fd6 100644 --- a/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml +++ b/rules/hayabusa/alerts/PowershellOperational/400_ImpairDefenses-DowngradeAttack_PowershellV2DowngradeAttack.yml @@ -1,11 +1,17 @@ +author: Yusuke Matsui, Yamato Security +date: 2020/11/08 +modified: 2021/11/22 + title: Powershell 2.0 Downgrade Attack title_jp: Powershell 2.0へのダウングレード攻撃 +output: 'Powershell 2.0 downgrade attack detected!' +output_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!' description: An attacker may have started Powershell 2.0 to evade detection. description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。 -author: Yuskue Matsui, Zach Mathis -contributor: James Takai, itiB -mitre_attack: T1562.010 + +id: bc082394-73e6-4d00-a9af-e7b524ef5085 level: medium +status: test detection: selection: Channel: Microsoft-Windows-PowerShell/Operational @@ -13,7 +19,11 @@ detection: EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*' falsepositives: - legacy application -output: 'Powershell 2.0 downgrade attack detected!' -output_jp: 'Powershell 2.0へんおダウングレード攻撃は検知された!' -creation_date: 2020/11/08 -updated_date: 2021/11/06 +tags: + - attack.defense_evasion + - attack.t1562.010 + - lolbas +references: + - https://attack.mitre.org/techniques/T1562/010/ + - https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/ +ruletype: hayabusa diff --git a/rules/hayabusa/alerts/PowershellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/alerts/PowershellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml deleted file mode 100644 index 24253e10..00000000 --- a/rules/hayabusa/alerts/PowershellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml +++ /dev/null @@ -1,22 +0,0 @@ -title: PowerShell Execution Pipeline -title_jp: PowerShell実行 -description: Displays powershell execution -description_jp: Powershellの実行を出力する。 -author: Eric Conrad -contributor: Zach Mathis -mitre_attack: T1059.001 -level: medium -detection: - selection: - Channel: Microsoft-Windows-PowerShell/Operational - EventID: 4103 - ContextInfo: - - Host Application - - ホスト アプリケーション - # condition: selection -falsepositives: - - normal system usage -output: 'Command:%CommandLine%' -output_jp: 'コマンド:%CommandLine%' -creation_date: 2020/11/08 -updated_date: 2021/11/18 diff --git a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml b/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml index 28bbb408..d206de9a 100644 --- a/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml +++ b/rules/hayabusa/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml @@ -1,18 +1,14 @@ -#Author info -author: Eric Conrad, Zach Mathis -contributor: Akira Nishikawa, James Takai -creation_date: 2020/11/08 -uodated_date: 2021/11/22 +author: Eric Conrad, Yamato Security +date: 2020/11/08 +modified: 2021/11/25 -#Alert messages title: Security log was cleared title_jp: セキュリティログがクリアされた -output: "User: %LogFileCleared%%SubjectUserName%" -output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%" +output: "User: %LogFileClearedSubjectUserName%" +output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" description: Somebody has cleared the Security event log. description_jp: 誰かがセキュリティログをクリアした。 -#Detection rule id: c2f690ac-53f8-4745-8cfe-7127dda28c74 level: high status: stable @@ -27,4 +23,6 @@ tags: - attack.defense_evasion - attack.t1070.001 references: - - https://attack.mitre.org/techniques/T1070/001/ \ No newline at end of file + - https://attack.mitre.org/techniques/T1070/001/ +sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml new file mode 100644 index 00000000..171c3387 --- /dev/null +++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml @@ -0,0 +1,28 @@ +author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Failure - Unknown Reason +title_jp: ログオンに失敗 - 不明な理由 +output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' +output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' +description: Prints logon information. +description_jp: Prints logon information. + +id: a85096da-be85-48d7-8ad5-2f957cd74daa +level: low +status: stable +detection: + selection: + Channel: Security + EventID: 4625 + filter: + - SubStatus: "0xc0000064" + - SubStatus: "0xc000006a" + condition: selection and not filter +falsepositives: + - normal system usage +tags: +references: +sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml new file mode 100644 index 00000000..e9f587ab --- /dev/null +++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml @@ -0,0 +1,25 @@ +author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Failure - Wrong Password +title_jp: ログオンに失敗 - パスワードが間違っている +output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%' +output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%' +description: Prints logon information. +description_jp: Prints logon information. + +id: a85096da-be85-48d7-8ad5-2f957cd74daa +level: low +status: stable +detection: + selection: + Channel: Security + EventID: 4625 + SubStatus: "0xc000006a" +falsepositives: + - normal system usage +tags: +references: +sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml new file mode 100644 index 00000000..35c7936b --- /dev/null +++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml @@ -0,0 +1,25 @@ +author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Failure - Username does not exist +title_jp: ログオンに失敗 - ユーザ名は存在しない +output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' +output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : サブステータス: %SubStatus% : 認証パッケージ: %AuthenticationPackageName%' +description: Prints logon information. +description_jp: Prints logon information. + +id: a85096da-be85-48d7-8ad5-2f957cd74daa +level: informational +status: stable +detection: + selection: + Channel: Security + EventID: 4625 + SubStatus: "0xc0000064" +falsepositives: + - normal system usage +tags: +references: +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx +ruletype: hayabusa diff --git a/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml b/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml new file mode 100644 index 00000000..01c79f75 --- /dev/null +++ b/rules/hayabusa/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml @@ -0,0 +1,48 @@ +author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Unknown process used a high privilege +title_jp: 不明なプロセスが高い権限を使った +output: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%' +output_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%' +description: | + Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. + For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) + Disk wipers like bcwipe will also generate this. + More legitimate filepaths may have to be added to the filter. + This is marked as a medium alert as there is a high possibility for false positives. +description_jp: + +id: 5b6e58ee-c231-4a54-9eee-af2577802e08 +level: medium +status: stable +detection: + selection: + Channel: Security + EventID: 4673 + filter: + - ProcessName: C:\Windows\System32\net.exe + - ProcessName: C:\Windows\System32\lsass.exe + - ProcessName: C:\Windows\System32\audiodg.exe + - ProcessName: C:\Windows\System32\svchost.exe + - ProcessName: C:\Windows\System32\mmc.exe + - ProcessName: C:\Windows\System32\net.exe + - ProcessName: C:\Windows\explorer.exe + - ProcessName: C:\Windows\System32\SettingSyncHost.exe + - ProcessName: C:\Windows\System32\sdiagnhost.exe + - ProcessName|startswith: C:\Program Files + - SubjectUserName: LOCAL SERVICE + condition: selection and not filter +falsepositives: + - normal system usage +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1561 + - attack.impact +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673 + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 +sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml index 0f841e65..ff4d1519 100644 --- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml +++ b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml @@ -1,18 +1,14 @@ -#Author info -author: Eric Conrad, Zach Mathis -contributor: Akira Nishikawa, James Takai +author: Eric Conrad, Yamato Security creation_date: 2020/11/08 -uodated_date: 2021/11/22 +uodated_date: 2021/11/26 -#Alert messages -title: Hidden computer account created! (Possible Backdoor) -title_jp: セキュリティログがクリアされた +title: Hidden user account created! (Possible Backdoor) +title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり) output: 'User: %TargetUserName% : SID:%TargetSid%' output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden. -#Detection rule id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a level: high status: stable @@ -27,4 +23,6 @@ tags: - attack.persistence - attack.11136.001 references: - - https://attack.mitre.org/techniques/T1136/001/ \ No newline at end of file + - https://attack.mitre.org/techniques/T1136/001/ +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml index 53492dcf..1bafa9d0 100644 --- a/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml +++ b/rules/hayabusa/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml @@ -1,10 +1,7 @@ -#Author info -author: Eric Conrad, Zach Mathis -contributor: Akira Nishikawa, James Takai +author: Eric Conrad, Yamato Security creation_date: 2020/11/08 -uodated_date: 2021/11/22 +uodated_date: 2021/11/26 -#Alert messages title: Local user account created title_jp: ローカルユーザアカウントが作成された output: 'User: %TargetUserName% : SID:%TargetSid%' @@ -12,9 +9,8 @@ output_jp: 'ユーザ名: %TargetUserName% : SID:%TargetSid%' description: A local user account was created. description_jp: ローカルユーザアカウントが作成された. -#Detection rule id: 13edce80-2b02-4469-8de4-a3e37271dcdb -level: low +level: medium status: stable detection: selection: @@ -30,3 +26,5 @@ tags: - attack.11136.001 references: - https://attack.mitre.org/techniques/T1136/001/ +sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml new file mode 100644 index 00000000..6302e534 --- /dev/null +++ b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml @@ -0,0 +1,31 @@ +author: Zach Mathis +creation_date: 2020/11/08 +updated_date: 2021/11/26 + +title: User added to the global Domain Admins group +title_jp: ユーザがグローバルドメイン管理者グループに追加された +output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' +output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' +description: A user was added to the Domain Admins group. +description_jp: ユーザがドメイン管理者グループに追加された。 + +id: 4bb89c86-a138-42a0-baaf-fc2f777a4506 +level: high +status: stable +detection: + selection: + Channel: Security + EventID: 4728 + TargetUserName: Domain Admins + filter: + SubjectUserName|endswith: $ + condition: selection and not filter +falsepositives: + - system administrator +tags: + - attack.persistence + - attack.t1098 +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml new file mode 100644 index 00000000..5cc4fcbc --- /dev/null +++ b/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml @@ -0,0 +1,30 @@ +author: Eric Conrad, Zach Mathis +creation_date: 2020/11/08 +updated_date: 2021/11/22 + +title: User added to global security group +title_jp: ユーザがグローバルセキュリティグループに追加された +output: 'Member added: %MemberName% : SID: %MemberSid% : Group: %TargetUserName% : Subject user: %SubjectUserName% : Subject domain: %SubjectDomainName%' +output_jp: '追加されたメンバー: %MemberName% : SID: %MemberSid% : グループ: %TargetUserName% : サブジェクトユーザ: %SubjectUserName% : サブジェクトドメイン: %SubjectDomainName%' +description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action. +description_jp: ユーザがグローバルのセキュリティグループに追加された。 + +id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b +level: medium +status: stable +detection: + selection: + Channel: Security + EventID: 4728 + filter: + SubjectUserName|endswith: $ + condition: selection and not filter +falsepositives: + - system administrator +tags: + - attack.persistence + - attack.t1098 +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToLocalAdministratorsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml similarity index 56% rename from rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToLocalAdministratorsGroup.yml rename to rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml index 91127b40..ab188cfa 100644 --- a/rules/hayabusa/alerts/Security/4728_AccountManipulation_UserAddedToLocalAdministratorsGroup.yml +++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml @@ -1,24 +1,21 @@ -#Author info author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 -updated_date: 2021/11/22 +updated_date: 2021/11/26 -#Alert messages title: User added to local Administrators group title_jp: ユーザがローカル管理者グループに追加された -output: 'User: %MemberName% : SID: %MemberSid%' -output_jp: 'ユーザ: %MemberName% : SID: %MemberSid%' +output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' +output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' description: A user was added to the local Administrators group. -description_jp: ユーザがローカル管理者グループに追加された +description_jp: ユーザがローカル管理者グループに追加された。 -#Detection rule -id: cf8ee684-1634-4eac-826d-1155b5b421a6 +id: 611e2e76-a28f-4255-812c-eb8836b2f5bb level: high status: stable detection: selection: Channel: Security - EventID: 4728 + EventID: 4732 TargetUserName: Administrators condition: selection falsepositives: @@ -27,4 +24,6 @@ tags: - attack.persistence - attack.t1098 references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 \ No newline at end of file + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml new file mode 100644 index 00000000..2112fa3c --- /dev/null +++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml @@ -0,0 +1,29 @@ +author: Zach Mathis +creation_date: 2020/11/08 +updated_date: 2021/11/26 + +title: User added to local Domain Admins group +title_jp: ユーザがローカルドメイン管理者グループに追加された +output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' +output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' +description: A user was added to the local Domain Admins group. +description_jp: ユーザがドメイン管理者グループに追加された。 + +id: bc58e432-959f-464d-812e-d60ce5d46fa1 +level: high +status: stable +detection: + selection: + Channel: Security + EventID: 4728 + TargetUserName: Domain Admins + condition: selection +falsepositives: + - system administrator +tags: + - attack.persistence + - attack.t1098 +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml new file mode 100644 index 00000000..859d37db --- /dev/null +++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml @@ -0,0 +1,32 @@ +author: Eric Conrad, Zach Mathis +creation_date: 2020/11/08 +updated_date: 2021/11/26 + +title: User added to local security group +title_jp: ユーザがローカルセキュリティグループに追加された +output: 'User: %MemberName% : SID: %MemberSid% : Group: %TargetUserName%' +output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %TargetUserName%' +description: A user was added to a security-enabled local group. +description_jp: ユーザがローカルセキュリティグループに追加された。 + +id: 611e2e76-a28f-4255-812c-eb8836b2f5bb +level: low +status: stable +detection: + selection: + Channel: Security + EventID: 4728 + filter: + - TargetUserName: Administrators + - TargetUserName: None + - TargetUserName: Domain Admins + condition: selection and not filter +falsepositives: + - system administrator +tags: + - attack.persistence + - attack.t1098 +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 +sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4732-useraddedtolocaladmingroup.yml b/rules/hayabusa/alerts/Security/4732-useraddedtolocaladmingroup.yml deleted file mode 100644 index 009f986a..00000000 --- a/rules/hayabusa/alerts/Security/4732-useraddedtolocaladmingroup.yml +++ /dev/null @@ -1,15 +0,0 @@ -title: User added to local Administrators group -description: User added to local Administrators group -author: Eric Conrad, Zach Mathis -level: high -detection: - selection: - Channel: Security - EventID: 4732 - TargetUserName: Administrators - # condition: selection -falsepositives: - - unknown -output: 'UserName: %MemberName% : SID: %MemberSid%' -creation_date: 2020/11/8 -updated_date: 2021/11/18 diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml index 8e247667..c263438e 100644 --- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml +++ b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml @@ -1,10 +1,7 @@ -#Author info -author: Yusuke Matsui -contributor: Zach Mathis, James Takai, DustInDark +author: Yusuke Matsui, Yamato Security creation_date: 2020/11/08 -updated_date: 2021/11/22 +updated_date: 2021/11/26 -#Alert messages title: Possible AS-REP Roasting title_jp: AS-REPロースティングの可能性 output: 'Possible AS-REP Roasting' @@ -12,7 +9,6 @@ output_jp: 'AS-REPロースティングのリスクがある' description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. -#Detection rule id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a level: medium status: test @@ -29,4 +25,5 @@ tags: - attack.credential_access - attack.t1558.004 references: - - https://attack.mitre.org/techniques/T1558/004/ \ No newline at end of file + - https://attack.mitre.org/techniques/T1558/004/ +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml index 99d5a765..3ea40566 100644 --- a/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml +++ b/rules/hayabusa/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml @@ -1,10 +1,7 @@ -#Author info -author: Yusuke Matsui -contributor: Zach Mathis, James Takai, DustInDark +author: Yusuke Matsui, Yamato Security creation_date: 2020/11/08 updated_date: 2021/11/22 -#Alert messages title: Kerberoasting title_jp: Kerberoast攻撃 output: 'Possible Kerberoasting Risk Activity.' @@ -12,7 +9,6 @@ output_jp: 'Kerberoast攻撃のリスクがある' description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. -#Detection rule id: f19849e7-b5ba-404b-a731-9b624d7f6d19 level: medium status: test @@ -30,3 +26,4 @@ tags: - attack.t1558.003 references: - https://attack.mitre.org/techniques/T1558/003/ +ruletype: hayabusa diff --git a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml index c6dc9e74..91fa9280 100644 --- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml +++ b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml @@ -1,18 +1,14 @@ -#Author info -author: Eric Conrad, Zach Mathis -contributor: Akira Nishikawa, James Takai -creation_date: 2020/11/08 -uodated_date: 2021/11/22 +author: Eric Conrad, Yamato Security +date: 2020/11/08 +modified: 2021/11/25 -#Alert messages title: System log file was cleared title_jp: システムログがクリアされた -output: "User: %LogFileCleared%%SubjectUserName%" -output_jp: "ユーザ名: %LogFileCleared%%SubjectUserName%" +output: "User: %LogFileClearedSubjectUserName%" +output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" description: Somebody has cleared the System event log. description_jp: 誰かがシステムログをクリアした。 -#Detection rule id: c2f690ac-53f8-4745-8cfe-7127dda28c74 level: high status: stable @@ -28,3 +24,4 @@ tags: - attack.t1070.001 references: - https://attack.mitre.org/techniques/T1070/001/ +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml b/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml index 9cbfe70c..03ee4e3e 100644 --- a/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml +++ b/rules/hayabusa/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml @@ -1,15 +1,12 @@ -#Author info author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 updated_date: 2021/11/22 -#Alert messages title: Event log service startup type changed to disabled title_jp: イベントログサービスのスタートアップの種類が無効に変更された output: 'Old setting: %param2% : New setting: %param3%' output: '設定前: %param2% : 設定後: %param3%' -#Detection rule id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5 level: medium status: test @@ -27,3 +24,4 @@ tags: - attack.t1562.002 references: - https://attack.mitre.org/techniques/T1562/002/ +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml index e1f6db68..78b13842 100644 --- a/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml +++ b/rules/hayabusa/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml @@ -1,9 +1,7 @@ -#Author info author: Eric Conrad, Zach Mathis creation_date: 2020/11/08 updated_date: 2021/11/23 -#Alert messages title: Malicious service installed title_jp: 悪意のあるサービスがインストールされた output: 'Service: %ServiceName% : Image path: %ImagePath' @@ -11,7 +9,6 @@ output_jp: 'サービス名: %ServiceName% : Imageパス: %ImagePath' description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt -#Detection rule id: dbbfd9f3-9508-478b-887e-03ddb9236909 level: high status: test @@ -32,3 +29,4 @@ tags: - attack.t1543.003 references: - https://attack.mitre.org/techniques/T1543/003/ +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml index afc9a10f..50ed1553 100644 --- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml +++ b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml @@ -1,10 +1,7 @@ -#Author info -author: James Takai, itiB -contributor: Zach Mathis -creation_date: 2020/11/08 -updated_date: 2021/11/22 +author: Yamato Security +date: 2020/11/08 +modified: 2021/11/22 -#Alert messages title: Bits Job Creation title_jp: Bits Jobの作成 output: 'Job Title: %JobTitle% : URL: %Url%' @@ -12,7 +9,6 @@ output_jp: 'Job名: %JobTitle% : URL: %Url%' description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. -#Detection rule id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031 level: informational status: stable @@ -31,3 +27,4 @@ tags: references: - https://attack.mitre.org/techniques/T1197/ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml b/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml new file mode 100644 index 00000000..3ff9d7e4 --- /dev/null +++ b/rules/hayabusa/events/PowerShellOperational/4103_CommandAndScriptingInterpreter-PowerShell_PowershellExecutionPipeline.yml @@ -0,0 +1,30 @@ +author: Eric Conrad, Yamato Security +date: 2020/11/08 +modified: 2021/11/22 + +title: PowerShell Execution Pipeline +title_jp: PowerShellパイプライン実行 +output: 'Command: %CommandLine%' +output_jp: 'コマンド: %CommandLine%' +description: Displays powershell execution +description_jp: Powershellの実行を出力する。 + +id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031 +level: informational +status: stable +detection: + selection: + Channel: Microsoft-Windows-PowerShell/Operational + EventID: 4103 + ContextInfo: + - Host Application + - ホスト アプリケーション + condition: selection +falsepositives: + - normal system usage +tags: + - attack.defense_evasion + - attack.t1059.001 + - lolbas +references: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml index 7fdc6500..fac3f62b 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-0-System.yml @@ -1,15 +1,25 @@ -title: Logon Type 0 - System -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 0 - System +title_jp: ログオンタイプ 0 - System +output: 'Bootup' +output_jp: 'システム起動' +description: Prints logon information +description_jp: Prints logon information + +id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 0 - falsepositives: - normal system usage -output: 'Bootup' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml index c5e69909..334c86e1 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml @@ -1,15 +1,25 @@ -title: Logon Type 10 - RDP (Remote Interactive) -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 10 - RDP (Remote Interactive) +title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ) +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information. +description_jp: Prints logon information. + +id: a4e05f05-ff88-48b9-8524-a88c1c32fe19 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 10 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml index 8cfa15ec..0d70a81f 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml @@ -1,15 +1,25 @@ -title: Logon Type 11 - CachedInteractive -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 11 - CachedInteractive +title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information. +description_jp: Prints logon information. + +id: e50e3952-06d9-44a8-ab07-7a41c9801d78 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 11 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml index 2c751eb2..31d17a0d 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml @@ -1,15 +1,25 @@ -title: Logon Type 12 - CachedRemoteInteractive -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 12 - CachedRemoteInteractive +title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information. +description_jp: Prints logon information. + +id: e50e3952-06d9-44a8-ab07-7a41c9801d78 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 12 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml index 8f61f3ce..06d7a123 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-13-CachedUnlock.yml @@ -1,15 +1,25 @@ -title: Logon Type 13 - CachedUnlock -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 13 - CachedUnlock +title_jp: ログオンタイプ 13 - キャッシュされたアンロック +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information. +description_jp: Prints logon information. + +id: e50e3952-06d9-44a8-ab07-7a41c9801d78 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 13 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml index f5c52e7b..62c8f35e 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml @@ -1,15 +1,25 @@ -title: Logon Type 2 - Interactive -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 2 - Interactive +title_jp: ログオンタイプ 2 - インタラクティブ +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information +description_jp: Prints logon information + +id: c7b22878-e5d8-4c30-b245-e51fd354359e level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 2 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml index c8781e31..6612ee6f 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-3-Network.yml @@ -1,22 +1,30 @@ -title: Logon Type 3 - Network -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 3 - Network +title_jp: ログオンタイプ 3 - ネットワーク +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +description: Prints logon information +description_jp: Prints logon information + +id: c7b22878-e5d8-4c30-b245-e51fd354359e level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 3 - filter: - IpAddress: "-" - IpAddress: "127.0.0.1" - IpAddress: "::1" - condition: selection and not filter - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml index cab347aa..41bddeb3 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml @@ -1,15 +1,25 @@ -title: Logon Type 4 - Batch -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 4 - Batch +title_jp: ログオンタイプ 4 - バッチ +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +description: Prints logon information +description_jp: Prints logon information + +id: 408e1304-51d7-4d3e-ab31-afd07192400b level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 4 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml index a668fdc8..e0120d5d 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-5-Service.yml @@ -1,22 +1,30 @@ -title: Logon Type 5 - Service -description: Prints logon information author: Zach Mathis -level: informational +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 5 - Service +title_jp: ログオンタイプ 5 - サービス +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +description: Prints logon information +description_jp: Prints logon information + +id: 408e1304-51d7-4d3e-ab31-afd07192400b +level: low +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 5 - filter: - TargetUserName: "SYSTEM" - TargetUserName: "NETWORK SERVICE" - TargetUserName: "LOCAL SERVICE" - condition: selection and not filter - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml index 0892cba9..df6a2716 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-7-Unlock.yml @@ -1,15 +1,25 @@ -title: Logon Type 7 - Unlock -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 7 - Unlock +title_jp: ログオンタイプ 7 - アンロック +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +description: Prints logon information +description_jp: Prints logon information + +id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 7 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml index 0e7f2533..2070d324 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-8-NetworkCleartext.yml @@ -1,15 +1,25 @@ -title: Logon Type 8 - NetworkCleartext -description: Prints logon information author: Zach Mathis -level: low +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 8 - NetworkCleartext +title_jp: ログオンタイプ 8 - ネットワーク平文 +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId%' +description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication. +description_jp: Prints logon information + +id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138 +level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 8 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml index 970ed461..5148ef63 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-9-NewInteractive.yml @@ -1,15 +1,25 @@ -title: Logon Type 9 - NewCredentials -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logon Type 9 - NewCredentials +title_jp: ログオンタイプ 9 - 新しい資格情報 +output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ポート番号: %IpPort% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)' +description: Prints logon information. +description_jp: Prints logon information. + +id: d80facaa-ca97-47bb-aed2-66362416eb49 level: informational +status: stable detection: selection: Channel: Security EventID: 4624 LogonType: 9 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4625_LogonFailure.yml b/rules/hayabusa/events/Security/Logons/4625_LogonFailure.yml deleted file mode 100644 index 3b693890..00000000 --- a/rules/hayabusa/events/Security/Logons/4625_LogonFailure.yml +++ /dev/null @@ -1,14 +0,0 @@ -title: Logon Failure -description: Prints logon information -author: Zach Mathis -level: low -detection: - selection: - Channel: Security - EventID: 4625 - -falsepositives: - - normal system usage -output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %Workstation% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml b/rules/hayabusa/events/Security/Logons/4634_Logoff.yml index 2ab4be6d..e7fafe50 100644 --- a/rules/hayabusa/events/Security/Logons/4634_Logoff.yml +++ b/rules/hayabusa/events/Security/Logons/4634_Logoff.yml @@ -1,19 +1,27 @@ -title: Logoff -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logoff +title_jp: ログオフ +output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' +description: Prints logon information. +description_jp: Prints logon information. + +id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf level: informational +status: stable detection: selection: Channel: Security EventID: 4634 - filter: TargetUserName|endswith: "$" - condition: selection and not filter - falsepositives: - normal system usage -output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml index 22185d51..202bc2d8 100644 --- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml +++ b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml @@ -1,14 +1,24 @@ -title: Logoff - User Initiated -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Logoff - User Initiated +title_jp: ログオフ - ユーザが行った +output: 'User: %TargetUserName% : LogonID: %TargetLogonId%' +output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' +description: Prints logon information. +description_jp: Prints logon information. + +id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf level: informational +status: stable detection: selection: Channel: Security EventID: 4647 - falsepositives: - normal system usage -output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml index d0d0e881..cd2ad1d3 100644 --- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml +++ b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml @@ -1,22 +1,30 @@ -title: Admin Logon -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Admin Logon +title_jp: 管理者ログオン +output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' +output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' +description: Prints logon information. +description_jp: Prints logon information. + +id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf level: informational +status: stable detection: selection: Channel: Security EventID: 4672 - filter: - SubjectUserName: "SYSTEM" - SubjectUserName: "LOCAL SERVICE" - SubjectUserName: "NETWORK SERVICE" - SubjectUserName|endswith: "$" - condition: selection and not filter - falsepositives: - normal system usage -output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml index c66d4468..2e199fd0 100644 --- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml +++ b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml @@ -1,14 +1,24 @@ -title: Kerberos TGT was requested -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Kerberos TGT was requested +title_jp: Kerberos TGTが要求された +output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' +output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%' +description: Prints logon information. +description_jp: Prints logon information. + +id: da6257f3-cf49-464a-96fc-c84a7ce20636 level: informational +status: stable detection: selection: Channel: Security EventID: 4768 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa diff --git a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml b/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml index 66c732ac..87e7a13c 100644 --- a/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml +++ b/rules/hayabusa/events/Security/Logons/4769_KerberosServiceTicketRequest.yml @@ -1,14 +1,24 @@ -title: Kerberos Service Ticket Requested -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Kerberos Service Ticket Requested +title_jp: Kerberosサービスチケットが要求された +output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' +output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%' +description: Prints logon information. +description_jp: Prints logon information. + +id: da6257f3-cf49-464a-96fc-c84a7ce20636 level: informational +status: stable detection: selection: Channel: Security EventID: 4769 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml index e8d63479..e459d48a 100644 --- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml +++ b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml @@ -1,14 +1,24 @@ -title: NTLM Logon to Local Account -description: Prints logon information author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: NTLM Logon to Local Account +title_jp: ローカルアカウントへのNTLMログオン +output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : ステータス: %Status%' +description: Prints logon information. +description_jp: Prints logon information. + +id: 4fbe94b0-577a-4f77-9b13-250e27d440fa level: informational +status: stable detection: selection: Channel: Security EventID: 4776 - falsepositives: - normal system usage -output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%' -creation_date: 2021/11/17 -updated_date: 2021/11/17 \ No newline at end of file +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file diff --git a/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml b/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml new file mode 100644 index 00000000..4e0d4f88 --- /dev/null +++ b/rules/hayabusa/events/Security/WirelessAccess/8001_WirelessAP-Connect.yml @@ -0,0 +1,24 @@ +author: Zach Mathis +date: 2020/11/08 +modified: 2021/11/26 + +title: Connection to wireless access point +title_jp: ローカルアカウントへのNTLMログオン +output: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%' +output_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%' +description: Prints connection info to wireless access points. +description_jp: Prints connection info to wireless access points. + +id: 90dd0797-f481-453d-a97e-dd78436893f9 +level: informational +status: stable +detection: + selection: + Channel: Microsoft-Windows-WLAN-AutoConfig + EventID: 8001 +falsepositives: + - normal system usage +tags: +references: +sample-evtx: +ruletype: hayabusa \ No newline at end of file From cc7767a9608440b74d3763828657562ae93c8eeb Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 27 Nov 2021 00:33:19 +0900 Subject: [PATCH 03/13] changed output format header #213 (#228) * changed output format header #213 * fixed test parameter #213 --- src/afterfact.rs | 54 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 15 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 47d4457b..95012876 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -21,6 +21,17 @@ pub struct CsvFormat<'a> { filepath: &'a str, } +#[derive(Debug, Serialize)] +#[serde(rename_all = "PascalCase")] +pub struct DisplayFormat<'a> { + time: &'a str, + computername: &'a str, + eventid: &'a str, + level: &'a str, + alert: &'a str, + details: &'a str, +} + pub fn after_fact() { let fn_emit_csv_err = |err: Box| { AlertMessage::alert( @@ -30,7 +41,7 @@ pub fn after_fact() { .ok(); process::exit(1); }; - + let mut displayflag = false; let mut target: Box = if let Some(csv_path) = configs::CONFIG .read() .unwrap() @@ -50,31 +61,44 @@ pub fn after_fact() { } } } else { + displayflag = true; // 標準出力に出力する場合 Box::new(io::stdout()) }; - if let Err(err) = emit_csv(&mut target) { - fn_emit_csv_err(err); + if let Err(err) = emit_csv(&mut target, displayflag) { + fn_emit_csv_err(Box::new(err)); } } -fn emit_csv(writer: &mut W) -> Result<(), Box> { +fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result<()> { let mut wtr = csv::WriterBuilder::new().from_writer(writer); let messages = print::MESSAGES.lock().unwrap(); let mut detect_count = 0; for (time, detect_infos) in messages.iter() { for detect_info in detect_infos { - wtr.serialize(CsvFormat { - time: &format_time(time), - filepath: &detect_info.filepath, - rulepath: &detect_info.rulepath, - level: &detect_info.level, - computername: &detect_info.computername, - eventid: &detect_info.eventid, - alert: &detect_info.alert, - details: &detect_info.detail, - })?; + if displayflag { + wtr.serialize(DisplayFormat { + time: &format_time(time), + level: &detect_info.level, + computername: &detect_info.computername, + eventid: &detect_info.eventid, + alert: &detect_info.alert, + details: &detect_info.detail, + })?; + } else { + // csv出力時フォーマット + wtr.serialize(CsvFormat { + time: &format_time(time), + filepath: &detect_info.filepath, + rulepath: &detect_info.rulepath, + level: &detect_info.level, + computername: &detect_info.computername, + eventid: &detect_info.eventid, + alert: &detect_info.alert, + details: &detect_info.detail, + })?; + } } detect_count += detect_infos.len(); } @@ -175,7 +199,7 @@ fn test_emit_csv() { let mut file: Box = Box::new(File::create("./test_emit_csv.csv".to_string()).unwrap()); - assert!(emit_csv(&mut file).is_ok()); + assert!(emit_csv(&mut file, false).is_ok()); match read_to_string("./test_emit_csv.csv") { Err(_) => panic!("Failed to open file"), From bc230f7cd55c7466ea46a76dc71b0759d0b94474 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 27 Nov 2021 11:21:55 +0900 Subject: [PATCH 04/13] =?UTF-8?q?=E8=8B=B1=E8=AA=9E=E4=BF=AE=E6=AD=A3=20(#?= =?UTF-8?q?236)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 英語修正 * cargo fmt * fixed test assertion string data Co-authored-by: DustInDark --- src/afterfact.rs | 4 +- src/detections/configs.rs | 24 ++++---- src/detections/detection.rs | 18 +++--- src/detections/rule/aggregation_parser.rs | 40 +++++++------ src/detections/rule/condition_parser.rs | 64 ++++++++++++--------- src/detections/rule/count.rs | 8 +-- src/detections/rule/matchers.rs | 68 +++++++++++------------ src/detections/rule/mod.rs | 34 ++++++------ src/detections/rule/selectionnodes.rs | 12 ++-- src/detections/utils.rs | 4 +- src/main.rs | 8 +-- src/yaml.rs | 8 +-- 12 files changed, 153 insertions(+), 139 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 95012876..dd1ae5fb 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -106,7 +106,7 @@ fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result< wtr.flush()?; println!(""); - println!("Total Events Detected:{:?}", detect_count); + println!("Total events detected: {:?}", detect_count); Ok(()) } @@ -202,7 +202,7 @@ fn test_emit_csv() { assert!(emit_csv(&mut file, false).is_ok()); match read_to_string("./test_emit_csv.csv") { - Err(_) => panic!("Failed to open file"), + Err(_) => panic!("Failed to open file."), Ok(s) => { assert_eq!(s, expect); } diff --git a/src/detections/configs.rs b/src/detections/configs.rs index b4b18c21..02499876 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -47,23 +47,23 @@ fn build_app<'a>() -> ArgMatches<'a> { return ArgMatches::default(); } - let usages = "-f --filepath=[FILEPATH] 'Event file path' - --csv-timeline=[CSV_TIMELINE] 'Csv output timeline' + let usages = "-f --filepath=[FILEPATH] 'File path to one .evtx file' + --csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format' --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' - --verbose 'Output check information to target event file path and rule file.' - -q 'Quiet Output Logo' - -r --rules=[RULEDIRECTORY] 'using target of rule file directory' - -L --level=[LEVEL] 'Specified execute rule level(default: LOW)' - -u --utc 'Output time in UTC format(default: local time)' - -d --directory=[DIRECTORY] 'Event log files directory' - -s --statistics 'Prints statistics for event logs' - -t --threadnum=[NUM] 'Thread number' + --verbose 'Output verbose information to target event file path and rule file' + -q 'Quiet mode. Do not display the launch banner' + -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' + -L --level=[LEVEL] 'Minimum level for rules (default: low)' + -u --utc 'Output time in UTC format (default: local time)' + -d --directory=[DIRECTORY] 'Directory of multiple .evtx files' + -s --statistics 'Prints statistics of event IDs' + -t --threadnum=[NUM] 'Thread number (default: optimal number for performance)' --contributors 'Prints the list of contributors'"; App::new(&program) - .about("hayabusa. Aiming to be the world's greatest Windows event log analysis tool!") + .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!") .version("1.0.0") - .author("Author name Yamato-Security(https://github.com/Yamato-Security/hayabusa)") + .author("Yamato-Security(https://github.com/Yamato-Security/hayabusa)") .setting(AppSettings::VersionlessSubcommands) .usage(usages) .args_from_usage(usages) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 3f02c616..b6233769 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -73,7 +73,7 @@ impl Detection { // ruleファイルのパースに失敗した場合はエラー出力 err_msgs_result.err().iter().for_each(|err_msgs| { let errmsg_body = - format!("Failed to parse Rule file. (FilePath : {})", rule.rulepath); + format!("Failed to parse rule file. (FilePath : {})", rule.rulepath); AlertMessage::warn(&mut std::io::stdout().lock(), errmsg_body).ok(); err_msgs.iter().for_each(|err_msg| { @@ -145,8 +145,8 @@ impl Detection { pub fn print_unique_results(&self) { let rules = &self.rules; - let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undeifned"]); - // levclcounts is [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] + let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]); + // levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); for rule in rules.into_iter() { if rule.check_exist_countdata() { @@ -165,10 +165,10 @@ impl Detection { let mut total_unique = 0; levelcounts.reverse(); for (i, value) in levelcounts.iter().enumerate() { - println!("{} alerts {}", levellabel[i], value); + println!("{} alerts: {}", levellabel[i], value); total_unique += value; } - println!("Unique Events Detected: {}", total_unique); + println!("Unique events detected: {}", total_unique); } // 複数のイベントレコードに対して、ルールを1個実行します。 @@ -246,12 +246,12 @@ impl Detection { ) { let mut total = parseerror_count + ignore_count; rc.into_iter().for_each(|(key, value)| { - println!("{} Rules: {}", key, value); + println!("{} rules: {}", key, value); total += value; }); - println!("Ignored Rule Count: {}", ignore_count); - println!("Rule Parse Errors Count: {}", parseerror_count); - println!("Total Detection Rules: {}", total); + println!("Ignored rules: {}", ignore_count); + println!("Rule parsing errors: {}", parseerror_count); + println!("Total detection rules: {}", total); println!(""); } } diff --git a/src/detections/rule/aggregation_parser.rs b/src/detections/rule/aggregation_parser.rs index bcc84bf1..92fd56ff 100644 --- a/src/detections/rule/aggregation_parser.rs +++ b/src/detections/rule/aggregation_parser.rs @@ -52,7 +52,7 @@ impl AggegationConditionCompiler { let result = self.compile_body(condition_str); if let Result::Err(msg) = result { return Result::Err(format!( - "aggregation condition parse error has occurred. {}", + "An aggregation condition parse error has occurred. {}", msg )); } else { @@ -137,7 +137,7 @@ impl AggegationConditionCompiler { ) -> Result, String> { if tokens.is_empty() { // パイプしか無いのはおかしいのでエラー - return Result::Err("There are no strings after pipe(|).".to_string()); + return Result::Err("There are no strings after the pipe(|).".to_string()); } let mut token_ite = tokens.into_iter(); @@ -150,14 +150,14 @@ impl AggegationConditionCompiler { } } else { // いろんなパターンがあるので難しいが、countというキーワードしか使えないことを説明しておく。 - return Result::Err("aggregation condition can use count only.".to_string()); + return Result::Err("The aggregation condition can only use count.".to_string()); } let token = token_ite.next(); if token.is_none() { // 論理演算子がないのはだめ return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } @@ -168,14 +168,18 @@ impl AggegationConditionCompiler { let after_by = token_ite.next(); if after_by.is_none() { // BYの後に何もないのはだめ - return Result::Err("by keyword needs field name like 'by EventID'".to_string()); + return Result::Err( + "The by keyword needs a field name like 'by EventID'".to_string(), + ); } if let AggregationConditionToken::KEYWORD(keyword) = after_by.unwrap() { by_field_name = Option::Some(keyword); token_ite.next() } else { - return Result::Err("by keyword needs field name like 'by EventID'".to_string()); + return Result::Err( + "The by keyword needs a field name like 'by EventID'".to_string(), + ); } } else { Option::Some(token) @@ -185,14 +189,14 @@ impl AggegationConditionCompiler { if token.is_none() { // 論理演算子がないのはだめ return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } let cmp_token = token.unwrap(); if !self.is_cmp_op(&cmp_token) { return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } @@ -201,17 +205,17 @@ impl AggegationConditionCompiler { let number: Result = number.parse(); if number.is_err() { // 比較演算子の後に数値が無い。 - return Result::Err("compare operator needs a number like '> 3'.".to_string()); + return Result::Err("The compare operator needs a number like '> 3'.".to_string()); } else { number.unwrap() } } else { // 比較演算子の後に数値が無い。 - return Result::Err("compare operator needs a number like '> 3'.".to_string()); + return Result::Err("The compare operator needs a number like '> 3'.".to_string()); }; if token_ite.next().is_some() { - return Result::Err("unnecessary word was found.".to_string()); + return Result::Err("An unnecessary word was found.".to_string()); } let info = AggregationParseInfo { @@ -379,7 +383,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. There are no strings after pipe(|)." + "An aggregation condition parse error has occurred. There are no strings after the pipe(|)." .to_string(), result.unwrap_err() ); @@ -393,7 +397,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. An unusable character was found." + "An aggregation condition parse error has occurred. An unusable character was found." .to_string(), result.unwrap_err() ); @@ -407,7 +411,7 @@ mod tests { compiler.compile("select1 or select2 | by count( hogehoge) by snsn > 3".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. aggregation condition can use count only.".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The aggregation condition can only use count.".to_string(),result.unwrap_err()); } #[test] @@ -417,7 +421,7 @@ mod tests { let result = compiler.compile("select1 or select2 | count( hogehoge) 3".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. count keyword needs compare operator and number like '> 3'".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The count keyword needs a compare operator and number like '> 3'".to_string(),result.unwrap_err()); } #[test] @@ -427,7 +431,7 @@ mod tests { let result = compiler.compile("select1 or select2 | count( hogehoge) by".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. by keyword needs field name like 'by EventID'".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The by keyword needs a field name like 'by EventID'".to_string(),result.unwrap_err()); } #[test] @@ -438,7 +442,7 @@ mod tests { compiler.compile("select1 or select2 | count( hogehoge ) by hoe >".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. compare operator needs a number like '> 3'.".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The compare operator needs a number like '> 3'.".to_string(),result.unwrap_err()); } #[test] @@ -450,7 +454,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. unnecessary word was found." + "An aggregation condition parse error has occurred. An unnecessary word was found." .to_string(), result.unwrap_err() ); diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index c7958b14..3a1e3af4 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -130,7 +130,7 @@ impl ConditionCompiler { let result = self.compile_condition_body(condition_str, name_2_node); if let Result::Err(msg) = result { - return Result::Err(format!("condition parse error has occured. {}", msg)); + return Result::Err(format!("A condition parse error has occured. {}", msg)); } else { return result; } @@ -269,7 +269,7 @@ impl ConditionCompiler { } // 最後までついても対応する右括弧が見つからないことを表している if left_cnt != right_cnt { - return Result::Err("expected ')'. but not found.".to_string()); + return Result::Err("')' was expected but not found.".to_string()); } // ここで再帰的に呼び出す。 @@ -284,7 +284,7 @@ impl ConditionCompiler { }; }); if is_right_left { - return Result::Err("expected '('. but not found.".to_string()); + return Result::Err("'(' was expected but not found.".to_string()); } return Result::Ok(ret); @@ -294,7 +294,7 @@ impl ConditionCompiler { fn parse_and_or_operator(&self, tokens: Vec) -> Result { if tokens.len() == 0 { // 長さ0は呼び出してはいけない - return Result::Err("unknown error.".to_string()); + return Result::Err("Unknown error.".to_string()); } // まず、selection1 and not selection2みたいな式のselection1やnot selection2のように、ANDやORでつながるトークンをまとめる。 @@ -302,7 +302,7 @@ impl ConditionCompiler { // 先頭又は末尾がAND/ORなのはだめ if self.is_logical(&tokens[0]) || self.is_logical(&tokens[tokens.len() - 1]) { - return Result::Err("illegal Logical Operator(and, or) was found.".to_string()); + return Result::Err("An illegal logical operator(and, or) was found.".to_string()); } // OperandContainerとLogicalOperator(AndとOR)が交互に並んでいるので、それぞれリストに投入 @@ -311,7 +311,9 @@ impl ConditionCompiler { for (i, token) in tokens.into_iter().enumerate() { if (i % 2 == 1) != self.is_logical(&token) { // インデックスが奇数の時はLogicalOperatorで、インデックスが偶数のときはOperandContainerになる - return Result::Err("The use of logical operator(and, or) was wrong.".to_string()); + return Result::Err( + "The use of a logical operator(and, or) was wrong.".to_string(), + ); } if i % 2 == 0 { @@ -354,21 +356,21 @@ impl ConditionCompiler { // 上記の通り、3つ以上入っていることはないはず。 if sub_tokens.len() >= 3 { return Result::Err( - "unknown error. maybe it's because there are multiple name of selection node." + "Unknown error. Maybe it is because there are multiple names of selection nodes." .to_string(), ); } // 0はありえないはず if sub_tokens.len() == 0 { - return Result::Err("unknown error.".to_string()); + return Result::Err("Unknown error.".to_string()); } // 1つだけ入っている場合、NOTはありえない。 if sub_tokens.len() == 1 { let operand_subtoken = sub_tokens.into_iter().next().unwrap(); if let ConditionToken::Not = operand_subtoken { - return Result::Err("illegal not was found.".to_string()); + return Result::Err("An illegal not was found.".to_string()); } return Result::Ok(operand_subtoken); @@ -380,14 +382,14 @@ impl ConditionCompiler { let second_token = sub_tokens_ite.next().unwrap(); if let ConditionToken::Not = first_token { if let ConditionToken::Not = second_token { - return Result::Err("not is continuous.".to_string()); + return Result::Err("Not is continuous.".to_string()); } else { let not_container = ConditionToken::NotContainer(vec![second_token]); return Result::Ok(not_container); } } else { return Result::Err( - "unknown error. maybe it's because there are multiple name of selection node." + "Unknown error. Maybe it is because there are multiple names of selection nodes." .to_string(), ); } @@ -450,7 +452,7 @@ impl ConditionCompiler { // NotSelectionNodeに変換 if let ConditionToken::NotContainer(sub_tokens) = token { if sub_tokens.len() > 1 { - return Result::Err("unknown error".to_string()); + return Result::Err("Unknown error".to_string()); } let select_sub_node = @@ -459,7 +461,7 @@ impl ConditionCompiler { return Result::Ok(Box::new(select_not_node)); } - return Result::Err("unknown error".to_string()); + return Result::Err("Unknown error".to_string()); } /// ConditionTokenがAndまたはOrTokenならばTrue @@ -549,7 +551,7 @@ mod tests { ); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -595,7 +597,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -642,7 +644,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1204,7 +1206,7 @@ mod tests { assert_eq!( rule_node.init(), Err(vec![ - "There are no condition node under detection.".to_string() + "There is no condition node under detection.".to_string() ]) ); } @@ -1226,7 +1228,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. An unusable character was found.".to_string()], + vec![ + "A condition parse error has occured. An unusable character was found.".to_string(), + ], ); } @@ -1247,7 +1251,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected ')'. but not found.".to_string()], + vec![ + "A condition parse error has occured. ')' was expected but not found.".to_string(), + ], ); } @@ -1268,7 +1274,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected '('. but not found.".to_string()], + vec![ + "A condition parse error has occured. '(' was expected but not found.".to_string(), + ], ); } @@ -1289,7 +1297,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected ')'. but not found.".to_string()], + vec![ + "A condition parse error has occured. ')' was expected but not found.".to_string(), + ], ); } @@ -1308,7 +1318,7 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - check_rule_parse_error(rule_str,vec!["condition parse error has occured. unknown error. maybe it\'s because there are multiple name of selection node.".to_string()]); + check_rule_parse_error(rule_str,vec!["A condition parse error has occured. Unknown error. Maybe it is because there are multiple names of selection nodes.".to_string()]); } #[test] @@ -1329,7 +1339,7 @@ mod tests { check_rule_parse_error( rule_str, vec![ - "condition parse error has occured. illegal Logical Operator(and, or) was found." + "A condition parse error has occured. An illegal logical operator(and, or) was found." .to_string(), ], ); @@ -1353,7 +1363,7 @@ mod tests { check_rule_parse_error( rule_str, vec![ - "condition parse error has occured. illegal Logical Operator(and, or) was found." + "A condition parse error has occured. An illegal logical operator(and, or) was found." .to_string(), ], ); @@ -1374,7 +1384,7 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - check_rule_parse_error(rule_str,vec!["condition parse error has occured. The use of logical operator(and, or) was wrong.".to_string()]); + check_rule_parse_error(rule_str,vec!["A condition parse error has occured. The use of a logical operator(and, or) was wrong.".to_string()]); } #[test] @@ -1394,7 +1404,7 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. illegal not was found.".to_string()], + vec!["A condition parse error has occured. An illegal not was found.".to_string()], ); } @@ -1415,7 +1425,7 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. not is continuous.".to_string()], + vec!["A condition parse error has occured. Not is continuous.".to_string()], ); } } diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index 849cf951..5a65de2c 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs @@ -175,7 +175,7 @@ impl TimeFrameInfo { } else { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("timeframe is invalid.input value:{}", value), + format!("Timeframe is invalid. Input value:{}", value), ) .ok(); } @@ -207,7 +207,7 @@ pub fn get_sec_timeframe(timeframe: &Option) -> Option { Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("timeframe num is invalid. timeframe.{}", err), + format!("Timeframe number is invalid. timeframe.{}", err), ) .ok(); return Option::None; @@ -755,7 +755,7 @@ mod tests { let mut rule_node = create_rule("testpath".to_string(), test); let error_checker = rule_node.init(); if error_checker.is_err() { - assert!(false, "failed to init rulenode"); + assert!(false, "Failed to init rulenode"); } for record_str in records_str { match serde_json::from_str(record_str) { @@ -769,7 +769,7 @@ mod tests { assert_eq!(result, &true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 022594f5..fe778e53 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -50,7 +50,7 @@ impl LeafMatcher for MinlengthMatcher { let min_length = select_value.as_i64(); if min_length.is_none() { let errmsg = format!( - "min_length value should be Integer. [key:{}]", + "min_length value should be an integer. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -99,7 +99,7 @@ impl LeafMatcher for RegexesFileMatcher { }; if value.is_none() { let errmsg = format!( - "regexes value should be String. [key:{}]", + "regexes value should be a string. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -158,7 +158,7 @@ impl LeafMatcher for AllowlistFileMatcher { }; if value.is_none() { let errmsg = format!( - "allowlist value should be String. [key:{}]", + "allowlist value should be a string. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -253,7 +253,7 @@ impl LeafMatcher for DefaultMatcher { }; if yaml_value.is_none() { let errmsg = format!( - "unknown error occured. [key:{}]", + "An unknown error occured. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -275,7 +275,7 @@ impl LeafMatcher for DefaultMatcher { }; if pipe_element.is_none() { let errmsg = format!( - "unknown pipe element was specified. key:{}", + "An unknown pipe element was specified. key:{}", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -286,7 +286,7 @@ impl LeafMatcher for DefaultMatcher { if self.pipes.len() >= 2 { // 現状では複数のパイプは対応していない let errmsg = format!( - "multiple pipe element can't be used. key:{}", + "Multiple pipe elements cannot be used. key:{}", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -309,7 +309,7 @@ impl LeafMatcher for DefaultMatcher { let re_result = Regex::new(&pattern); if re_result.is_err() { let errmsg = format!( - "cannot parse regex. [regex:{}, key:{}]", + "Cannot parse regex. [regex:{}, key:{}]", pattern, utils::concat_selection_key(key_list) ); @@ -779,7 +779,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -846,7 +846,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -880,7 +880,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -913,7 +913,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -946,7 +946,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -980,7 +980,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1014,7 +1014,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1048,7 +1048,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1082,7 +1082,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1116,7 +1116,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1149,7 +1149,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1186,7 +1186,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1223,7 +1223,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1259,7 +1259,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1304,7 +1304,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1349,7 +1349,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1394,7 +1394,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1439,7 +1439,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1484,7 +1484,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1529,7 +1529,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1562,7 +1562,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1595,7 +1595,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1628,7 +1628,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1721,7 +1721,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1756,7 +1756,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1791,7 +1791,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1826,7 +1826,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index 11f2eda8..c4d3150d 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -144,7 +144,7 @@ impl DetectionNode { let mut keys = self.name_to_selection.keys().clone(); if keys.len() >= 2 { return Result::Err(vec![ - "There are no condition node under detection.".to_string() + "There is no condition node under detection.".to_string() ]); } @@ -191,7 +191,7 @@ impl DetectionNode { fn parse_name_to_selection(&mut self, detection_yaml: &Yaml) -> Result<(), Vec> { let detection_hash = detection_yaml.as_hash(); if detection_hash.is_none() { - return Result::Err(vec!["not found detection node".to_string()]); + return Result::Err(vec!["Detection node was not found.".to_string()]); } // selectionをパースする。 @@ -229,7 +229,7 @@ impl DetectionNode { // selectionノードが無いのはエラー if self.name_to_selection.len() == 0 { return Result::Err(vec![ - "There are no selection node under detection.".to_string() + "There is no selection node under detection.".to_string() ]); } @@ -360,7 +360,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -393,7 +393,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -426,7 +426,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -512,7 +512,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -574,7 +574,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -643,7 +643,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -690,7 +690,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -738,7 +738,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -805,7 +805,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -872,7 +872,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -921,7 +921,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -943,7 +943,7 @@ mod tests { assert_eq!( rule_node.init(), Err(vec![ - "unknown pipe element was specified. key:detection -> selection -> Channel|failed" + "An unknown pipe element was specified. key:detection -> selection -> Channel|failed" .to_string() ]) ); @@ -962,7 +962,7 @@ mod tests { assert_eq!( rule_node.init(), - Err(vec!["not found detection node".to_string()]) + Err(vec!["Detection node was not found.".to_string()]) ); } @@ -997,7 +997,7 @@ mod tests { ); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index 78dc3ea4..030d832c 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -392,7 +392,7 @@ impl SelectionNode for LeafSelectionNode { if self.select_value.is_badvalue() { return Result::Err(vec![format!( - "Cannot parse yaml file. key:{}", + "Cannot parse yml file. key:{}", utils::concat_selection_key(&match_key_list) )]); } @@ -446,7 +446,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -482,7 +482,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -517,7 +517,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -552,7 +552,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -587,7 +587,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 59331832..1bacfe10 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -49,7 +49,7 @@ pub fn check_allowlist(target: &str, regexes: &Vec) -> bool { pub fn read_txt(filename: &str) -> Result, String> { let f = File::open(filename); if f.is_err() { - let errmsg = format!("cannot open file. [file:{}]", filename); + let errmsg = format!("Cannot open file. [file:{}]", filename); return Result::Err(errmsg); } let reader = BufReader::new(f.unwrap()); @@ -62,7 +62,7 @@ pub fn read_txt(filename: &str) -> Result, String> { } pub fn read_csv(filename: &str) -> Result>, String> { - let mut f = File::open(filename).expect("file not found!!!"); + let mut f = File::open(filename).expect("File not found!!!"); let mut contents: String = String::new(); let mut ret = vec![]; let read_res = f.read_to_string(&mut contents); diff --git a/src/main.rs b/src/main.rs index 081ff838..6b6b34c0 100644 --- a/src/main.rs +++ b/src/main.rs @@ -36,7 +36,7 @@ fn main() { if !filepath.ends_with(".evtx") { AlertMessage::alert( &mut std::io::stderr().lock(), - "--filepath is only accepted evtx file.".to_owned(), + "--filepath only accepts .evtx files.".to_owned(), ) .ok(); return; @@ -47,7 +47,7 @@ fn main() { if evtx_files.len() == 0 { AlertMessage::alert( &mut std::io::stderr().lock(), - "No exist evtx file.".to_owned(), + "No .evtx files were found.".to_owned(), ) .ok(); return; @@ -118,7 +118,7 @@ fn analysis_files(evtx_files: Vec) { .value_of("level") .unwrap_or("INFO") .to_uppercase(); - println!("Analyzing Event Files: {:?}", evtx_files.len()); + println!("Analyzing event files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, configs::CONFIG.read().unwrap().args.value_of("rules"), @@ -126,7 +126,7 @@ fn analysis_files(evtx_files: Vec) { let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { if configs::CONFIG.read().unwrap().args.is_present("verbose") { - println!("check target evtx FilePath: {:?}", &evtx_file); + println!("Checking target evtx FilePath: {:?}", &evtx_file); } detection = analysis_file(evtx_file, detection); } diff --git a/src/yaml.rs b/src/yaml.rs index 792d7790..b0ef5065 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -83,7 +83,7 @@ impl ParseYaml { AlertMessage::warn( &mut std::io::stdout().lock(), format!( - "fail to parse as yaml: {}\n{} ", + "Failed to parse yml: {}\n{} ", entry.path().display(), yaml_contents.unwrap_err() ), @@ -109,14 +109,14 @@ impl ParseYaml { return Option::None; } self.rulecounter.insert( - yaml_doc["ruletype"].as_str().unwrap_or("other").to_string(), + yaml_doc["ruletype"].as_str().unwrap_or("Other").to_string(), self.rulecounter - .get(&yaml_doc["ruletype"].as_str().unwrap_or("other").to_string()) + .get(&yaml_doc["ruletype"].as_str().unwrap_or("Other").to_string()) .unwrap_or(&0) + 1, ); if configs::CONFIG.read().unwrap().args.is_present("verbose") { - println!("Loaded yml FilePath: {}", filepath); + println!("Loaded yml file path: {}", filepath); } // 指定されたレベルより低いルールは無視する let doc_level = &yaml_doc["level"] From 0cfa806baf9e4aaa847b55b5feebee7a83ba592c Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 28 Nov 2021 18:14:51 +0900 Subject: [PATCH 05/13] Feature/addruletype to sigma rule#230 (#235) * added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231 --- .../win_aadhealth_mon_agent_regkey_access.yml | 1 + .../win_aadhealth_svc_agent_regkey_access.yml | 1 + .../win_account_backdoor_dcsync_rights.yml | 1 + rules/sigma/builtin/win_account_discovery.yml | 1 + .../builtin/win_ad_object_writedac_access.yml | 1 + ...win_ad_replication_non_machine_account.yml | 1 + .../sigma/builtin/win_ad_user_enumeration.yml | 1 + ...e_template_configuration_vulnerability.yml | 1 + ...mplate_configuration_vulnerability_eku.yml | 1 + rules/sigma/builtin/win_admin_rdp_login.yml | 1 + .../sigma/builtin/win_admin_share_access.yml | 1 + ...in_alert_active_directory_user_control.yml | 1 + .../builtin/win_alert_ad_user_backdoors.yml | 1 + .../win_alert_enable_weak_encryption.yml | 1 + .../sigma/builtin/win_alert_lsass_access.yml | 1 + .../builtin/win_alert_mimikatz_keywords.yml | 1 + rules/sigma/builtin/win_alert_ruler.yml | 1 + ..._applocker_file_was_not_allowed_to_run.yml | 1 + .../builtin/win_apt_carbonpaper_turla.yml | 1 + .../builtin/win_apt_chafer_mar18_security.yml | 1 + .../builtin/win_apt_chafer_mar18_system.yml | 1 + rules/sigma/builtin/win_apt_gallium.yml | 1 + rules/sigma/builtin/win_apt_slingshot.yml | 1 + rules/sigma/builtin/win_apt_stonedrill.yml | 1 + .../builtin/win_apt_turla_service_png.yml | 1 + rules/sigma/builtin/win_apt_wocao.yml | 1 + ...ary_shell_execution_via_settingcontent.yml | 1 + .../builtin/win_asr_bypass_via_appvlp_re.yml | 1 + rules/sigma/builtin/win_atsvc_task.yml | 1 + rules/sigma/builtin/win_audit_cve.yml | 1 + rules/sigma/builtin/win_av_relevant_match.yml | 1 + .../builtin/win_camera_microphone_access.yml | 1 + .../win_cobaltstrike_service_installs.yml | 1 + .../win_dce_rpc_smb_spoolss_named_pipe.yml | 1 + .../builtin/win_dcom_iertutil_dll_hijack.yml | 1 + rules/sigma/builtin/win_dcsync.yml | 1 + .../builtin/win_disable_event_logging.yml | 1 + .../win_dpapi_domain_backupkey_extraction.yml | 1 + ..._dpapi_domain_masterkey_backup_attempt.yml | 1 + rules/sigma/builtin/win_etw_modification.yml | 1 + rules/sigma/builtin/win_event_log_cleared.yml | 1 + .../builtin/win_exchange_transportagent.yml | 1 + ...win_exploit_cve_2021_1675_printspooler.yml | 1 + ...cve_2021_1675_printspooler_operational.yml | 1 + ...it_cve_2021_1675_printspooler_security.yml | 1 + rules/sigma/builtin/win_external_device.yml | 1 + .../win_global_catalog_enumeration.yml | 1 + .../sigma/builtin/win_gpo_scheduledtasks.yml | 1 + rules/sigma/builtin/win_hack_smbexec.yml | 1 + .../builtin/win_hidden_user_creation.yml | 1 + ...n_hybridconnectionmgr_svc_installation.yml | 1 + .../win_hybridconnectionmgr_svc_running.yml | 1 + rules/sigma/builtin/win_impacket_psexec.yml | 1 + .../sigma/builtin/win_impacket_secretdump.yml | 1 + .../win_invoke_obfuscation_clip_services.yml | 1 + ...oke_obfuscation_clip_services_security.yml | 1 + ...ke_obfuscation_obfuscated_iex_services.yml | 1 + ...ation_obfuscated_iex_services_security.yml | 1 + .../win_invoke_obfuscation_stdin_services.yml | 1 + ...ke_obfuscation_stdin_services_security.yml | 1 + .../win_invoke_obfuscation_var_services.yml | 1 + ...voke_obfuscation_var_services_security.yml | 1 + ...voke_obfuscation_via_compress_services.yml | 1 + ...scation_via_compress_services_security.yml | 1 + ...invoke_obfuscation_via_rundll_services.yml | 1 + ...fuscation_via_rundll_services_security.yml | 1 + ..._invoke_obfuscation_via_stdin_services.yml | 1 + ...bfuscation_via_stdin_services_security.yml | 1 + ...voke_obfuscation_via_use_clip_services.yml | 1 + ...scation_via_use_clip_services_security.yml | 1 + ...oke_obfuscation_via_use_mshta_services.yml | 1 + ...cation_via_use_mshta_services_security.yml | 1 + ..._obfuscation_via_use_rundll32_services.yml | 1 + ...ion_via_use_rundll32_services_security.yml | 1 + ...in_invoke_obfuscation_via_var_services.yml | 1 + ..._obfuscation_via_var_services_security.yml | 1 + rules/sigma/builtin/win_iso_mount.yml | 1 + rules/sigma/builtin/win_lm_namedpipe.yml | 1 + .../win_lolbas_execution_of_nltest.yml | 1 + .../win_lsass_access_non_system_account.yml | 1 + rules/sigma/builtin/win_mal_creddumper.yml | 1 + rules/sigma/builtin/win_mal_wceaux_dll.yml | 1 + .../builtin/win_metasploit_authentication.yml | 1 + ...tstrike_getsystem_service_installation.yml | 1 + .../builtin/win_mmc20_lateral_movement.yml | 1 + rules/sigma/builtin/win_moriya_rootkit.yml | 1 + .../sigma/builtin/win_net_ntlm_downgrade.yml | 1 + .../sigma/builtin/win_net_use_admin_share.yml | 1 + ..._renamed_user_account_with_dollar_sign.yml | 1 + .../builtin/win_not_allowed_rdp_access.yml | 1 + rules/sigma/builtin/win_ntfs_vuln_exploit.yml | 1 + rules/sigma/builtin/win_overpass_the_hash.yml | 1 + rules/sigma/builtin/win_pass_the_hash.yml | 1 + rules/sigma/builtin/win_pass_the_hash_2.yml | 1 + .../builtin/win_petitpotam_network_share.yml | 1 + .../win_petitpotam_susp_tgt_request.yml | 1 + .../sigma/builtin/win_possible_dc_shadow.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../builtin/win_privesc_cve_2020_1472.yml | 1 + .../win_protected_storage_service_access.yml | 1 + ...rkspwdump_clearing_hive_access_history.yml | 1 + .../builtin/win_rare_schtasks_creations.yml | 1 + .../builtin/win_rare_service_installs.yml | 1 + .../builtin/win_rdp_bluekeep_poc_scanner.yml | 1 + .../sigma/builtin/win_rdp_localhost_login.yml | 1 + .../win_rdp_potential_cve_2019_0708.yml | 1 + .../sigma/builtin/win_rdp_reverse_tunnel.yml | 1 + ...n_register_new_logon_process_by_rubeus.yml | 1 + .../builtin/win_remote_powershell_session.yml | 1 + ..._registry_management_using_reg_utility.yml | 1 + .../win_root_certificate_installed.yml | 1 + .../win_sam_registry_hive_handle_request.yml | 1 + .../builtin/win_scheduled_task_deletion.yml | 1 + .../win_scm_database_handle_failure.yml | 1 + .../win_scm_database_privileged_operation.yml | 1 + ...scrcons_remote_wmi_scripteventconsumer.yml | 1 + ...security_cobaltstrike_service_installs.yml | 1 + .../builtin/win_security_mal_creddumper.yml | 1 + .../win_security_mal_service_installs.yml | 1 + ...or_impacket_smb_psexec_service_install.yml | 1 + ...cobaltstrike_getsystem_service_install.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../win_security_tap_driver_installation.yml | 1 + ...in_set_oabvirtualdirectory_externalurl.yml | 1 + .../win_smb_file_creation_admin_shares.yml | 1 + .../win_software_atera_rmm_agent_install.yml | 1 + .../builtin/win_susp_add_domain_trust.yml | 1 + .../builtin/win_susp_add_sid_history.yml | 1 + .../sigma/builtin/win_susp_backup_delete.yml | 1 + .../win_susp_codeintegrity_check_failure.yml | 1 + rules/sigma/builtin/win_susp_dhcp_config.yml | 1 + .../builtin/win_susp_dhcp_config_failed.yml | 1 + rules/sigma/builtin/win_susp_dns_config.yml | 1 + .../builtin/win_susp_dsrm_password_change.yml | 1 + .../builtin/win_susp_eventlog_cleared.yml | 1 + .../builtin/win_susp_failed_guest_logon.yml | 1 + .../builtin/win_susp_failed_logon_reasons.yml | 1 + .../builtin/win_susp_failed_logon_source.yml | 1 + ...usp_failed_logons_explicit_credentials.yml | 1 + .../win_susp_failed_logons_single_process.yml | 1 + .../win_susp_failed_logons_single_source.yml | 1 + .../win_susp_failed_logons_single_source2.yml | 1 + ...p_failed_logons_single_source_kerberos.yml | 1 + ..._failed_logons_single_source_kerberos2.yml | 1 + ..._failed_logons_single_source_kerberos3.yml | 1 + ..._susp_failed_logons_single_source_ntlm.yml | 1 + ...susp_failed_logons_single_source_ntlm2.yml | 1 + ...usp_failed_remote_logons_single_source.yml | 1 + .../builtin/win_susp_interactive_logons.yml | 1 + .../win_susp_kerberos_manipulation.yml | 1 + .../builtin/win_susp_ldap_dataexchange.yml | 1 + .../win_susp_local_anon_logon_created.yml | 1 + .../win_susp_logon_explicit_credentials.yml | 1 + rules/sigma/builtin/win_susp_lsass_dump.yml | 1 + .../builtin/win_susp_lsass_dump_generic.yml | 1 + .../builtin/win_susp_mshta_execution.yml | 1 + .../sigma/builtin/win_susp_msmpeng_crash.yml | 1 + ...susp_multiple_files_renamed_or_deleted.yml | 1 + .../builtin/win_susp_net_recon_activity.yml | 1 + rules/sigma/builtin/win_susp_ntlm_auth.yml | 1 + rules/sigma/builtin/win_susp_ntlm_rdp.yml | 1 + rules/sigma/builtin/win_susp_proceshacker.yml | 1 + rules/sigma/builtin/win_susp_psexec.yml | 1 + .../win_susp_raccess_sensitive_fext.yml | 1 + rules/sigma/builtin/win_susp_rc4_kerberos.yml | 1 + rules/sigma/builtin/win_susp_rottenpotato.yml | 1 + rules/sigma/builtin/win_susp_sam_dump.yml | 1 + rules/sigma/builtin/win_susp_sdelete.yml | 1 + .../builtin/win_susp_time_modification.yml | 1 + rules/sigma/builtin/win_susp_wmi_login.yml | 1 + ...uspicious_outbound_kerberos_connection.yml | 1 + .../builtin/win_svcctl_remote_service.yml | 1 + .../builtin/win_syskey_registry_access.yml | 1 + .../win_sysmon_channel_reference_deletion.yml | 1 + .../win_system_susp_eventlog_cleared.yml | 1 + .../builtin/win_tap_driver_installation.yml | 1 + ...ith_credential_data_via_network_shares.yml | 1 + .../sigma/builtin/win_usb_device_plugged.yml | 1 + ...win_user_added_to_local_administrators.yml | 1 + ...ileged_service_lsaregisterlogonprocess.yml | 1 + rules/sigma/builtin/win_user_creation.yml | 1 + .../sigma/builtin/win_user_driver_loaded.yml | 1 + .../builtin/win_volume_shadow_copy_mount.yml | 1 + ..._vssaudit_secevent_source_registration.yml | 1 + rules/sigma/builtin/win_vul_cve_2020_0688.yml | 1 + rules/sigma/builtin/win_vul_cve_2020_1472.yml | 1 + .../win_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../sysmon_cactustorch.yml | 1 + .../sysmon_cobaltstrike_process_injection.yml | 1 + .../sysmon_createremotethread_loadlibrary.yml | 1 + .../sysmon_password_dumper_lsass.yml | 1 + .../sysmon_powershell_code_injection.yml | 1 + .../sysmon_susp_powershell_rundll32.yml | 1 + .../sysmon_suspicious_remote_thread.yml | 1 + .../sysmon_ads_executable.yml | 1 + .../sysmon_regedit_export_to_ads.yml | 1 + .../dns_query/dns_net_mal_cobaltstrike.yml | 1 + rules/sigma/dns_query/dns_net_susp_ipify.yml | 1 + ...s_query_hybridconnectionmgr_servicebus.yml | 1 + rules/sigma/dns_query/dns_query_mega_nz.yml | 1 + .../dns_query_possible_dns_rebinding.yml | 1 + .../dns_query_regsvr32_network_activity.yml | 1 + .../driver_load_mal_creddumper.yml | 1 + ...tstrike_getsystem_service_installation.yml | 1 + ...powershell_script_installed_as_service.yml | 1 + .../driver_load/driver_load_susp_temp_use.yml | 1 + .../driver_load_vuln_dell_driver.yml | 1 + .../driver_load/driver_load_windivert.yml | 1 + ...mmand_execution_by_office_applications.yml | 1 + .../file_delete/sysmon_delete_prefetch.yml | 1 + ...mon_sysinternals_sdelete_file_deletion.yml | 1 + .../win_cve_2021_1675_printspooler_del.yml | 1 + .../file_event_advanced_ip_scanner.yml | 1 + .../file_event_apt_unidentified_nov_18.yml | 1 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 1 + .../file_event/file_event_hack_dumpert.yml | 1 + .../file_event_hktl_createminidump.yml | 1 + .../file_event/file_event_lsass_dump.yml | 1 + .../file_event/file_event_mal_adwind.yml | 1 + .../file_event_mal_vhd_download.yml | 1 + ...ile_event_mimikatz_kirbi_file_creation.yml | 1 + .../file_event/file_event_moriya_rootkit.yml | 1 + .../file_event_pingback_backdoor.yml | 1 + ...ript_creation_by_office_using_file_ext.yml | 1 + .../file_event/file_event_susp_task_write.yml | 1 + .../file_event/file_event_tool_psexec.yml | 1 + .../file_event_uac_bypass_winsat.yml | 1 + .../file_event/file_event_uac_bypass_wmp.yml | 1 + ...e_event_win_shell_write_susp_directory.yml | 1 + .../file_event_winrm_awl_bypass.yml | 1 + ...ile_event_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../sysmon_creation_system_file.yml | 1 + .../sysmon_cred_dump_tools_dropped_files.yml | 1 + .../sysmon_cve_2021_26858_msexchange.yml | 1 + .../sysmon_detect_powerup_dllhijacking.yml | 1 + .../sysmon_ghostpack_safetykatz.yml | 1 + ...sysmon_lsass_memory_dump_file_creation.yml | 1 + .../file_event/sysmon_office_persistence.yml | 1 + .../file_event/sysmon_outlook_newform.yml | 1 + .../file_event/sysmon_pcre_net_temp_file.yml | 1 + .../sysmon_powershell_exploit_scripts.yml | 1 + .../sysmon_powershell_startup_shortcuts.yml | 1 + .../file_event/sysmon_quarkspw_filedump.yml | 1 + .../sysmon_redmimicry_winnti_filedrop.yml | 1 + .../sysmon_startup_folder_file_write.yml | 1 + .../sysmon_susp_adsi_cache_usage.yml | 1 + .../sigma/file_event/sysmon_susp_clr_logs.yml | 1 + .../file_event/sysmon_susp_desktop_ini.yml | 1 + .../sysmon_susp_pfx_file_creation.yml | 1 + ...cexplorer_driver_created_in_tmp_folder.yml | 1 + ...n_suspicious_powershell_profile_create.yml | 1 + .../sysmon_tsclient_filewrite_startup.yml | 1 + .../sysmon_uac_bypass_consent_comctl32.yml | 1 + .../sysmon_uac_bypass_dotnet_profiler.yml | 1 + .../file_event/sysmon_uac_bypass_ieinstal.yml | 1 + .../sysmon_uac_bypass_msconfig_gui.yml | 1 + .../sysmon_uac_bypass_ntfs_reparse_point.yml | 1 + .../sysmon_webshell_creation_detect.yml | 1 + ...ersistence_script_event_consumer_write.yml | 1 + .../win_cve_2021_1675_printspooler.yml | 1 + .../win_file_winword_cve_2021_40444.yml | 1 + .../win_hivenightmare_file_exports.yml | 1 + .../win_outlook_c2_macro_creation.yml | 1 + .../sigma/file_event/win_rclone_exec_file.yml | 1 + .../win_susp_desktopimgdownldr_file.yml | 1 + .../image_load_pingback_backdoor.yml | 1 + .../image_load_silenttrinity_stage_use.yml | 1 + ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 1 + .../process_creation_tttracer_mod_load.yml | 1 + .../sysmon_abusing_azure_browser_sso.yml | 1 + ..._alternate_powershell_hosts_moduleload.yml | 1 + .../image_load/sysmon_foggyweb_nobelium.yml | 1 + .../sysmon_in_memory_powershell.yml | 1 + .../sigma/image_load/sysmon_pcre_net_load.yml | 1 + ...cons_imageload_wmi_scripteventconsumer.yml | 1 + .../image_load/sysmon_spoolsv_dll_load.yml | 1 + .../sigma/image_load/sysmon_susp_fax_dll.yml | 1 + .../image_load/sysmon_susp_image_load.yml | 1 + ...n_susp_office_dotnet_assembly_dll_load.yml | 1 + ...sysmon_susp_office_dotnet_clr_dll_load.yml | 1 + ...sysmon_susp_office_dotnet_gac_dll_load.yml | 1 + .../sysmon_susp_office_dsparse_dll_load.yml | 1 + .../sysmon_susp_office_kerberos_dll_load.yml | 1 + .../sysmon_susp_python_image_load.yml | 1 + ...sysmon_susp_script_dotnet_clr_dll_load.yml | 1 + .../sysmon_susp_system_drawing_load.yml | 1 + .../sysmon_susp_winword_vbadll_load.yml | 1 + .../sysmon_susp_winword_wmidll_load.yml | 1 + ...sysmon_suspicious_dbghelp_dbgcore_load.yml | 1 + ...sysmon_svchost_dll_search_order_hijack.yml | 1 + .../image_load/sysmon_tttracer_mod_load.yml | 1 + .../image_load/sysmon_uac_bypass_via_dism.yml | 1 + .../sysmon_uipromptforcreds_dlls.yml | 1 + ...ysmon_unsigned_image_loaded_into_lsass.yml | 1 + .../image_load/sysmon_wmi_module_load.yml | 1 + ...persistence_commandline_event_consumer.yml | 1 + .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 1 + .../sysmon_wsman_provider_image_load.yml | 1 + .../image_load/win_susp_svchost_clfsw32.yml | 1 + .../image_load/win_suspicious_vss_ps_load.yml | 1 + rules/sigma/malware/av_exploiting.yml | 1 + rules/sigma/malware/av_hacktool.yml | 1 + rules/sigma/malware/av_password_dumper.yml | 1 + .../av_printernightmare_cve_2021_34527.yml | 1 + rules/sigma/malware/av_relevant_files.yml | 1 + rules/sigma/malware/av_webshell.yml | 1 + .../file_event_mal_octopus_scanner.yml | 1 + .../process_creation_mal_blue_mockingbird.yml | 1 + ...ocess_creation_mal_darkside_ransomware.yml | 1 + ...ess_creation_mal_lockergoga_ransomware.yml | 1 + .../malware/process_creation_mal_ryuk.yml | 1 + .../malware/registry_event_mal_azorult.yml | 1 + .../registry_event_mal_blue_mockingbird.yml | 1 + .../malware/registry_event_mal_flowcloud.yml | 1 + .../malware/registry_event_mal_netwire.yml | 1 + .../malware/registry_event_mal_ursnif.yml | 1 + .../silenttrinity_stager_msbuild_activity.yml | 1 + .../sysmon_dllhost_net_connections.yml | 1 + ...smon_excel_outbound_network_connection.yml | 1 + .../sysmon_malware_backconnect_ports.yml | 1 + .../sysmon_notepad_network_connection.yml | 1 + .../sysmon_powershell_network_connection.yml | 1 + .../sysmon_rdp_reverse_tunnel.yml | 1 + .../sysmon_regsvr32_network_activity.yml | 1 + ...smon_remote_powershell_session_network.yml | 1 + .../sysmon_rundll32_net_connections.yml | 1 + ..._susp_prog_location_network_connection.yml | 1 + .../network_connection/sysmon_susp_rdp.yml | 1 + ...uspicious_outbound_kerberos_connection.yml | 1 + .../sysmon_win_binary_github_com.yml | 1 + .../sysmon_win_binary_susp_com.yml | 1 + .../sysmon_wuauclt_network_connection.yml | 1 + .../win_net_crypto_mining.yml | 1 + .../sigma/other/win_defender_amsi_trigger.yml | 1 + rules/sigma/other/win_defender_bypass.yml | 1 + rules/sigma/other/win_defender_disabled.yml | 1 + rules/sigma/other/win_defender_exclusions.yml | 1 + .../other/win_defender_history_delete.yml | 1 + .../other/win_defender_psexec_wmi_asr.yml | 1 + ...win_defender_tamper_protection_trigger.yml | 1 + rules/sigma/other/win_defender_threat.yml | 1 + .../other/win_exchange_cve_2021_42321.yml | 1 + .../win_exchange_proxylogon_oabvirtualdir.yml | 1 + ...ange_proxyshell_certificate_generation.yml | 1 + ...win_exchange_proxyshell_mailbox_export.yml | 1 + ...hange_proxyshell_remove_mailbox_export.yml | 1 + .../win_exchange_transportagent_failed.yml | 1 + .../other/win_lateral_movement_condrv.yml | 1 + rules/sigma/other/win_ldap_recon.yml | 1 + rules/sigma/other/win_pcap_drivers.yml | 1 + ...gon_exploitation_using_wellknown_tools.yml | 1 + .../sigma/other/win_rare_schtask_creation.yml | 1 + .../other/win_security_wmi_persistence.yml | 1 + .../other/win_system_defender_disabled.yml | 1 + rules/sigma/other/win_tool_psexec.yml | 1 + rules/sigma/other/win_wmi_persistence.yml | 1 + .../pipe_created/pipe_created_tool_psexec.yml | 1 + ...sysmon_alternate_powershell_hosts_pipe.yml | 1 + .../sysmon_apt_turla_namedpipes.yml | 1 + .../sysmon_cred_dump_tools_named_pipes.yml | 1 + .../sysmon_efspotato_namedpipe.yml | 1 + .../pipe_created/sysmon_mal_cobaltstrike.yml | 1 + .../sysmon_mal_cobaltstrike_re.yml | 1 + .../pipe_created/sysmon_mal_namedpipes.yml | 1 + .../sysmon_powershell_execution_pipe.yml | 1 + .../sysmon_psexec_pipes_artifacts.yml | 1 + .../sysmon_susp_adfs_namedpipe_connection.yml | 1 + ...sysmon_susp_cobaltstrike_pipe_patterns.yml | 1 + .../sysmon_susp_wmi_consumer_namedpipe.yml | 1 + ...ell_classic_alternate_powershell_hosts.yml | 1 + .../powershell_classic_powercat.yml | 1 + ...hell_classic_remote_powershell_session.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../powershell_classic_susp_zip_compress.yml | 1 + ...powershell_classic_suspicious_download.yml | 1 + ...powershell_delete_volume_shadow_copies.yml | 1 + .../powershell_downgrade_attack.yml | 1 + .../powershell_exe_calling_ps.yml | 1 + .../powershell_renamed_powershell.yml | 1 + ...owershell_tamper_with_windows_defender.yml | 1 + ...shell_wsman_com_provider_no_powershell.yml | 1 + .../powershell_xor_commandline.yml | 1 + .../powershell_alternate_powershell_hosts.yml | 1 + .../powershell_bad_opsec_artifacts.yml | 1 + .../powershell_clear_powershell_history.yml | 1 + .../powershell_decompress_commands.yml | 1 + .../powershell_get_clipboard.yml | 1 + .../powershell_invoke_obfuscation_clip.yml | 1 + ...hell_invoke_obfuscation_obfuscated_iex.yml | 1 + .../powershell_invoke_obfuscation_stdin.yml | 1 + .../powershell_invoke_obfuscation_var.yml | 1 + ...rshell_invoke_obfuscation_via_compress.yml | 1 + ...wershell_invoke_obfuscation_via_rundll.yml | 1 + ...owershell_invoke_obfuscation_via_stdin.yml | 1 + ...rshell_invoke_obfuscation_via_use_clip.yml | 1 + ...shell_invoke_obfuscation_via_use_mhsta.yml | 1 + ...ll_invoke_obfuscation_via_use_rundll32.yml | 1 + .../powershell_invoke_obfuscation_via_var.yml | 1 + .../powershell_module/powershell_powercat.yml | 1 + .../powershell_remote_powershell_session.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../powershell_susp_zip_compress.yml | 1 + ...ell_suspicious_download_in_contextinfo.yml | 1 + ...ious_invocation_generic_in_contextinfo.yml | 1 + ...ous_invocation_specific_in_contextinfo.yml | 1 + ...ppvpublishingserver_exe_in_contextinfo.yml | 1 + .../powershell_accessing_win_api.yml | 1 + .../powershell_adrecon_execution.yml | 1 + .../powershell_automated_collection.yml | 1 + .../powershell_azurehound_commands.yml | 1 + .../powershell_cl_invocation_lolscript.yml | 1 + ...wershell_cl_invocation_lolscript_count.yml | 1 + ...powershell_cl_mutexverifiers_lolscript.yml | 1 + ...hell_cl_mutexverifiers_lolscript_count.yml | 1 + .../powershell_create_local_user.yml | 1 + .../powershell_data_compressed.yml | 1 + .../powershell_detect_vm_env.yml | 1 + .../powershell_dnscat_execution.yml | 1 + .../powershell_icmp_exfiltration.yml | 1 + .../powershell_invoke_nightmare.yml | 1 + ...ke_obfuscation_clip_in_scriptblocktext.yml | 1 + ...tion_obfuscated_iex_in_scriptblocktext.yml | 1 + ...e_obfuscation_stdin_in_scriptblocktext.yml | 1 + ...oke_obfuscation_var_in_scriptblocktext.yml | 1 + ...cation_via_compress_in_scriptblocktext.yml | 1 + ...uscation_via_rundll_in_scriptblocktext.yml | 1 + ...fuscation_via_stdin_in_scriptblocktext.yml | 1 + ...cation_via_use_clip_in_scriptblocktext.yml | 1 + ...ation_via_use_mhsta_in_scriptblocktext.yml | 1 + ...on_via_use_rundll32_in_scriptblocktext.yml | 1 + ...obfuscation_via_var_in_scriptblocktext.yml | 1 + .../powershell_keylogging.yml | 1 + .../powershell_malicious_commandlets.yml | 1 + .../powershell_malicious_keywords.yml | 1 + ...ll_memorydump_getstoragediagnosticinfo.yml | 1 + ...wershell_nishang_malicious_commandlets.yml | 1 + .../powershell_ntfs_ads_access.yml | 1 + ...rshell_powerview_malicious_commandlets.yml | 1 + .../powershell_prompt_credentials.yml | 1 + .../powershell_script/powershell_psattack.yml | 1 + ...ershell_set_policies_to_unsecure_level.yml | 1 + .../powershell_shellcode_b64.yml | 1 + ...shell_shellintel_malicious_commandlets.yml | 1 + .../powershell_software_discovery.yml | 1 + ...ll_store_file_in_alternate_data_stream.yml | 1 + ...l_susp_zip_compress_in_scriptblocktext.yml | 1 + ...suspicious_download_in_scriptblocktext.yml | 1 + ...shell_suspicious_export_pfxcertificate.yml | 1 + ...powershell_suspicious_getprocess_lsass.yml | 1 + ..._invocation_generic_in_scriptblocktext.yml | 1 + ..._invocation_specific_in_scripblocktext.yml | 1 + .../powershell_suspicious_keywords.yml | 1 + .../powershell_suspicious_mail_acces.yml | 1 + ...hell_suspicious_mounted_share_deletion.yml | 1 + .../powershell_suspicious_recon.yml | 1 + .../powershell_suspicious_win32_pnpentity.yml | 1 + .../powershell_suspicious_windowstyle.yml | 1 + ...ublishingserver_exe_in_scriptblocktext.yml | 1 + .../powershell_timestomp.yml | 1 + .../powershell_trigger_profiles.yml | 1 + .../powershell_web_request.yml | 1 + ...hell_windows_firewall_profile_disabled.yml | 1 + .../powershell_winlogon_helper_dll.yml | 1 + .../powershell_wmi_persistence.yml | 1 + .../powershell_wmimplant.yml | 1 + .../sysmon_cmstp_execution_by_access.yml | 1 + ...mon_cobaltstrike_bof_injection_pattern.yml | 1 + .../sysmon_cred_dump_lsass_access.yml | 1 + .../sysmon_direct_syscall_ntopenprocess.yml | 1 + .../sysmon_in_memory_assembly_execution.yml | 1 + .../process_access/sysmon_invoke_phantom.yml | 1 + .../sysmon_lazagne_cred_dump_lsass_access.yml | 1 + ...sysmon_littlecorporal_generated_maldoc.yml | 1 + ...ndocumented_autoelevated_com_interface.yml | 1 + .../sysmon_lsass_dump_comsvcs_dll.yml | 1 + .../process_access/sysmon_lsass_memdump.yml | 1 + .../sysmon_malware_verclsid_shellcode.yml | 1 + .../sysmon_mimikatz_trough_winrm.yml | 1 + ...sysmon_pypykatz_cred_dump_lsass_access.yml | 1 + .../sysmon_svchost_cred_dump.yml | 1 + .../sysmon_uac_bypass_wow64_logger.yml | 1 + .../win_susp_shell_spawn_from_winrm.yml | 1 + ...sing_windows_telemetry_for_persistence.yml | 1 + .../process_creation_advanced_ip_scanner.yml | 1 + ...rocess_creation_alternate_data_streams.yml | 1 + .../process_creation_apt_gallium.yml | 1 + .../process_creation_apt_gallium_sha1.yml | 1 + .../process_creation_apt_pandemic.yml | 1 + .../process_creation_apt_slingshot.yml | 1 + ...s_creation_apt_turla_commands_critical.yml | 1 + .../process_creation_apt_wocao.yml | 1 + .../process_creation_automated_collection.yml | 1 + .../process_creation_c3_load_by_rundll32.yml | 1 + .../process_creation_certoc_execution.yml | 1 + .../process_creation_clip.yml | 1 + ...creation_cobaltstrike_load_by_rundll32.yml | 1 + .../process_creation_conti_cmd_ransomware.yml | 1 + .../process_creation_coti_sqlcmd.yml | 1 + ...process_creation_discover_private_keys.yml | 1 + ...cess_creation_dns_serverlevelplugindll.yml | 1 + .../process_creation_dotnet.yml | 1 + .../process_creation_hack_dumpert.yml | 1 + .../process_creation_infdefaultinstall.yml | 1 + ...data_exfiltration_by_using_datasvcutil.yml | 1 + ...reation_lolbins_by_office_applications.yml | 1 + ...suspicious_driver_installed_by_pnputil.yml | 1 + ...n_lolbins_with_wmiprvse_parent_process.yml | 1 + .../process_creation_msdeploy.yml | 1 + ..._applications_spawning_wmi_commandline.yml | 1 + ..._from_proxy_executing_regsvr32_payload.yml | 1 + ...from_proxy_executing_regsvr32_payload2.yml | 1 + ...eation_office_spawning_wmi_commandline.yml | 1 + .../process_creation_pingback_backdoor.yml | 1 + ...eation_protocolhandler_suspicious_file.yml | 1 + ...ss_creation_root_certificate_installed.yml | 1 + .../process_creation_sdelete.yml | 1 + .../process_creation_software_discovery.yml | 1 + ...ocess_creation_stickykey_like_backdoor.yml | 1 + .../process_creation_stordiag_execution.yml | 1 + .../process_creation_susp_7z.yml | 1 + ...susp_athremotefxvgpudisablementcommand.yml | 1 + .../process_creation_susp_del.yml | 1 + .../process_creation_susp_recon.yml | 1 + .../process_creation_susp_web_request_cmd.yml | 1 + .../process_creation_susp_winzip.yml | 1 + .../process_creation_susp_zip_compress.yml | 1 + ...ingserver_execute_arbitrary_powershell.yml | 1 + ...ublishingserver_vbs_execute_powershell.yml | 1 + ...ss_creation_sysinternals_eula_accepted.yml | 1 + ...ss_creation_sysmon_uac_bypass_eventvwr.yml | 1 + .../process_creation_tool_psexec.yml | 1 + ...s_creation_win_exchange_transportagent.yml | 1 + .../process_mailboxexport_share.yml | 1 + .../process_susp_esentutl_params.yml | 1 + .../sysmon_abusing_debug_privilege.yml | 1 + ..._accesschk_usage_after_priv_escalation.yml | 1 + ...levated_msi_spawned_cmd_and_powershell.yml | 1 + ...ays_install_elevated_windows_installer.yml | 1 + .../sysmon_apt_muddywater_dnstunnel.yml | 1 + .../process_creation/sysmon_apt_sourgrum.yml | 1 + ...sian_confluence_cve_2021_26084_exploit.yml | 1 + .../sysmon_cmstp_execution_by_creation.yml | 1 + .../sysmon_creation_mavinject_dll.yml | 1 + .../sysmon_cve_2021_26857_msexchange.yml | 1 + .../sysmon_expand_cabinet_files.yml | 1 + .../process_creation/sysmon_hack_wce.yml | 1 + .../sysmon_high_integrity_sdclt.yml | 1 + ...on_scripts_userinitmprlogonscript_proc.yml | 1 + .../sysmon_long_powershell_commandline.yml | 1 + .../sysmon_netcat_execution.yml | 1 + .../sysmon_proxy_execution_wuauclt.yml | 1 + ...move_windows_defender_definition_files.yml | 1 + .../sysmon_sdclt_child_process.yml | 1 + .../sysmon_susp_plink_remote_forward.yml | 1 + .../sysmon_susp_service_modification.yml | 1 + .../sysmon_susp_webdav_client_execution.yml | 1 + .../sysmon_uninstall_crowdstrike_falcon.yml | 1 + .../sysmon_vmtoolsd_susp_child_process.yml | 1 + .../wim_pc_apt_chafer_mar18.yml | 1 + .../win_ad_find_discovery.yml | 1 + .../win_anydesk_silent_install.yml | 1 + .../win_apt_apt29_thinktanks.yml | 1 + .../process_creation/win_apt_babyshark.yml | 1 + .../win_apt_bear_activity_gtr19.yml | 1 + .../process_creation/win_apt_bluemashroom.yml | 1 + .../process_creation/win_apt_cloudhopper.yml | 1 + .../process_creation/win_apt_dragonfly.yml | 1 + .../sigma/process_creation/win_apt_elise.yml | 1 + .../win_apt_emissarypanda_sep19.yml | 1 + .../process_creation/win_apt_empiremonkey.yml | 1 + .../win_apt_equationgroup_dll_u_load.yml | 1 + .../win_apt_evilnum_jul20.yml | 1 + .../win_apt_greenbug_may20.yml | 1 + .../process_creation/win_apt_hafnium.yml | 1 + .../win_apt_hurricane_panda.yml | 1 + .../win_apt_judgement_panda_gtr19.yml | 1 + .../win_apt_ke3chang_regadd.yml | 1 + .../win_apt_lazarus_activity_apr21.yml | 1 + .../win_apt_lazarus_activity_dec20.yml | 1 + .../win_apt_lazarus_loader.yml | 1 + .../win_apt_lazarus_session_highjack.yml | 1 + .../process_creation/win_apt_mustangpanda.yml | 1 + .../process_creation/win_apt_revil_kaseya.yml | 1 + .../sigma/process_creation/win_apt_sofacy.yml | 1 + .../process_creation/win_apt_ta17_293a_ps.yml | 1 + .../win_apt_ta505_dropper.yml | 1 + .../process_creation/win_apt_taidoor.yml | 1 + .../win_apt_tropictrooper.yml | 1 + .../win_apt_turla_comrat_may20.yml | 1 + .../process_creation/win_apt_unc2452_cmds.yml | 1 + .../process_creation/win_apt_unc2452_ps.yml | 1 + .../win_apt_unidentified_nov_18.yml | 1 + .../win_apt_winnti_mal_hk_jan20.yml | 1 + .../win_apt_winnti_pipemon.yml | 1 + .../process_creation/win_apt_zxshell.yml | 1 + .../win_attrib_hiding_files.yml | 1 + .../win_bad_opsec_sacrificial_processes.yml | 1 + .../process_creation/win_bootconf_mod.yml | 1 + .../win_bypass_squiblytwo.yml | 1 + .../win_change_default_file_association.yml | 1 + .../win_cl_invocation_lolscript.yml | 1 + .../win_cl_mutexverifiers_lolscript.yml | 1 + .../win_class_exec_xwizard.yml | 1 + .../process_creation/win_cmdkey_recon.yml | 1 + .../win_cmstp_com_object_access.yml | 1 + .../win_cobaltstrike_process_patterns.yml | 1 + .../win_commandline_path_traversal.yml | 1 + ...win_commandline_path_traversal_evasion.yml | 1 + .../win_control_panel_item.yml | 1 + ...g_sensitive_files_with_credential_data.yml | 1 + ..._credential_access_via_password_filter.yml | 1 + .../process_creation/win_crime_fireball.yml | 1 + .../win_crime_maze_ransomware.yml | 1 + .../win_crime_snatch_ransomware.yml | 1 + .../win_crypto_mining_monero.yml | 1 + .../win_data_compressed_with_rar.yml | 1 + .../win_detecting_fake_instances_of_hxtsr.yml | 1 + .../win_dll_sideload_xwizard.yml | 1 + .../win_dns_exfiltration_tools_execution.yml | 1 + .../win_dnscat2_powershell_implementation.yml | 1 + .../win_encoded_frombase64string.yml | 1 + .../process_creation/win_encoded_iex.yml | 1 + .../win_etw_modification_cmdline.yml | 1 + .../win_etw_trace_evasion.yml | 1 + ...ltration_and_tunneling_tools_execution.yml | 1 + .../win_exploit_cve_2015_1641.yml | 1 + .../win_exploit_cve_2017_0261.yml | 1 + .../win_exploit_cve_2017_11882.yml | 1 + .../win_exploit_cve_2017_8759.yml | 1 + .../win_exploit_cve_2019_1378.yml | 1 + .../win_exploit_cve_2019_1388.yml | 1 + .../win_exploit_cve_2020_10189.yml | 1 + .../win_exploit_cve_2020_1048.yml | 1 + .../win_exploit_cve_2020_1350.yml | 1 + .../win_exploit_systemnightmare.yml | 1 + .../win_file_permission_modifications.yml | 1 + .../win_grabbing_sensitive_hives_via_reg.yml | 1 + .../process_creation/win_hack_adcspwn.yml | 1 + .../process_creation/win_hack_bloodhound.yml | 1 + .../process_creation/win_hack_koadic.yml | 1 + .../process_creation/win_hack_rubeus.yml | 1 + .../win_hack_secutyxploded.yml | 1 + rules/sigma/process_creation/win_hh_chm.yml | 1 + .../win_hiding_malware_in_fonts_folder.yml | 1 + .../win_hktl_createminidump.yml | 1 + .../win_hktl_uacme_uac_bypass.yml | 1 + .../process_creation/win_html_help_spawn.yml | 1 + .../process_creation/win_hwp_exploits.yml | 1 + .../win_impacket_compiled_tools.yml | 1 + .../win_impacket_lateralization.yml | 1 + .../process_creation/win_indirect_cmd.yml | 1 + ...n_indirect_cmd_compatibility_assistant.yml | 1 + .../win_install_reg_debugger_backdoor.yml | 1 + .../process_creation/win_interactive_at.yml | 1 + .../win_invoke_obfuscation_clip.yml | 1 + ...obfuscation_obfuscated_iex_commandline.yml | 1 + .../win_invoke_obfuscation_stdin.yml | 1 + .../win_invoke_obfuscation_var.yml | 1 + .../win_invoke_obfuscation_via_compress.yml | 1 + .../win_invoke_obfuscation_via_rundll.yml | 1 + .../win_invoke_obfuscation_via_stdin.yml | 1 + .../win_invoke_obfuscation_via_use_clip.yml | 1 + .../win_invoke_obfuscation_via_use_mhsta.yml | 1 + ...in_invoke_obfuscation_via_use_rundll32.yml | 1 + .../win_invoke_obfuscation_via_var.yml | 1 + .../sigma/process_creation/win_lethalhta.yml | 1 + ...n_local_system_owner_account_discovery.yml | 1 + .../win_lolbas_execution_of_wuauclt.yml | 1 + .../win_lolbin_execution_via_winget.yml | 1 + .../sigma/process_creation/win_lsass_dump.yml | 1 + .../sigma/process_creation/win_mal_adwind.yml | 1 + .../process_creation/win_malware_conti.yml | 1 + .../win_malware_conti_7zip.yml | 1 + .../win_malware_conti_shadowcopy.yml | 1 + .../process_creation/win_malware_dridex.yml | 1 + .../process_creation/win_malware_dtrack.yml | 1 + .../process_creation/win_malware_emotet.yml | 1 + .../process_creation/win_malware_formbook.yml | 1 + .../process_creation/win_malware_notpetya.yml | 1 + .../process_creation/win_malware_qbot.yml | 1 + .../process_creation/win_malware_ryuk.yml | 1 + .../win_malware_script_dropper.yml | 1 + .../win_malware_trickbot_recon_activity.yml | 1 + .../win_malware_trickbot_wermgr.yml | 1 + .../process_creation/win_malware_wannacry.yml | 1 + .../win_manage_bde_lolbas.yml | 1 + .../win_mavinject_proc_inj.yml | 1 + ...r_cobaltstrike_getsystem_service_start.yml | 1 + .../win_mimikatz_command_line.yml | 1 + .../process_creation/win_mmc_spawn_shell.yml | 1 + ..._modif_of_services_for_via_commandline.yml | 1 + ...in_monitoring_for_persistence_via_bits.yml | 1 + .../sigma/process_creation/win_mouse_lock.yml | 1 + .../process_creation/win_mshta_javascript.yml | 1 + .../win_mshta_spawn_shell.yml | 1 + .../win_multiple_suspicious_cli.yml | 1 + rules/sigma/process_creation/win_net_enum.yml | 1 + .../process_creation/win_net_user_add.yml | 1 + .../win_netsh_allow_port_rdp.yml | 1 + .../process_creation/win_netsh_fw_add.yml | 1 + .../win_netsh_fw_add_susp_image.yml | 1 + .../win_netsh_packet_capture.yml | 1 + .../process_creation/win_netsh_port_fwd.yml | 1 + .../win_netsh_port_fwd_3389.yml | 1 + .../win_netsh_wifi_credential_harvesting.yml | 1 + .../process_creation/win_network_sniffing.yml | 1 + .../win_new_service_creation.yml | 1 + .../process_creation/win_nltest_recon.yml | 1 + .../win_non_interactive_powershell.yml | 1 + .../win_non_priv_reg_or_ps.yml | 1 + .../process_creation/win_office_shell.yml | 1 + ..._office_spawn_exe_from_users_directory.yml | 1 + .../win_pc_set_policies_to_unsecure_level.yml | 1 + .../win_pc_susp_cmdl32_lolbas.yml | 1 + .../win_pc_susp_reg_bitlocker.yml | 1 + .../win_pc_susp_schtasks_user_temp.yml | 1 + .../process_creation/win_pc_susp_zipexec.yml | 1 + .../win_plugx_susp_exe_locations.yml | 1 + .../win_possible_applocker_bypass.yml | 1 + ...ation_via_service_registry_permissions.yml | 1 + .../win_powershell_amsi_bypass.yml | 1 + .../win_powershell_audio_capture.yml | 1 + .../win_powershell_b64_shellcode.yml | 1 + .../win_powershell_bitsjob.yml | 1 + ...in_powershell_cmdline_reversed_strings.yml | 1 + ..._powershell_cmdline_special_characters.yml | 1 + ...wershell_cmdline_specific_comb_methods.yml | 1 + .../win_powershell_defender_exclusion.yml | 1 + .../win_powershell_disable_windef_av.yml | 1 + .../win_powershell_dll_execution.yml | 1 + .../win_powershell_downgrade_attack.yml | 1 + .../win_powershell_download.yml | 1 + .../win_powershell_frombase64string.yml | 1 + ...in_powershell_reverse_shell_connection.yml | 1 + ...ershell_suspicious_parameter_variation.yml | 1 + .../win_powershell_xor_commandline.yml | 1 + .../win_powersploit_empire_schtasks.yml | 1 + .../win_proc_wrong_parent.yml | 1 + rules/sigma/process_creation/win_procdump.yml | 1 + ...in_process_creation_bitsadmin_download.yml | 1 + .../win_process_dump_rdrleakdiag.yml | 1 + .../win_process_dump_rundll32_comsvcs.yml | 1 + .../process_creation/win_psexesvc_start.yml | 1 + .../win_purplesharp_indicators.yml | 1 + .../process_creation/win_query_registry.yml | 1 + .../win_rasautou_dll_execution.yml | 1 + .../win_rdp_hijack_shadowing.yml | 1 + .../win_redmimicry_winnti_proc.yml | 1 + .../process_creation/win_reg_add_run_key.yml | 1 + .../win_regedit_export_critical_keys.yml | 1 + .../win_regedit_export_keys.yml | 1 + .../win_regedit_import_keys.yml | 1 + .../win_regedit_import_keys_ads.yml | 1 + rules/sigma/process_creation/win_regini.yml | 1 + .../sigma/process_creation/win_regini_ads.yml | 1 + .../win_remote_powershell_session_process.yml | 1 + .../win_remote_time_discovery.yml | 1 + .../process_creation/win_renamed_binary.yml | 1 + .../win_renamed_binary_highly_relevant.yml | 1 + .../process_creation/win_renamed_jusched.yml | 1 + .../process_creation/win_renamed_megasync.yml | 1 + .../process_creation/win_renamed_paexec.yml | 1 + .../win_renamed_powershell.yml | 1 + .../process_creation/win_renamed_procdump.yml | 1 + .../process_creation/win_renamed_psexec.yml | 1 + .../process_creation/win_renamed_whoami.yml | 1 + .../win_run_powershell_script_from_ads.yml | 1 + ...un_powershell_script_from_input_stream.yml | 1 + .../process_creation/win_run_virtualbox.yml | 1 + .../win_rundll32_without_parameters.yml | 1 + .../win_script_event_consumer_spawn.yml | 1 + .../win_sdbinst_shim_persistence.yml | 1 + .../win_service_execution.yml | 1 + .../process_creation/win_service_stop.yml | 1 + .../win_shadow_copies_access_symlink.yml | 1 + .../win_shadow_copies_creation.yml | 1 + .../win_shadow_copies_deletion.yml | 1 + .../win_shell_spawn_mshta.yml | 1 + .../win_shell_spawn_susp_program.yml | 1 + .../win_silenttrinity_stage_use.yml | 1 + .../win_soundrec_audio_capture.yml | 1 + rules/sigma/process_creation/win_spn_enum.yml | 1 + ...uthenticated_privileged_console_access.yml | 1 + .../win_sus_auditpol_usage.yml | 1 + .../process_creation/win_susp_adfind.yml | 1 + .../process_creation/win_susp_atbroker.yml | 1 + .../process_creation/win_susp_bcdedit.yml | 1 + .../process_creation/win_susp_bginfo.yml | 1 + .../win_susp_bitstransfer.yml | 1 + .../sigma/process_creation/win_susp_calc.yml | 1 + rules/sigma/process_creation/win_susp_cdb.yml | 1 + .../win_susp_certutil_command.yml | 1 + .../win_susp_certutil_encode.yml | 1 + .../win_susp_child_process_as_system_.yml | 1 + .../process_creation/win_susp_cli_escape.yml | 1 + .../win_susp_cmd_http_appdata.yml | 1 + .../win_susp_cmd_shadowcopy_access.yml | 1 + .../win_susp_codepage_switch.yml | 1 + .../win_susp_commands_recon_activity.yml | 1 + .../win_susp_compression_params.yml | 1 + .../win_susp_comsvcs_procdump.yml | 1 + .../process_creation/win_susp_conhost.yml | 1 + .../win_susp_control_cve_2021_40444.yml | 1 + .../win_susp_control_dll_load.yml | 1 + .../win_susp_copy_lateral_movement.yml | 1 + .../win_susp_copy_system32.yml | 1 + .../process_creation/win_susp_covenant.yml | 1 + .../win_susp_crackmapexec_execution.yml | 1 + ...sp_crackmapexec_powershell_obfuscation.yml | 1 + rules/sigma/process_creation/win_susp_csc.yml | 1 + .../process_creation/win_susp_csc_folder.yml | 1 + rules/sigma/process_creation/win_susp_csi.yml | 1 + .../win_susp_curl_download.yml | 1 + .../win_susp_curl_fileupload.yml | 1 + .../win_susp_curl_start_combo.yml | 1 + .../win_susp_dctask64_proc_inject.yml | 1 + .../win_susp_desktopimgdownldr.yml | 1 + .../win_susp_devtoolslauncher.yml | 1 + ...susp_direct_asep_reg_keys_modification.yml | 1 + .../win_susp_disable_eventlog.yml | 1 + .../win_susp_disable_ie_features.yml | 1 + .../win_susp_disable_raccine.yml | 1 + .../process_creation/win_susp_diskshadow.yml | 1 + .../process_creation/win_susp_ditsnap.yml | 1 + rules/sigma/process_creation/win_susp_dnx.yml | 1 + .../win_susp_double_extension.yml | 1 + .../sigma/process_creation/win_susp_dxcap.yml | 1 + .../win_susp_emotet_rundll32_execution.yml | 1 + .../win_susp_eventlog_clear.yml | 1 + .../win_susp_execution_path.yml | 1 + .../win_susp_execution_path_webserver.yml | 1 + .../process_creation/win_susp_explorer.yml | 1 + .../win_susp_explorer_break_proctree.yml | 1 + .../win_susp_file_characteristics.yml | 1 + ...p_file_download_via_gfxdownloadwrapper.yml | 1 + .../process_creation/win_susp_findstr.yml | 1 + .../process_creation/win_susp_findstr_lnk.yml | 1 + .../win_susp_finger_usage.yml | 1 + .../win_susp_firewall_disable.yml | 1 + .../win_susp_fsutil_usage.yml | 1 + rules/sigma/process_creation/win_susp_ftp.yml | 1 + rules/sigma/process_creation/win_susp_gup.yml | 1 + .../win_susp_iss_module_install.yml | 1 + .../win_susp_mounted_share_deletion.yml | 1 + .../win_susp_mpcmdrun_download.yml | 1 + .../win_susp_mshta_pattern.yml | 1 + .../process_creation/win_susp_msiexec_cwd.yml | 1 + .../win_susp_msiexec_web_install.yml | 1 + .../process_creation/win_susp_msoffice.yml | 1 + .../win_susp_net_execution.yml | 1 + .../win_susp_netsh_dll_persistence.yml | 1 + .../process_creation/win_susp_ngrok_pua.yml | 1 + .../process_creation/win_susp_ntdsutil.yml | 1 + .../process_creation/win_susp_odbcconf.yml | 1 + .../process_creation/win_susp_openwith.yml | 1 + .../process_creation/win_susp_outlook.yml | 1 + .../win_susp_outlook_temp.yml | 1 + .../process_creation/win_susp_pcwutl.yml | 1 + .../process_creation/win_susp_pester.yml | 1 + .../process_creation/win_susp_ping_hex_ip.yml | 1 + .../win_susp_powershell_empire_launch.yml | 1 + .../win_susp_powershell_empire_uac_bypass.yml | 1 + .../win_susp_powershell_enc_cmd.yml | 1 + .../win_susp_powershell_encoded_param.yml | 1 + .../win_susp_powershell_getprocess_lsass.yml | 1 + .../win_susp_powershell_hidden_b64_cmd.yml | 1 + .../win_susp_powershell_parent_combo.yml | 1 + .../win_susp_powershell_parent_process.yml | 1 + .../win_susp_powershell_sam_access.yml | 1 + .../sigma/process_creation/win_susp_print.yml | 1 + .../process_creation/win_susp_procdump.yml | 1 + .../win_susp_procdump_lsass.yml | 1 + .../process_creation/win_susp_ps_appdata.yml | 1 + .../win_susp_ps_downloadfile.yml | 1 + .../process_creation/win_susp_psexec_eula.yml | 1 + .../win_susp_psexex_paexec_flags.yml | 1 + .../win_susp_psr_capture_screenshots.yml | 1 + .../process_creation/win_susp_rar_flags.yml | 1 + .../win_susp_rasdial_activity.yml | 1 + .../win_susp_razorinstaller_explorer.yml | 1 + .../win_susp_rclone_execution.yml | 1 + .../win_susp_recon_activity.yml | 1 + .../win_susp_reg_disable_sec_services.yml | 1 + .../win_susp_regedit_trustedinstaller.yml | 1 + .../win_susp_register_cimprovider.yml | 1 + .../win_susp_registration_via_cscript.yml | 1 + .../win_susp_regsvr32_anomalies.yml | 1 + .../win_susp_regsvr32_flags_anomaly.yml | 1 + .../win_susp_regsvr32_no_dll.yml | 1 + .../win_susp_renamed_dctask64.yml | 1 + .../win_susp_renamed_debugview.yml | 1 + .../win_susp_renamed_paexec.yml | 1 + .../process_creation/win_susp_rpcping.yml | 1 + .../win_susp_run_locations.yml | 1 + .../win_susp_rundll32_activity.yml | 1 + .../win_susp_rundll32_by_ordinal.yml | 1 + .../win_susp_rundll32_inline_vbs.yml | 1 + .../win_susp_rundll32_no_params.yml | 1 + ...p_rundll32_setupapi_installhinfsection.yml | 1 + .../win_susp_rundll32_sys.yml | 1 + .../win_susp_runonce_execution.yml | 1 + .../win_susp_runscripthelper.yml | 1 + .../win_susp_schtask_creation.yml | 1 + .../win_susp_schtask_creation_temp_folder.yml | 1 + .../win_susp_screenconnect_access.yml | 1 + .../win_susp_screensaver_reg.yml | 1 + .../win_susp_script_exec_from_temp.yml | 1 + .../win_susp_script_execution.yml | 1 + .../win_susp_service_dacl_modification.yml | 1 + .../process_creation/win_susp_service_dir.yml | 1 + .../win_susp_service_path_modification.yml | 1 + ...susp_servu_exploitation_cve_2021_35211.yml | 1 + .../win_susp_servu_process_pattern.yml | 1 + .../win_susp_shell_spawn_from_mssql.yml | 1 + .../win_susp_shimcache_flush.yml | 1 + .../process_creation/win_susp_splwow64.yml | 1 + .../win_susp_spoolsv_child_processes.yml | 1 + .../win_susp_sqldumper_activity.yml | 1 + .../win_susp_squirrel_lolbin.yml | 1 + .../process_creation/win_susp_svchost.yml | 1 + .../win_susp_svchost_no_cli.yml | 1 + .../win_susp_sysprep_appdata.yml | 1 + .../win_susp_sysvol_access.yml | 1 + .../win_susp_taskmgr_localsystem.yml | 1 + .../win_susp_taskmgr_parent.yml | 1 + .../win_susp_tracker_execution.yml | 1 + .../win_susp_tscon_localsystem.yml | 1 + .../win_susp_tscon_rdp_redirect.yml | 1 + .../win_susp_uac_bypass_trustedpath.yml | 1 + .../win_susp_use_of_csharp_console.yml | 1 + .../win_susp_use_of_sqlps_bin.yml | 1 + .../win_susp_use_of_sqltoolsps_bin.yml | 1 + .../win_susp_use_of_te_bin.yml | 1 + .../win_susp_use_of_vsjitdebugger_bin.yml | 1 + .../win_susp_userinit_child.yml | 1 + .../process_creation/win_susp_vboxdrvinst.yml | 1 + .../win_susp_vbscript_unc2452.yml | 1 + .../win_susp_volsnap_disable.yml | 1 + .../process_creation/win_susp_whoami.yml | 1 + .../win_susp_whoami_anomaly.yml | 1 + .../win_susp_winrar_execution.yml | 1 + .../win_susp_winrm_awl_bypass.yml | 1 + .../win_susp_winrm_execution.yml | 1 + .../win_susp_wmi_execution.yml | 1 + .../win_susp_wmic_eventconsumer_create.yml | 1 + .../win_susp_wmic_proc_create_rundll32.yml | 1 + ...n_susp_wmic_security_product_uninstall.yml | 1 + .../process_creation/win_susp_workfolders.yml | 1 + .../process_creation/win_susp_wsl_lolbin.yml | 1 + .../process_creation/win_susp_wuauclt.yml | 1 + .../win_sysmon_driver_unload.yml | 1 + .../win_system_exe_anomaly.yml | 1 + .../win_tap_installer_execution.yml | 1 + .../win_task_folder_evasion.yml | 1 + .../win_termserv_proc_spawn.yml | 1 + .../win_tools_relay_attacks.yml | 1 + .../process_creation/win_trust_discovery.yml | 1 + .../win_uac_bypass_changepk_slui.yml | 1 + .../win_uac_bypass_cleanmgr.yml | 1 + .../win_uac_bypass_computerdefaults.yml | 1 + .../win_uac_bypass_consent_comctl32.yml | 1 + .../win_uac_bypass_dismhost.yml | 1 + .../win_uac_bypass_ieinstal.yml | 1 + .../win_uac_bypass_msconfig_gui.yml | 1 + .../win_uac_bypass_ntfs_reparse_point.yml | 1 + .../win_uac_bypass_pkgmgr_dism.yml | 1 + .../win_uac_bypass_winsat.yml | 1 + .../process_creation/win_uac_bypass_wmp.yml | 1 + .../win_uac_bypass_wsreset.yml | 1 + .../sigma/process_creation/win_uac_cmstp.yml | 1 + .../process_creation/win_uac_fodhelper.yml | 1 + .../process_creation/win_uac_wsreset.yml | 1 + ..._change_sevice_image_path_by_non_admin.yml | 1 + .../win_using_settingsynchost_as_lolbin.yml | 1 + .../win_verclsid_runs_com.yml | 1 + .../win_visual_basic_compiler.yml | 1 + .../win_vul_java_remote_debugging.yml | 1 + .../win_webshell_detection.yml | 1 + .../win_webshell_recon_detection.yml | 1 + .../process_creation/win_webshell_spawn.yml | 1 + .../process_creation/win_whoami_as_system.yml | 1 + .../process_creation/win_whoami_priv.yml | 1 + .../win_win10_sched_task_0day.yml | 1 + .../process_creation/win_winword_dll_load.yml | 1 + ..._wmi_backdoor_exchange_transport_agent.yml | 1 + ..._wmi_persistence_script_event_consumer.yml | 1 + .../win_wmi_spwns_powershell.yml | 1 + .../win_wmiprvse_spawning_process.yml | 1 + .../win_workflow_compiler.yml | 1 + ...win_write_protect_for_storage_disabled.yml | 1 + .../win_wsreset_uac_bypass.yml | 1 + .../win_xsl_script_processing.yml | 1 + ...w_disk_access_using_illegitimate_tools.yml | 1 + ...sing_windows_telemetry_for_persistence.yml | 1 + .../registry_event_apt_chafer_mar18.yml | 1 + .../registry_event_apt_pandemic.yml | 1 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 1 + .../registry_event_defender_disabled.yml | 1 + .../registry_event_defender_exclusions.yml | 1 + ..._defender_realtime_protection_disabled.yml | 1 + ...egistry_event_dns_serverlevelplugindll.yml | 1 + .../registry_event_mal_adwind.yml | 1 + .../registry_event_mstsc_history_cleared.yml | 1 + .../registry_event_net_ntlm_downgrade.yml | 1 + ...registry_event_stickykey_like_backdoor.yml | 1 + ...istry_event_sysinternals_eula_accepted.yml | 1 + .../registry_event_uac_bypass_eventvwr.yml | 1 + .../registry_event_uac_bypass_winsat.yml | 1 + .../registry_event_uac_bypass_wmp.yml | 1 + .../registry_event/sysmon_apt_leviathan.yml | 1 + .../sysmon_apt_oceanlotus_registry.yml | 1 + .../sysmon_asep_reg_keys_modification.yml | 1 + .../sysmon_bypass_via_wsreset.yml | 1 + .../sysmon_cmstp_execution_by_registry.yml | 1 + .../sysmon_cobaltstrike_service_installs.yml | 1 + .../registry_event/sysmon_comhijack_sdclt.yml | 1 + .../registry_event/sysmon_cve_2020_1048.yml | 1 + .../registry_event/sysmon_dhcp_calloutdll.yml | 1 + ...ble_microsoft_office_security_features.yml | 1 + ...y_events_logging_adding_reg_key_minint.yml | 1 + ...ysmon_disable_wdigest_credential_guard.yml | 1 + ...twork_protection_on_microsoft_defender.yml | 1 + ...d_pua_protection_on_microsoft_defender.yml | 1 + ...amper_protection_on_microsoft_defender.yml | 1 + .../sysmon_dns_over_https_enabled.yml | 1 + ...on_enabling_cor_profiler_env_variables.yml | 1 + .../registry_event/sysmon_etw_disabled.yml | 1 + .../registry_event/sysmon_hack_wce_reg.yml | 1 + ...n_hybridconnectionmgr_svc_installation.yml | 1 + ...gon_scripts_userinitmprlogonscript_reg.yml | 1 + .../sysmon_modify_screensaver_binary_path.yml | 1 + .../sysmon_narrator_feedback_persistance.yml | 1 + .../sysmon_new_application_appcompat.yml | 1 + ..._dll_added_to_appcertdlls_registry_key.yml | 1 + ...dll_added_to_appinit_dlls_registry_key.yml | 1 + .../sysmon_office_test_regadd.yml | 1 + .../sysmon_office_vsto_persistence.yml | 1 + .../sysmon_powershell_as_service.yml | 1 + .../sysmon_rdp_registry_modification.yml | 1 + .../sysmon_rdp_settings_hijack.yml | 1 + .../sysmon_redmimicry_winnti_reg.yml | 1 + .../sysmon_reg_office_security.yml | 1 + .../sysmon_reg_silentprocessexit.yml | 1 + .../sysmon_reg_silentprocessexit_lsass.yml | 1 + .../sysmon_reg_vbs_payload_stored.yml | 1 + .../sysmon_registry_add_local_hidden_user.yml | 1 + ...ysmon_registry_persistence_key_linking.yml | 1 + ...smon_registry_persistence_search_order.yml | 1 + .../sysmon_registry_susp_printer_driver.yml | 1 + ...mon_registry_trust_record_modification.yml | 1 + .../sysmon_removal_amsi_registry_key.yml | 1 + ...mon_removal_com_hijacking_registry_key.yml | 1 + .../registry_event/sysmon_runkey_winekey.yml | 1 + .../sysmon_runonce_persistence.yml | 1 + .../sysmon_ssp_added_lsa_config.yml | 1 + .../sysmon_susp_atbroker_change.yml | 1 + .../sysmon_susp_download_run_key.yml | 1 + .../sysmon_susp_lsass_dll_load.yml | 1 + .../sysmon_susp_mic_cam_access.yml | 1 + .../sysmon_susp_reg_persist_explorer_run.yml | 1 + .../sysmon_susp_run_key_img_folder.yml | 1 + .../sysmon_susp_service_installed.yml | 1 + ...sysmon_suspicious_keyboard_layout_load.yml | 1 + ...mon_sysinternals_sdelete_registry_keys.yml | 1 + .../registry_event/sysmon_taskcache_entry.yml | 1 + .../sysmon_uac_bypass_sdclt.yml | 1 + ...sysmon_volume_shadow_copy_service_keys.yml | 1 + .../sysmon_wab_dllpath_reg_change.yml | 1 + ...smon_wdigest_enable_uselogoncredential.yml | 1 + .../sysmon_win_reg_persistence.yml | 1 + ...sysmon_win_reg_persistence_recycle_bin.yml | 1 + .../sysmon_win_reg_telemetry_persistence.yml | 1 + .../win_outlook_c2_registry_key.yml | 1 + .../win_outlook_registry_todaypage.yml | 1 + .../win_outlook_registry_webview.yml | 1 + .../win_portproxy_registry_key.yml | 1 + .../win_registry_file_association_exefile.yml | 1 + ...win_registry_mimikatz_printernightmare.yml | 1 + ..._registry_shell_open_keys_manipulation.yml | 1 + ...napi_in_powershell_credentials_dumping.yml | 1 + .../sysmon_config_modification_error.yml | 1 + .../sysmon_config_modification_status.yml | 1 + .../sysmon_dcom_iertutil_dll_hijack.yml | 1 + .../sysmon_wmi_event_subscription.yml | 1 + .../sysmon_wmi_susp_encoded_scripts.yml | 1 + .../wmi_event/sysmon_wmi_susp_scripting.yml | 1 + tools/sigmac/hayabusa.py | 190 +++++++++--------- 1087 files changed, 1186 insertions(+), 90 deletions(-) diff --git a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml index 2606218c..f95c5efa 100644 --- a/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml +++ b/rules/sigma/builtin/win_aadhealth_mon_agent_regkey_access.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml index fc58977e..21db7456 100644 --- a/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml +++ b/rules/sigma/builtin/win_aadhealth_svc_agent_regkey_access.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml index 14368dbb..68bea3d8 100644 --- a/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml +++ b/rules/sigma/builtin/win_account_backdoor_dcsync_rights.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_account_discovery.yml b/rules/sigma/builtin/win_account_discovery.yml index ef8b4bb5..05caa275 100644 --- a/rules/sigma/builtin/win_account_discovery.yml +++ b/rules/sigma/builtin/win_account_discovery.yml @@ -41,3 +41,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_object_writedac_access.yml b/rules/sigma/builtin/win_ad_object_writedac_access.yml index d186b4be..15733227 100644 --- a/rules/sigma/builtin/win_ad_object_writedac_access.yml +++ b/rules/sigma/builtin/win_ad_object_writedac_access.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1222 - attack.t1222.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml index 9ba3f9f4..5bd9e091 100644 --- a/rules/sigma/builtin/win_ad_replication_non_machine_account.yml +++ b/rules/sigma/builtin/win_ad_replication_non_machine_account.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ad_user_enumeration.yml b/rules/sigma/builtin/win_ad_user_enumeration.yml index e294af0b..d0b4ef44 100644 --- a/rules/sigma/builtin/win_ad_user_enumeration.yml +++ b/rules/sigma/builtin/win_ad_user_enumeration.yml @@ -32,3 +32,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml index 642fb109..8dca1652 100644 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml +++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.privilege_escalation - attack.credential_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml index b6aa5de9..13145824 100644 --- a/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml +++ b/rules/sigma/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.privilege_escalation - attack.credential_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_rdp_login.yml b/rules/sigma/builtin/win_admin_rdp_login.yml index 8f957093..9bfb6c01 100644 --- a/rules/sigma/builtin/win_admin_rdp_login.yml +++ b/rules/sigma/builtin/win_admin_rdp_login.yml @@ -34,3 +34,4 @@ tags: - attack.t1078.002 - attack.t1078.003 - car.2016-04-005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_admin_share_access.yml b/rules/sigma/builtin/win_admin_share_access.yml index cc1bcf4e..b884e1fe 100644 --- a/rules/sigma/builtin/win_admin_share_access.yml +++ b/rules/sigma/builtin/win_admin_share_access.yml @@ -26,3 +26,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_active_directory_user_control.yml b/rules/sigma/builtin/win_alert_active_directory_user_control.yml index aa8c091a..882c68ea 100644 --- a/rules/sigma/builtin/win_alert_active_directory_user_control.yml +++ b/rules/sigma/builtin/win_alert_active_directory_user_control.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml index 21836995..6d556326 100644 --- a/rules/sigma/builtin/win_alert_ad_user_backdoors.yml +++ b/rules/sigma/builtin/win_alert_ad_user_backdoors.yml @@ -50,3 +50,4 @@ status: experimental tags: - attack.t1098 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml index ce96e227..ab6468e1 100644 --- a/rules/sigma/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/sigma/builtin/win_alert_enable_weak_encryption.yml @@ -88,3 +88,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_lsass_access.yml b/rules/sigma/builtin/win_alert_lsass_access.yml index ea7e6e0b..d93aece5 100644 --- a/rules/sigma/builtin/win_alert_lsass_access.yml +++ b/rules/sigma/builtin/win_alert_lsass_access.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml index b9665fb9..f462131e 100644 --- a/rules/sigma/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/sigma/builtin/win_alert_mimikatz_keywords.yml @@ -43,3 +43,4 @@ tags: - attack.t1003.004 - attack.t1003.001 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_alert_ruler.yml b/rules/sigma/builtin/win_alert_ruler.yml index 63e22a64..4aaf7869 100644 --- a/rules/sigma/builtin/win_alert_ruler.yml +++ b/rules/sigma/builtin/win_alert_ruler.yml @@ -38,3 +38,4 @@ tags: - attack.t1114 - attack.t1059 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml index 27e0f507..438305cd 100644 --- a/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml +++ b/rules/sigma/builtin/win_applocker_file_was_not_allowed_to_run.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.006 - attack.t1059.007 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml index 7de917a7..4b762d27 100644 --- a/rules/sigma/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/sigma/builtin/win_apt_carbonpaper_turla.yml @@ -28,3 +28,4 @@ tags: - attack.g0010 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml index 81795ac2..ec02fb45 100644 --- a/rules/sigma/builtin/win_apt_chafer_mar18_security.yml +++ b/rules/sigma/builtin/win_apt_chafer_mar18_security.yml @@ -39,3 +39,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml index 7712ff0e..f7d9a946 100644 --- a/rules/sigma/builtin/win_apt_chafer_mar18_system.yml +++ b/rules/sigma/builtin/win_apt_chafer_mar18_system.yml @@ -36,3 +36,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_gallium.yml b/rules/sigma/builtin/win_apt_gallium.yml index 3ea520f6..a85c5c9b 100644 --- a/rules/sigma/builtin/win_apt_gallium.yml +++ b/rules/sigma/builtin/win_apt_gallium.yml @@ -36,3 +36,4 @@ tags: - attack.credential_access - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_slingshot.yml b/rules/sigma/builtin/win_apt_slingshot.yml index eaf56c37..3824cb83 100644 --- a/rules/sigma/builtin/win_apt_slingshot.yml +++ b/rules/sigma/builtin/win_apt_slingshot.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1053 - attack.s0111 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_stonedrill.yml b/rules/sigma/builtin/win_apt_stonedrill.yml index 75be6807..9a58cd58 100644 --- a/rules/sigma/builtin/win_apt_stonedrill.yml +++ b/rules/sigma/builtin/win_apt_stonedrill.yml @@ -27,3 +27,4 @@ tags: - attack.g0064 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_turla_service_png.yml b/rules/sigma/builtin/win_apt_turla_service_png.yml index c53a6c1d..6d3424e9 100644 --- a/rules/sigma/builtin/win_apt_turla_service_png.yml +++ b/rules/sigma/builtin/win_apt_turla_service_png.yml @@ -25,3 +25,4 @@ tags: - attack.g0010 - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_apt_wocao.yml b/rules/sigma/builtin/win_apt_wocao.yml index 8bcc4956..75c0a3b6 100644 --- a/rules/sigma/builtin/win_apt_wocao.yml +++ b/rules/sigma/builtin/win_apt_wocao.yml @@ -35,3 +35,4 @@ tags: - attack.t1053 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml index fee0c894..870ee845 100644 --- a/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml +++ b/rules/sigma/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -32,3 +32,4 @@ tags: - attack.t1566.001 - attack.execution - attack.initial_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml index cd230cdf..966f66be 100644 --- a/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml +++ b/rules/sigma/builtin/win_asr_bypass_via_appvlp_re.yml @@ -27,3 +27,4 @@ tags: - attack.t1218 - attack.defense_evasion - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_atsvc_task.yml b/rules/sigma/builtin/win_atsvc_task.yml index 3ff53480..e15f4db2 100644 --- a/rules/sigma/builtin/win_atsvc_task.yml +++ b/rules/sigma/builtin/win_atsvc_task.yml @@ -33,3 +33,4 @@ tags: - car.2013-05-004 - car.2015-04-001 - attack.t1053.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_audit_cve.yml b/rules/sigma/builtin/win_audit_cve.yml index 226ea2fc..e5a726e8 100644 --- a/rules/sigma/builtin/win_audit_cve.yml +++ b/rules/sigma/builtin/win_audit_cve.yml @@ -36,3 +36,4 @@ tags: - attack.t1210 - attack.impact - attack.t1499.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_av_relevant_match.yml b/rules/sigma/builtin/win_av_relevant_match.yml index 678694fd..6b50e7f4 100644 --- a/rules/sigma/builtin/win_av_relevant_match.yml +++ b/rules/sigma/builtin/win_av_relevant_match.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.resource_development - attack.t1588 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_camera_microphone_access.yml b/rules/sigma/builtin/win_camera_microphone_access.yml index 37ef15db..14f0bf85 100644 --- a/rules/sigma/builtin/win_camera_microphone_access.yml +++ b/rules/sigma/builtin/win_camera_microphone_access.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml index 16794d2a..13d65f62 100644 --- a/rules/sigma/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/sigma/builtin/win_cobaltstrike_service_installs.yml @@ -46,3 +46,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml index a09fdfcf..e1b45c52 100644 --- a/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/sigma/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml index bd963770..ad7b67a4 100644 --- a/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml +++ b/rules/sigma/builtin/win_dcom_iertutil_dll_hijack.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1021.002 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dcsync.yml b/rules/sigma/builtin/win_dcsync.yml index 1415f4f1..0486e61f 100644 --- a/rules/sigma/builtin/win_dcsync.yml +++ b/rules/sigma/builtin/win_dcsync.yml @@ -38,3 +38,4 @@ tags: - attack.s0002 - attack.t1003 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_disable_event_logging.yml b/rules/sigma/builtin/win_disable_event_logging.yml index f7f4dc13..e641c5dc 100644 --- a/rules/sigma/builtin/win_disable_event_logging.yml +++ b/rules/sigma/builtin/win_disable_event_logging.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1054 - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml index 0c80adc9..5665cfed 100644 --- a/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/sigma/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index 8ebc6b42..2d83f8a0 100644 --- a/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/sigma/builtin/win_dpapi_domain_masterkey_backup_attempt.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_etw_modification.yml b/rules/sigma/builtin/win_etw_modification.yml index 1ecdce1d..e9c22434 100644 --- a/rules/sigma/builtin/win_etw_modification.yml +++ b/rules/sigma/builtin/win_etw_modification.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_event_log_cleared.yml b/rules/sigma/builtin/win_event_log_cleared.yml index b76a87ed..13eedec4 100644 --- a/rules/sigma/builtin/win_event_log_cleared.yml +++ b/rules/sigma/builtin/win_event_log_cleared.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1107 - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exchange_transportagent.yml b/rules/sigma/builtin/win_exchange_transportagent.yml index be3d4154..45b86cf0 100644 --- a/rules/sigma/builtin/win_exchange_transportagent.yml +++ b/rules/sigma/builtin/win_exchange_transportagent.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml index 7c0b99db..50c5cb01 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -43,3 +43,4 @@ tags: - attack.execution - attack.t1569 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml index 74a37459..208ccbbf 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1569 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml index 0517bf55..e27b3a11 100644 --- a/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml +++ b/rules/sigma/builtin/win_exploit_cve_2021_1675_printspooler_security.yml @@ -32,3 +32,4 @@ tags: - attack.t1569 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_external_device.yml b/rules/sigma/builtin/win_external_device.yml index 6eefe6ba..e381b4bc 100644 --- a/rules/sigma/builtin/win_external_device.yml +++ b/rules/sigma/builtin/win_external_device.yml @@ -26,3 +26,4 @@ tags: - attack.t1200 - attack.lateral_movement - attack.initial_access +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_global_catalog_enumeration.yml b/rules/sigma/builtin/win_global_catalog_enumeration.yml index 8d6cd9ac..4d7e1d49 100644 --- a/rules/sigma/builtin/win_global_catalog_enumeration.yml +++ b/rules/sigma/builtin/win_global_catalog_enumeration.yml @@ -31,3 +31,4 @@ tags: - attack.discovery - attack.t1087 - attack.t1087.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_gpo_scheduledtasks.yml b/rules/sigma/builtin/win_gpo_scheduledtasks.yml index 1a920e18..b264d962 100644 --- a/rules/sigma/builtin/win_gpo_scheduledtasks.yml +++ b/rules/sigma/builtin/win_gpo_scheduledtasks.yml @@ -35,3 +35,4 @@ tags: - attack.lateral_movement - attack.t1053 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hack_smbexec.yml b/rules/sigma/builtin/win_hack_smbexec.yml index a2c20d78..99faa199 100644 --- a/rules/sigma/builtin/win_hack_smbexec.yml +++ b/rules/sigma/builtin/win_hack_smbexec.yml @@ -33,3 +33,4 @@ tags: - attack.t1021.002 - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hidden_user_creation.yml b/rules/sigma/builtin/win_hidden_user_creation.yml index fb45ac19..526c96dd 100644 --- a/rules/sigma/builtin/win_hidden_user_creation.yml +++ b/rules/sigma/builtin/win_hidden_user_creation.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml index 114e9c62..747f4c44 100644 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml +++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_installation.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml index 7ae7232e..e1baa865 100644 --- a/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml +++ b/rules/sigma/builtin/win_hybridconnectionmgr_svc_running.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_psexec.yml b/rules/sigma/builtin/win_impacket_psexec.yml index 69ef7dd7..2ae66da8 100644 --- a/rules/sigma/builtin/win_impacket_psexec.yml +++ b/rules/sigma/builtin/win_impacket_psexec.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_impacket_secretdump.yml b/rules/sigma/builtin/win_impacket_secretdump.yml index ceeed743..702db365 100644 --- a/rules/sigma/builtin/win_impacket_secretdump.yml +++ b/rules/sigma/builtin/win_impacket_secretdump.yml @@ -32,3 +32,4 @@ tags: - attack.t1003.002 - attack.t1003.004 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml index 8d0a93a9..3708781f 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml index 482b842d..8dede200 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_clip_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index 42d9636b..fa8d939f 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 150d48ff..f833b779 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml index c60be129..7fbb3b31 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml index c8cf3603..a92fbad5 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_stdin_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml index d95a8dbe..b4e189fb 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml index f07168f1..9882cbdf 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_var_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml index a581eb99..d5ca47b4 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml index 7c92c4db..d667dba5 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_compress_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml index 87b33028..01ab25fd 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml index 381f2ff6..0ba84a39 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_rundll_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml index 2525c04a..89378b77 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml index 2ac6c448..bd8b9f94 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_stdin_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml index aff3bd8b..3ec75741 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml index 6147cc92..aecd5454 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 741f0654..ed66aa8e 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml index 80ae5c5e..7ccc780b 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 639bbc88..b51c72f8 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml index 7d5b1b16..750beec7 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml index 42ae63e1..80b11728 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services.yml @@ -25,3 +25,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml index 8aa3705b..a639a197 100644 --- a/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml +++ b/rules/sigma/builtin/win_invoke_obfuscation_via_var_services_security.yml @@ -28,3 +28,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_iso_mount.yml b/rules/sigma/builtin/win_iso_mount.yml index 1b61e18c..26102f86 100644 --- a/rules/sigma/builtin/win_iso_mount.yml +++ b/rules/sigma/builtin/win_iso_mount.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.initial_access - attack.t1566.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lm_namedpipe.yml b/rules/sigma/builtin/win_lm_namedpipe.yml index 5391ab75..5075f9fc 100644 --- a/rules/sigma/builtin/win_lm_namedpipe.yml +++ b/rules/sigma/builtin/win_lm_namedpipe.yml @@ -51,3 +51,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml index c2434bb1..a87f181a 100644 --- a/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml +++ b/rules/sigma/builtin/win_lolbas_execution_of_nltest.yml @@ -32,3 +32,4 @@ tags: - attack.t1482 - attack.t1018 - attack.t1016 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_lsass_access_non_system_account.yml b/rules/sigma/builtin/win_lsass_access_non_system_account.yml index bff50322..87e87b3d 100644 --- a/rules/sigma/builtin/win_lsass_access_non_system_account.yml +++ b/rules/sigma/builtin/win_lsass_access_non_system_account.yml @@ -67,3 +67,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_creddumper.yml b/rules/sigma/builtin/win_mal_creddumper.yml index 0daf1500..e9f4807a 100644 --- a/rules/sigma/builtin/win_mal_creddumper.yml +++ b/rules/sigma/builtin/win_mal_creddumper.yml @@ -40,3 +40,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mal_wceaux_dll.yml b/rules/sigma/builtin/win_mal_wceaux_dll.yml index 9350fc66..45c1eb04 100644 --- a/rules/sigma/builtin/win_mal_wceaux_dll.yml +++ b/rules/sigma/builtin/win_mal_wceaux_dll.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1003 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_metasploit_authentication.yml b/rules/sigma/builtin/win_metasploit_authentication.yml index 9f778c97..a1d7f3a3 100644 --- a/rules/sigma/builtin/win_metasploit_authentication.yml +++ b/rules/sigma/builtin/win_metasploit_authentication.yml @@ -37,3 +37,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index fa8bd1b4..eec1f046 100644 --- a/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/sigma/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -63,3 +63,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_mmc20_lateral_movement.yml b/rules/sigma/builtin/win_mmc20_lateral_movement.yml index c9e5c481..59d719b3 100644 --- a/rules/sigma/builtin/win_mmc20_lateral_movement.yml +++ b/rules/sigma/builtin/win_mmc20_lateral_movement.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1175 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_moriya_rootkit.yml b/rules/sigma/builtin/win_moriya_rootkit.yml index de950763..d7ceedf2 100644 --- a/rules/sigma/builtin/win_moriya_rootkit.yml +++ b/rules/sigma/builtin/win_moriya_rootkit.yml @@ -25,3 +25,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_ntlm_downgrade.yml b/rules/sigma/builtin/win_net_ntlm_downgrade.yml index 40f423fd..31b36e4b 100644 --- a/rules/sigma/builtin/win_net_ntlm_downgrade.yml +++ b/rules/sigma/builtin/win_net_ntlm_downgrade.yml @@ -38,3 +38,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_net_use_admin_share.yml b/rules/sigma/builtin/win_net_use_admin_share.yml index 27179c34..29ad7473 100644 --- a/rules/sigma/builtin/win_net_use_admin_share.yml +++ b/rules/sigma/builtin/win_net_use_admin_share.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index e4ddbbc5..594e73f1 100644 --- a/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/sigma/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_not_allowed_rdp_access.yml b/rules/sigma/builtin/win_not_allowed_rdp_access.yml index f9eb2008..1d79dbb4 100644 --- a/rules/sigma/builtin/win_not_allowed_rdp_access.yml +++ b/rules/sigma/builtin/win_not_allowed_rdp_access.yml @@ -28,3 +28,4 @@ tags: - attack.lateral_movement - attack.t1076 - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml index 41f87cd5..519b471e 100644 --- a/rules/sigma/builtin/win_ntfs_vuln_exploit.yml +++ b/rules/sigma/builtin/win_ntfs_vuln_exploit.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.impact - attack.t1499.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_overpass_the_hash.yml b/rules/sigma/builtin/win_overpass_the_hash.yml index 46bb891e..6681cb74 100644 --- a/rules/sigma/builtin/win_overpass_the_hash.yml +++ b/rules/sigma/builtin/win_overpass_the_hash.yml @@ -29,3 +29,4 @@ tags: - attack.t1075 - attack.s0002 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash.yml b/rules/sigma/builtin/win_pass_the_hash.yml index 5585185a..c9549334 100644 --- a/rules/sigma/builtin/win_pass_the_hash.yml +++ b/rules/sigma/builtin/win_pass_the_hash.yml @@ -40,3 +40,4 @@ tags: - attack.t1075 - car.2016-04-004 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_pass_the_hash_2.yml b/rules/sigma/builtin/win_pass_the_hash_2.yml index 42f919b9..2cce718f 100644 --- a/rules/sigma/builtin/win_pass_the_hash_2.yml +++ b/rules/sigma/builtin/win_pass_the_hash_2.yml @@ -42,3 +42,4 @@ tags: - attack.lateral_movement - attack.t1075 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_network_share.yml b/rules/sigma/builtin/win_petitpotam_network_share.yml index 455e9744..7c6c8a7e 100644 --- a/rules/sigma/builtin/win_petitpotam_network_share.yml +++ b/rules/sigma/builtin/win_petitpotam_network_share.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.credential_access - attack.t1187 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml index 579882d1..0bf1ffbc 100644 --- a/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.credential_access - attack.t1187 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_possible_dc_shadow.yml b/rules/sigma/builtin/win_possible_dc_shadow.yml index db7a1ae2..698d33a8 100644 --- a/rules/sigma/builtin/win_possible_dc_shadow.yml +++ b/rules/sigma/builtin/win_possible_dc_shadow.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1207 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml index bb086901..0f2671e9 100644 --- a/rules/sigma/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/sigma/builtin/win_powershell_script_installed_as_service.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml index d3a1e278..1cacfe12 100644 --- a/rules/sigma/builtin/win_privesc_cve_2020_1472.yml +++ b/rules/sigma/builtin/win_privesc_cve_2020_1472.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1068 - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_protected_storage_service_access.yml b/rules/sigma/builtin/win_protected_storage_service_access.yml index 9caec014..1fbee11a 100644 --- a/rules/sigma/builtin/win_protected_storage_service_access.yml +++ b/rules/sigma/builtin/win_protected_storage_service_access.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1021 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml index 56adafad..9c1364aa 100644 --- a/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml +++ b/rules/sigma/builtin/win_quarkspwdump_clearing_hive_access_history.yml @@ -24,3 +24,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_schtasks_creations.yml b/rules/sigma/builtin/win_rare_schtasks_creations.yml index 97b16991..2453fd24 100644 --- a/rules/sigma/builtin/win_rare_schtasks_creations.yml +++ b/rules/sigma/builtin/win_rare_schtasks_creations.yml @@ -29,3 +29,4 @@ tags: - attack.t1053 - car.2013-08-001 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rare_service_installs.yml b/rules/sigma/builtin/win_rare_service_installs.yml index e1906682..956abf96 100644 --- a/rules/sigma/builtin/win_rare_service_installs.yml +++ b/rules/sigma/builtin/win_rare_service_installs.yml @@ -24,3 +24,4 @@ tags: - attack.t1050 - car.2013-09-005 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml index 5b944042..8c6ee0a1 100644 --- a/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml +++ b/rules/sigma/builtin/win_rdp_bluekeep_poc_scanner.yml @@ -26,3 +26,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_localhost_login.yml b/rules/sigma/builtin/win_rdp_localhost_login.yml index a5b60e50..e0b37345 100644 --- a/rules/sigma/builtin/win_rdp_localhost_login.yml +++ b/rules/sigma/builtin/win_rdp_localhost_login.yml @@ -29,3 +29,4 @@ tags: - attack.t1076 - car.2013-07-002 - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml index 6e2c3e2c..c502101c 100644 --- a/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml +++ b/rules/sigma/builtin/win_rdp_potential_cve_2019_0708.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml index 1b63af63..64eb9646 100644 --- a/rules/sigma/builtin/win_rdp_reverse_tunnel.yml +++ b/rules/sigma/builtin/win_rdp_reverse_tunnel.yml @@ -42,3 +42,4 @@ tags: - attack.t1090.002 - attack.t1021.001 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml index f13755a6..33858382 100644 --- a/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/sigma/builtin/win_register_new_logon_process_by_rubeus.yml @@ -25,3 +25,4 @@ tags: - attack.privilege_escalation - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_powershell_session.yml b/rules/sigma/builtin/win_remote_powershell_session.yml index 05c1f437..0abee6a5 100644 --- a/rules/sigma/builtin/win_remote_powershell_session.yml +++ b/rules/sigma/builtin/win_remote_powershell_session.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml index 6035d21a..64260e10 100644 --- a/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml +++ b/rules/sigma/builtin/win_remote_registry_management_using_reg_utility.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1552.002 - attack.s0075 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_root_certificate_installed.yml b/rules/sigma/builtin/win_root_certificate_installed.yml index f40b81f4..c6afd974 100644 --- a/rules/sigma/builtin/win_root_certificate_installed.yml +++ b/rules/sigma/builtin/win_root_certificate_installed.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1553.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml index 98d776d2..01917a8b 100644 --- a/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml +++ b/rules/sigma/builtin/win_sam_registry_hive_handle_request.yml @@ -33,3 +33,4 @@ tags: - attack.t1012 - attack.credential_access - attack.t1552.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scheduled_task_deletion.yml b/rules/sigma/builtin/win_scheduled_task_deletion.yml index dc7c8d05..20e4b058 100644 --- a/rules/sigma/builtin/win_scheduled_task_deletion.yml +++ b/rules/sigma/builtin/win_scheduled_task_deletion.yml @@ -29,3 +29,4 @@ tags: - attack.t1053 - car.2013-08-001 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_handle_failure.yml b/rules/sigma/builtin/win_scm_database_handle_failure.yml index c890dded..110c061d 100644 --- a/rules/sigma/builtin/win_scm_database_handle_failure.yml +++ b/rules/sigma/builtin/win_scm_database_handle_failure.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.discovery - attack.t1010 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scm_database_privileged_operation.yml b/rules/sigma/builtin/win_scm_database_privileged_operation.yml index 7224c518..568020cb 100644 --- a/rules/sigma/builtin/win_scm_database_privileged_operation.yml +++ b/rules/sigma/builtin/win_scm_database_privileged_operation.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml index 9bbff293..8c3cde51 100644 --- a/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml +++ b/rules/sigma/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml index af1ea237..4fd129a9 100644 --- a/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml +++ b/rules/sigma/builtin/win_security_cobaltstrike_service_installs.yml @@ -49,3 +49,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_creddumper.yml b/rules/sigma/builtin/win_security_mal_creddumper.yml index a18266fa..25aa5e17 100644 --- a/rules/sigma/builtin/win_security_mal_creddumper.yml +++ b/rules/sigma/builtin/win_security_mal_creddumper.yml @@ -43,3 +43,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_mal_service_installs.yml b/rules/sigma/builtin/win_security_mal_service_installs.yml index a8483148..c5ce8b1c 100644 --- a/rules/sigma/builtin/win_security_mal_service_installs.yml +++ b/rules/sigma/builtin/win_security_mal_service_installs.yml @@ -35,3 +35,4 @@ tags: - car.2013-09-005 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index cb99ab46..38e48d2a 100644 --- a/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/sigma/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -46,3 +46,4 @@ tags: - attack.t1570 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index dd86fbb6..12376834 100644 --- a/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/sigma/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -66,3 +66,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml index 435c6e13..5ba61d36 100644 --- a/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml +++ b/rules/sigma/builtin/win_security_powershell_script_installed_as_service.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_security_tap_driver_installation.yml b/rules/sigma/builtin/win_security_tap_driver_installation.yml index 9aea52b1..c70dae79 100644 --- a/rules/sigma/builtin/win_security_tap_driver_installation.yml +++ b/rules/sigma/builtin/win_security_tap_driver_installation.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml index b417272d..9e2a8e04 100644 --- a/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml +++ b/rules/sigma/builtin/win_set_oabvirtualdirectory_externalurl.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml index 6c275f44..9c708842 100644 --- a/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml +++ b/rules/sigma/builtin/win_smb_file_creation_admin_shares.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml index f8f004b7..9387fcbf 100644 --- a/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml +++ b/rules/sigma/builtin/win_software_atera_rmm_agent_install.yml @@ -25,3 +25,4 @@ references: status: experimental tags: - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_domain_trust.yml b/rules/sigma/builtin/win_susp_add_domain_trust.yml index 7e2fc5b4..9df063a5 100644 --- a/rules/sigma/builtin/win_susp_add_domain_trust.yml +++ b/rules/sigma/builtin/win_susp_add_domain_trust.yml @@ -18,3 +18,4 @@ status: stable tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_add_sid_history.yml b/rules/sigma/builtin/win_susp_add_sid_history.yml index 38e6f1df..4350892f 100644 --- a/rules/sigma/builtin/win_susp_add_sid_history.yml +++ b/rules/sigma/builtin/win_susp_add_sid_history.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.t1178 - attack.t1134.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_backup_delete.yml b/rules/sigma/builtin/win_susp_backup_delete.yml index a3f5d27f..2faf96f1 100644 --- a/rules/sigma/builtin/win_susp_backup_delete.yml +++ b/rules/sigma/builtin/win_susp_backup_delete.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.t1107 - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml index 70384e41..ba6e3a58 100644 --- a/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml +++ b/rules/sigma/builtin/win_susp_codeintegrity_check_failure.yml @@ -22,3 +22,4 @@ tags: - attack.defense_evasion - attack.t1009 - attack.t1027.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config.yml b/rules/sigma/builtin/win_susp_dhcp_config.yml index d9135256..b2720813 100644 --- a/rules/sigma/builtin/win_susp_dhcp_config.yml +++ b/rules/sigma/builtin/win_susp_dhcp_config.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml index af2086ef..70697751 100644 --- a/rules/sigma/builtin/win_susp_dhcp_config_failed.yml +++ b/rules/sigma/builtin/win_susp_dhcp_config_failed.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dns_config.yml b/rules/sigma/builtin/win_susp_dns_config.yml index 6aaa09e1..91810c41 100644 --- a/rules/sigma/builtin/win_susp_dns_config.yml +++ b/rules/sigma/builtin/win_susp_dns_config.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_dsrm_password_change.yml b/rules/sigma/builtin/win_susp_dsrm_password_change.yml index 01ce1c2c..95ff1bb3 100644 --- a/rules/sigma/builtin/win_susp_dsrm_password_change.yml +++ b/rules/sigma/builtin/win_susp_dsrm_password_change.yml @@ -22,3 +22,4 @@ status: stable tags: - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_susp_eventlog_cleared.yml index 00fcfea1..8309611a 100644 --- a/rules/sigma/builtin/win_susp_eventlog_cleared.yml +++ b/rules/sigma/builtin/win_susp_eventlog_cleared.yml @@ -34,3 +34,4 @@ tags: - attack.t1070 - attack.t1070.001 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_guest_logon.yml b/rules/sigma/builtin/win_susp_failed_guest_logon.yml index 349fe587..e44823b4 100644 --- a/rules/sigma/builtin/win_susp_failed_guest_logon.yml +++ b/rules/sigma/builtin/win_susp_failed_guest_logon.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.credential_access - attack.t1110.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml index 744ce243..2b41b9fd 100644 --- a/rules/sigma/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/sigma/builtin/win_susp_failed_logon_reasons.yml @@ -38,3 +38,4 @@ tags: - attack.privilege_escalation - attack.initial_access - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logon_source.yml b/rules/sigma/builtin/win_susp_failed_logon_source.yml index 0b238313..51d806bd 100644 --- a/rules/sigma/builtin/win_susp_failed_logon_source.yml +++ b/rules/sigma/builtin/win_susp_failed_logon_source.yml @@ -54,3 +54,4 @@ tags: - attack.t1078 - attack.t1190 - attack.t1133 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml index 3e60d865..b5198853 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_explicit_credentials.yml @@ -26,3 +26,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml index 76bdeea8..9c43959b 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_process.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_process.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml index 86a08baa..8e6d1d1b 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml index b022c620..2f5be1ee 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source2.yml @@ -32,3 +32,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml index 6ff18ae6..85f238bc 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml index 303512c6..3efef0e8 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos2.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml index 9915f931..ad15a8cb 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_kerberos3.yml @@ -32,3 +32,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml index 40acd762..f7efc427 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml index a5be7cdd..c51d606e 100644 --- a/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml +++ b/rules/sigma/builtin/win_susp_failed_logons_single_source_ntlm2.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml index 490cc94e..8002f8f7 100644 --- a/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml +++ b/rules/sigma/builtin/win_susp_failed_remote_logons_single_source.yml @@ -31,3 +31,4 @@ tags: - attack.t1110.003 - attack.initial_access - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_interactive_logons.yml b/rules/sigma/builtin/win_susp_interactive_logons.yml index 0d308e00..c0f6713d 100644 --- a/rules/sigma/builtin/win_susp_interactive_logons.yml +++ b/rules/sigma/builtin/win_susp_interactive_logons.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1078 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml index 257da46c..84a40a82 100644 --- a/rules/sigma/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/sigma/builtin/win_susp_kerberos_manipulation.yml @@ -57,3 +57,4 @@ status: experimental tags: - attack.credential_access - attack.t1212 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml index 666a893b..ff34fef6 100644 --- a/rules/sigma/builtin/win_susp_ldap_dataexchange.yml +++ b/rules/sigma/builtin/win_susp_ldap_dataexchange.yml @@ -33,3 +33,4 @@ tags: - attack.t1071 - attack.t1001.003 - attack.command_and_control +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml index be0b662d..9d4d3d4f 100644 --- a/rules/sigma/builtin/win_susp_local_anon_logon_created.yml +++ b/rules/sigma/builtin/win_susp_local_anon_logon_created.yml @@ -29,3 +29,4 @@ tags: - attack.t1136 - attack.t1136.001 - attack.t1136.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml index 9d657508..3cdfaa0f 100644 --- a/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/sigma/builtin/win_susp_logon_explicit_credentials.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.t1078 - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump.yml b/rules/sigma/builtin/win_susp_lsass_dump.yml index d30ba662..72a5f42b 100644 --- a/rules/sigma/builtin/win_susp_lsass_dump.yml +++ b/rules/sigma/builtin/win_susp_lsass_dump.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml index f87c18c4..ff536f86 100644 --- a/rules/sigma/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/sigma/builtin/win_susp_lsass_dump_generic.yml @@ -82,3 +82,4 @@ tags: - attack.t1003 - car.2019-04-004 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_mshta_execution.yml b/rules/sigma/builtin/win_susp_mshta_execution.yml index 6dbd6bb3..d18df3fa 100644 --- a/rules/sigma/builtin/win_susp_mshta_execution.yml +++ b/rules/sigma/builtin/win_susp_mshta_execution.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_msmpeng_crash.yml b/rules/sigma/builtin/win_susp_msmpeng_crash.yml index 91009cde..83a03004 100644 --- a/rules/sigma/builtin/win_susp_msmpeng_crash.yml +++ b/rules/sigma/builtin/win_susp_msmpeng_crash.yml @@ -36,3 +36,4 @@ tags: - attack.t1089 - attack.t1211 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml index e732c2f8..2c7e5f3b 100644 --- a/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/sigma/builtin/win_susp_multiple_files_renamed_or_deleted.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_net_recon_activity.yml b/rules/sigma/builtin/win_susp_net_recon_activity.yml index 7a2687a5..a6a1ff0d 100644 --- a/rules/sigma/builtin/win_susp_net_recon_activity.yml +++ b/rules/sigma/builtin/win_susp_net_recon_activity.yml @@ -43,3 +43,4 @@ tags: - attack.t1069 - attack.t1069.002 - attack.s0039 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_auth.yml b/rules/sigma/builtin/win_susp_ntlm_auth.yml index 9f5eff83..a86566f9 100644 --- a/rules/sigma/builtin/win_susp_ntlm_auth.yml +++ b/rules/sigma/builtin/win_susp_ntlm_auth.yml @@ -27,3 +27,4 @@ tags: - attack.lateral_movement - attack.t1075 - attack.t1550.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_ntlm_rdp.yml b/rules/sigma/builtin/win_susp_ntlm_rdp.yml index 8cc21ffe..0d7a6604 100644 --- a/rules/sigma/builtin/win_susp_ntlm_rdp.yml +++ b/rules/sigma/builtin/win_susp_ntlm_rdp.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_proceshacker.yml b/rules/sigma/builtin/win_susp_proceshacker.yml index fb6be0ce..1fe43beb 100644 --- a/rules/sigma/builtin/win_susp_proceshacker.yml +++ b/rules/sigma/builtin/win_susp_proceshacker.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_psexec.yml b/rules/sigma/builtin/win_susp_psexec.yml index 874f6f18..2d651b26 100644 --- a/rules/sigma/builtin/win_susp_psexec.yml +++ b/rules/sigma/builtin/win_susp_psexec.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml index 60daafde..b70fac83 100644 --- a/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml +++ b/rules/sigma/builtin/win_susp_raccess_sensitive_fext.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.collection - attack.t1039 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rc4_kerberos.yml b/rules/sigma/builtin/win_susp_rc4_kerberos.yml index c556f550..1da55067 100644 --- a/rules/sigma/builtin/win_susp_rc4_kerberos.yml +++ b/rules/sigma/builtin/win_susp_rc4_kerberos.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_rottenpotato.yml b/rules/sigma/builtin/win_susp_rottenpotato.yml index 22ba93aa..aee0c95d 100644 --- a/rules/sigma/builtin/win_susp_rottenpotato.yml +++ b/rules/sigma/builtin/win_susp_rottenpotato.yml @@ -32,3 +32,4 @@ tags: - attack.credential_access - attack.t1171 - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sam_dump.yml b/rules/sigma/builtin/win_susp_sam_dump.yml index 196f3b60..c2a0a130 100644 --- a/rules/sigma/builtin/win_susp_sam_dump.yml +++ b/rules/sigma/builtin/win_susp_sam_dump.yml @@ -25,3 +25,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_sdelete.yml b/rules/sigma/builtin/win_susp_sdelete.yml index 1495d239..eca49526 100644 --- a/rules/sigma/builtin/win_susp_sdelete.yml +++ b/rules/sigma/builtin/win_susp_sdelete.yml @@ -38,3 +38,4 @@ tags: - attack.t1485 - attack.t1553.002 - attack.s0195 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_time_modification.yml b/rules/sigma/builtin/win_susp_time_modification.yml index 3fdcf5fd..abeb35b5 100644 --- a/rules/sigma/builtin/win_susp_time_modification.yml +++ b/rules/sigma/builtin/win_susp_time_modification.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1099 - attack.t1070.006 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_susp_wmi_login.yml b/rules/sigma/builtin/win_susp_wmi_login.yml index f71228a1..af31284e 100644 --- a/rules/sigma/builtin/win_susp_wmi_login.yml +++ b/rules/sigma/builtin/win_susp_wmi_login.yml @@ -21,3 +21,4 @@ status: stable tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml index 04dcba2f..e9d683d5 100644 --- a/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/sigma/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_svcctl_remote_service.yml b/rules/sigma/builtin/win_svcctl_remote_service.yml index a02dadc2..de4e3024 100644 --- a/rules/sigma/builtin/win_svcctl_remote_service.yml +++ b/rules/sigma/builtin/win_svcctl_remote_service.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1077 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_syskey_registry_access.yml b/rules/sigma/builtin/win_syskey_registry_access.yml index a03abe07..09270214 100644 --- a/rules/sigma/builtin/win_syskey_registry_access.yml +++ b/rules/sigma/builtin/win_syskey_registry_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.discovery - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml index 2e5ec716..d0c57140 100644 --- a/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml +++ b/rules/sigma/builtin/win_sysmon_channel_reference_deletion.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml index 1556a183..56c69cef 100644 --- a/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml +++ b/rules/sigma/builtin/win_system_susp_eventlog_cleared.yml @@ -34,3 +34,4 @@ tags: - attack.t1070 - attack.t1070.001 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_tap_driver_installation.yml b/rules/sigma/builtin/win_tap_driver_installation.yml index 913ab312..0daf9eaa 100644 --- a/rules/sigma/builtin/win_tap_driver_installation.yml +++ b/rules/sigma/builtin/win_tap_driver_installation.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 47dc4116..556771b6 100644 --- a/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/sigma/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -34,3 +34,4 @@ tags: - attack.t1003.002 - attack.t1003.001 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_usb_device_plugged.yml b/rules/sigma/builtin/win_usb_device_plugged.yml index 24d35c90..23f93a97 100644 --- a/rules/sigma/builtin/win_usb_device_plugged.yml +++ b/rules/sigma/builtin/win_usb_device_plugged.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.initial_access - attack.t1200 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_added_to_local_administrators.yml b/rules/sigma/builtin/win_user_added_to_local_administrators.yml index 0ba30fcc..4fe138b6 100644 --- a/rules/sigma/builtin/win_user_added_to_local_administrators.yml +++ b/rules/sigma/builtin/win_user_added_to_local_administrators.yml @@ -28,3 +28,4 @@ tags: - attack.t1078 - attack.persistence - attack.t1098 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 0fbf2966..92b07a83 100644 --- a/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/sigma/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.t1208 - attack.t1558.003 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_creation.yml b/rules/sigma/builtin/win_user_creation.yml index c0bd2f4c..aaa45500 100644 --- a/rules/sigma/builtin/win_user_creation.yml +++ b/rules/sigma/builtin/win_user_creation.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1136 - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_user_driver_loaded.yml b/rules/sigma/builtin/win_user_driver_loaded.yml index b98aef90..951db50a 100644 --- a/rules/sigma/builtin/win_user_driver_loaded.yml +++ b/rules/sigma/builtin/win_user_driver_loaded.yml @@ -49,3 +49,4 @@ tags: - attack.t1089 - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml index cbd86f44..5aec87e1 100644 --- a/rules/sigma/builtin/win_volume_shadow_copy_mount.yml +++ b/rules/sigma/builtin/win_volume_shadow_copy_mount.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml index 24a406e8..80f1cca6 100644 --- a/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml +++ b/rules/sigma/builtin/win_vssaudit_secevent_source_registration.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_0688.yml b/rules/sigma/builtin/win_vul_cve_2020_0688.yml index 9575b497..b8960b6d 100644 --- a/rules/sigma/builtin/win_vul_cve_2020_0688.yml +++ b/rules/sigma/builtin/win_vul_cve_2020_0688.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.initial_access - attack.t1190 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_vul_cve_2020_1472.yml b/rules/sigma/builtin/win_vul_cve_2020_1472.yml index 52d09c8d..7b73408e 100644 --- a/rules/sigma/builtin/win_vul_cve_2020_1472.yml +++ b/rules/sigma/builtin/win_vul_cve_2020_1472.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml index d31eb0df..3278229c 100644 --- a/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml @@ -27,3 +27,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml index 23817bfb..75c2655a 100644 --- a/rules/sigma/create_remote_thread/sysmon_cactustorch.yml +++ b/rules/sigma/create_remote_thread/sysmon_cactustorch.yml @@ -39,3 +39,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index b67031bd..4e260051 100644 --- a/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ b/rules/sigma/create_remote_thread/sysmon_cobaltstrike_process_injection.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index 981bc40e..aac6829d 100644 --- a/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ b/rules/sigma/create_remote_thread/sysmon_createremotethread_loadlibrary.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml index fa0f2607..9c56270b 100644 --- a/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml +++ b/rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml @@ -30,3 +30,4 @@ tags: - attack.t1003 - attack.s0005 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml index 3c080014..5a3396c2 100644 --- a/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml index 4430c13a..65c06f01 100644 --- a/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml +++ b/rules/sigma/create_remote_thread/sysmon_susp_powershell_rundll32.yml @@ -29,3 +29,4 @@ tags: - attack.t1218.011 - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml index f0402ae0..62d05fa3 100644 --- a/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml +++ b/rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml @@ -86,3 +86,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml index 85044cb1..cf32a722 100644 --- a/rules/sigma/create_stream_hash/sysmon_ads_executable.yml +++ b/rules/sigma/create_stream_hash/sysmon_ads_executable.yml @@ -32,3 +32,4 @@ tags: - attack.t1027 - attack.s0139 - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml index 8df65a8e..9e3a7b40 100644 --- a/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ b/rules/sigma/create_stream_hash/sysmon_regedit_export_to_ads.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml index d770ad26..061ce08f 100644 --- a/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml +++ b/rules/sigma/dns_query/dns_net_mal_cobaltstrike.yml @@ -32,3 +32,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_net_susp_ipify.yml b/rules/sigma/dns_query/dns_net_susp_ipify.yml index cb5dcf49..6c6a7533 100644 --- a/rules/sigma/dns_query/dns_net_susp_ipify.yml +++ b/rules/sigma/dns_query/dns_net_susp_ipify.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.reconnaissance - attack.t1590 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml index c7d02945..098f6e01 100644 --- a/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml +++ b/rules/sigma/dns_query/dns_query_hybridconnectionmgr_servicebus.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1554 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_mega_nz.yml b/rules/sigma/dns_query/dns_query_mega_nz.yml index de60de21..d0ae8a7b 100644 --- a/rules/sigma/dns_query/dns_query_mega_nz.yml +++ b/rules/sigma/dns_query/dns_query_mega_nz.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml index 3e706528..f45dd33d 100644 --- a/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml +++ b/rules/sigma/dns_query/dns_query_possible_dns_rebinding.yml @@ -73,3 +73,4 @@ status: experimental tags: - attack.initial_access - attack.t1189 +ruletype: SIGMA diff --git a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml index 3ead6e60..399f4c18 100644 --- a/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml +++ b/rules/sigma/dns_query/dns_query_regsvr32_network_activity.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_mal_creddumper.yml b/rules/sigma/driver_load/driver_load_mal_creddumper.yml index 41e0386b..be4611a2 100644 --- a/rules/sigma/driver_load/driver_load_mal_creddumper.yml +++ b/rules/sigma/driver_load/driver_load_mal_creddumper.yml @@ -43,3 +43,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 34625e24..c3a686f5 100644 --- a/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/sigma/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -66,3 +66,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml index a2f2f2e3..2d4eff19 100644 --- a/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml +++ b/rules/sigma/driver_load/driver_load_powershell_script_installed_as_service.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_susp_temp_use.yml b/rules/sigma/driver_load/driver_load_susp_temp_use.yml index 5f647cad..3c95b5ba 100644 --- a/rules/sigma/driver_load/driver_load_susp_temp_use.yml +++ b/rules/sigma/driver_load/driver_load_susp_temp_use.yml @@ -23,3 +23,4 @@ tags: - attack.privilege_escalation - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml index 7e129f9e..1afc0de5 100644 --- a/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml +++ b/rules/sigma/driver_load/driver_load_vuln_dell_driver.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - cve.2021.21551 - attack.t1543 +ruletype: SIGMA diff --git a/rules/sigma/driver_load/driver_load_windivert.yml b/rules/sigma/driver_load/driver_load_windivert.yml index 202a4b63..bbd6699d 100644 --- a/rules/sigma/driver_load/driver_load_windivert.yml +++ b/rules/sigma/driver_load/driver_load_windivert.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1599.001 - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/edr/edr_command_execution_by_office_applications.yml b/rules/sigma/edr/edr_command_execution_by_office_applications.yml index a00d36a0..aaa27e57 100644 --- a/rules/sigma/edr/edr_command_execution_by_office_applications.yml +++ b/rules/sigma/edr/edr_command_execution_by_office_applications.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_delete_prefetch.yml b/rules/sigma/file_delete/sysmon_delete_prefetch.yml index 6ba6585f..ad26aa1a 100644 --- a/rules/sigma/file_delete/sysmon_delete_prefetch.yml +++ b/rules/sigma/file_delete/sysmon_delete_prefetch.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml index f002c41d..09e8b1ac 100644 --- a/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml +++ b/rules/sigma/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml index 0f4cea05..2f9f5720 100644 --- a/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml +++ b/rules/sigma/file_delete/win_cve_2021_1675_printspooler_del.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.t1574 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml index 9cefb6c6..5e595fd6 100644 --- a/rules/sigma/file_event/file_event_advanced_ip_scanner.yml +++ b/rules/sigma/file_event/file_event_advanced_ip_scanner.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.discovery - attack.t1046 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml index 89c748bd..d6f8fd79 100644 --- a/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml +++ b/rules/sigma/file_event/file_event_apt_unidentified_nov_18.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml index 67caf167..d5138819 100644 --- a/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/sigma/file_event/file_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -38,3 +38,4 @@ tags: - attack.t1203 - cve.2021.33771 - cve.2021.31979 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hack_dumpert.yml b/rules/sigma/file_event/file_event_hack_dumpert.yml index b777829b..7b10aec1 100644 --- a/rules/sigma/file_event/file_event_hack_dumpert.yml +++ b/rules/sigma/file_event/file_event_hack_dumpert.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_hktl_createminidump.yml b/rules/sigma/file_event/file_event_hktl_createminidump.yml index caaac0fe..759c245f 100644 --- a/rules/sigma/file_event/file_event_hktl_createminidump.yml +++ b/rules/sigma/file_event/file_event_hktl_createminidump.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_lsass_dump.yml b/rules/sigma/file_event/file_event_lsass_dump.yml index eefbce4f..f8a18a0b 100644 --- a/rules/sigma/file_event/file_event_lsass_dump.yml +++ b/rules/sigma/file_event/file_event_lsass_dump.yml @@ -35,3 +35,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_adwind.yml b/rules/sigma/file_event/file_event_mal_adwind.yml index 640f36e3..89d02db2 100644 --- a/rules/sigma/file_event/file_event_mal_adwind.yml +++ b/rules/sigma/file_event/file_event_mal_adwind.yml @@ -33,3 +33,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mal_vhd_download.yml b/rules/sigma/file_event/file_event_mal_vhd_download.yml index cc3e37b0..d52d9515 100644 --- a/rules/sigma/file_event/file_event_mal_vhd_download.yml +++ b/rules/sigma/file_event/file_event_mal_vhd_download.yml @@ -38,3 +38,4 @@ status: test tags: - attack.resource_development - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml index db212b1f..dc9d26df 100644 --- a/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml +++ b/rules/sigma/file_event/file_event_mimikatz_kirbi_file_creation.yml @@ -23,3 +23,4 @@ status: test tags: - attack.credential_access - attack.t1558 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_moriya_rootkit.yml b/rules/sigma/file_event/file_event_moriya_rootkit.yml index b01ef6ea..3f7ba19a 100644 --- a/rules/sigma/file_event/file_event_moriya_rootkit.yml +++ b/rules/sigma/file_event/file_event_moriya_rootkit.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_pingback_backdoor.yml b/rules/sigma/file_event/file_event_pingback_backdoor.yml index de05302b..8b387765 100644 --- a/rules/sigma/file_event/file_event_pingback_backdoor.yml +++ b/rules/sigma/file_event/file_event_pingback_backdoor.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml index 21100bbd..cf7d60b7 100644 --- a/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml +++ b/rules/sigma/file_event/file_event_script_creation_by_office_using_file_ext.yml @@ -44,3 +44,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_susp_task_write.yml b/rules/sigma/file_event/file_event_susp_task_write.yml index 729734d2..5429a0cf 100644 --- a/rules/sigma/file_event/file_event_susp_task_write.yml +++ b/rules/sigma/file_event/file_event_susp_task_write.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.execution - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_tool_psexec.yml b/rules/sigma/file_event/file_event_tool_psexec.yml index 004327bb..f5a257b3 100644 --- a/rules/sigma/file_event/file_event_tool_psexec.yml +++ b/rules/sigma/file_event/file_event_tool_psexec.yml @@ -38,3 +38,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml index 0866da20..81183bbd 100644 --- a/rules/sigma/file_event/file_event_uac_bypass_winsat.yml +++ b/rules/sigma/file_event/file_event_uac_bypass_winsat.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml index cdbae4e8..d5ca7ab4 100644 --- a/rules/sigma/file_event/file_event_uac_bypass_wmp.yml +++ b/rules/sigma/file_event/file_event_uac_bypass_wmp.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml index b93b9117..e442758a 100644 --- a/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml +++ b/rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml @@ -47,3 +47,4 @@ logsource: references: - No references status: experimental +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml index 6add2daf..8d003e2a 100644 --- a/rules/sigma/file_event/file_event_winrm_awl_bypass.yml +++ b/rules/sigma/file_event/file_event_winrm_awl_bypass.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml index 30783eb6..a6f4e9a5 100644 --- a/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/file_event/file_event_wmiprvse_wbemcomn_dll_hijack.yml @@ -28,3 +28,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_creation_system_file.yml b/rules/sigma/file_event/sysmon_creation_system_file.yml index aa8389f4..fca4521b 100644 --- a/rules/sigma/file_event/sysmon_creation_system_file.yml +++ b/rules/sigma/file_event/sysmon_creation_system_file.yml @@ -65,3 +65,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml index 189b3f81..cf546df7 100644 --- a/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml +++ b/rules/sigma/file_event/sysmon_cred_dump_tools_dropped_files.yml @@ -55,3 +55,4 @@ tags: - attack.t1003.003 - attack.t1003.004 - attack.t1003.005 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml index 99213c30..1a282c20 100644 --- a/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml +++ b/rules/sigma/file_event/sysmon_cve_2021_26858_msexchange.yml @@ -36,3 +36,4 @@ tags: - attack.t1203 - attack.execution - cve.2021.26858 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml index 1a080745..a66f5b02 100644 --- a/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml +++ b/rules/sigma/file_event/sysmon_detect_powerup_dllhijacking.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml index 4829dfc3..ace295fb 100644 --- a/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml +++ b/rules/sigma/file_event/sysmon_ghostpack_safetykatz.yml @@ -24,3 +24,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml index ff534e89..9d54ad3e 100644 --- a/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml +++ b/rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml @@ -32,3 +32,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_office_persistence.yml b/rules/sigma/file_event/sysmon_office_persistence.yml index 09b9e6de..afa4c9dc 100644 --- a/rules/sigma/file_event/sysmon_office_persistence.yml +++ b/rules/sigma/file_event/sysmon_office_persistence.yml @@ -38,3 +38,4 @@ tags: - attack.persistence - attack.t1137 - attack.t1137.006 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_outlook_newform.yml b/rules/sigma/file_event/sysmon_outlook_newform.yml index bed12314..94b0b8dd 100644 --- a/rules/sigma/file_event/sysmon_outlook_newform.yml +++ b/rules/sigma/file_event/sysmon_outlook_newform.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1137.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml index a700c4bc..2bee4489 100644 --- a/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml +++ b/rules/sigma/file_event/sysmon_pcre_net_temp_file.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml index 4d8625cd..9c9acc39 100644 --- a/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml +++ b/rules/sigma/file_event/sysmon_powershell_exploit_scripts.yml @@ -118,3 +118,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml index 975db71f..d8f3f241 100644 --- a/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml +++ b/rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.registry_run_keys_/_startup_folder - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml index 59631cad..0d7e58b5 100644 --- a/rules/sigma/file_event/sysmon_quarkspw_filedump.yml +++ b/rules/sigma/file_event/sysmon_quarkspw_filedump.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml index 27dbef75..7144b964 100644 --- a/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ b/rules/sigma/file_event/sysmon_redmimicry_winnti_filedrop.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml index c95ceaf6..474f4758 100644 --- a/rules/sigma/file_event/sysmon_startup_folder_file_write.yml +++ b/rules/sigma/file_event/sysmon_startup_folder_file_write.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml index 2192a92f..36e1cb6c 100644 --- a/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml +++ b/rules/sigma/file_event/sysmon_susp_adsi_cache_usage.yml @@ -37,3 +37,4 @@ tags: - attack.t1071 - attack.t1001.003 - attack.command_and_control +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_clr_logs.yml b/rules/sigma/file_event/sysmon_susp_clr_logs.yml index 51f891cf..cff06d72 100644 --- a/rules/sigma/file_event/sysmon_susp_clr_logs.yml +++ b/rules/sigma/file_event/sysmon_susp_clr_logs.yml @@ -42,3 +42,4 @@ tags: - attack.defense_evasion - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml index 1aa2c2c3..8269eafd 100644 --- a/rules/sigma/file_event/sysmon_susp_desktop_ini.yml +++ b/rules/sigma/file_event/sysmon_susp_desktop_ini.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1023 - attack.t1547.009 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml index 69228b11..71481373 100644 --- a/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/sigma/file_event/sysmon_susp_pfx_file_creation.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index efb44c6c..22e29910 100644 --- a/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/sigma/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -36,3 +36,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml index 08781f7b..9f340600 100644 --- a/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml +++ b/rules/sigma/file_event/sysmon_suspicious_powershell_profile_create.yml @@ -28,3 +28,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.013 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml index 2dc971d9..112ec4af 100644 --- a/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml +++ b/rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml index 6fff1ce4..4b4354b6 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_consent_comctl32.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml index 9bae5cc2..0754223c 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml index 04172c32..9676afb4 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml index 9d470fc6..ff744dca 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_msconfig_gui.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml index db909df0..de79c275 100644 --- a/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml +++ b/rules/sigma/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml index ce9784b2..40389d2e 100644 --- a/rules/sigma/file_event/sysmon_webshell_creation_detect.yml +++ b/rules/sigma/file_event/sysmon_webshell_creation_detect.yml @@ -57,3 +57,4 @@ tags: - attack.persistence - attack.t1100 - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml index bb1d6f8c..48e26ae1 100644 --- a/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml +++ b/rules/sigma/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml @@ -24,3 +24,4 @@ tags: - attack.t1084 - attack.t1546.003 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml index bf66f0c7..51720d15 100644 --- a/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml +++ b/rules/sigma/file_event/win_cve_2021_1675_printspooler.yml @@ -34,3 +34,4 @@ tags: - attack.resource_development - attack.t1587 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml index 68edbc2b..5042704f 100644 --- a/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml +++ b/rules/sigma/file_event/win_file_winword_cve_2021_40444.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.resource_development - attack.t1587 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_hivenightmare_file_exports.yml b/rules/sigma/file_event/win_hivenightmare_file_exports.yml index 82bd22cf..6d80bb79 100644 --- a/rules/sigma/file_event/win_hivenightmare_file_exports.yml +++ b/rules/sigma/file_event/win_hivenightmare_file_exports.yml @@ -37,3 +37,4 @@ tags: - attack.credential_access - attack.t1552.001 - cve.2021.36934 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml index dec1443e..d9f6f964 100644 --- a/rules/sigma/file_event/win_outlook_c2_macro_creation.yml +++ b/rules/sigma/file_event/win_outlook_c2_macro_creation.yml @@ -27,3 +27,4 @@ tags: - attack.t1137 - attack.t1008 - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_rclone_exec_file.yml b/rules/sigma/file_event/win_rclone_exec_file.yml index 2213fef9..1455ae44 100644 --- a/rules/sigma/file_event/win_rclone_exec_file.yml +++ b/rules/sigma/file_event/win_rclone_exec_file.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml index 12ada67a..ec85a436 100644 --- a/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml +++ b/rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_pingback_backdoor.yml b/rules/sigma/image_load/image_load_pingback_backdoor.yml index df069556..a9f33802 100644 --- a/rules/sigma/image_load/image_load_pingback_backdoor.yml +++ b/rules/sigma/image_load/image_load_pingback_backdoor.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml index c9136ff8..cc88231c 100644 --- a/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/sigma/image_load/image_load_silenttrinity_stage_use.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 9f934c89..f533e5fb 100644 --- a/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/sigma/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -28,3 +28,4 @@ tags: - attack.t1047 - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml index 434af1a5..95031338 100644 --- a/rules/sigma/image_load/process_creation_tttracer_mod_load.yml +++ b/rules/sigma/image_load/process_creation_tttracer_mod_load.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1218 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml index 7873f0f6..2b9dcdbc 100644 --- a/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml +++ b/rules/sigma/image_load/sysmon_abusing_azure_browser_sso.yml @@ -35,3 +35,4 @@ tags: - attack.privilege_escalation - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 73c7ca5e..cd4202f9 100644 --- a/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/sigma/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml index 370faf5a..ae5fc804 100644 --- a/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml +++ b/rules/sigma/image_load/sysmon_foggyweb_nobelium.yml @@ -22,3 +22,4 @@ status: experimental tags: - attack.resource_development - attack.t1587 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_in_memory_powershell.yml b/rules/sigma/image_load/sysmon_in_memory_powershell.yml index c8d5128a..c08df0f6 100644 --- a/rules/sigma/image_load/sysmon_in_memory_powershell.yml +++ b/rules/sigma/image_load/sysmon_in_memory_powershell.yml @@ -49,3 +49,4 @@ tags: - attack.t1086 - attack.t1059.001 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_pcre_net_load.yml b/rules/sigma/image_load/sysmon_pcre_net_load.yml index ce90f8b3..06efb137 100644 --- a/rules/sigma/image_load/sysmon_pcre_net_load.yml +++ b/rules/sigma/image_load/sysmon_pcre_net_load.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml index 25be1a44..2c4d93bc 100644 --- a/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml +++ b/rules/sigma/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml index acaf7518..7040913e 100644 --- a/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml +++ b/rules/sigma/image_load/sysmon_spoolsv_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.t1574 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_fax_dll.yml b/rules/sigma/image_load/sysmon_susp_fax_dll.yml index 27671f58..527347bc 100644 --- a/rules/sigma/image_load/sysmon_susp_fax_dll.yml +++ b/rules/sigma/image_load/sysmon_susp_fax_dll.yml @@ -35,3 +35,4 @@ tags: - attack.t1038 - attack.t1574.001 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_image_load.yml b/rules/sigma/image_load/sysmon_susp_image_load.yml index 64630bd8..5e7c1c98 100644 --- a/rules/sigma/image_load/sysmon_susp_image_load.yml +++ b/rules/sigma/image_load/sysmon_susp_image_load.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml index 017745c3..8bf01a6a 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml index 5179191a..2d6e9c41 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml index a58112dc..85d73b1b 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml index b21e9441..e0636a7c 100644 --- a/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_dsparse_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml index 6d0ffd63..34c4c4fe 100644 --- a/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_office_kerberos_dll_load.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_python_image_load.yml b/rules/sigma/image_load/sysmon_susp_python_image_load.yml index f92ee9e2..2af6e561 100644 --- a/rules/sigma/image_load/sysmon_susp_python_image_load.yml +++ b/rules/sigma/image_load/sysmon_susp_python_image_load.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml index faff2405..013da64c 100644 --- a/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml index adb82add..8d0ea2fe 100644 --- a/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml +++ b/rules/sigma/image_load/sysmon_susp_system_drawing_load.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1113 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml index 945e6be0..a91fa571 100644 --- a/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_winword_vbadll_load.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml index f74c63d2..c63c492f 100644 --- a/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml +++ b/rules/sigma/image_load/sysmon_susp_winword_wmidll_load.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml index 328753ed..05dc8b88 100644 --- a/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/sigma/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -70,3 +70,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml index c21bce53..9e8e4668 100644 --- a/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/sigma/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -40,3 +40,4 @@ tags: - attack.t1574.002 - attack.t1038 - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml index 0c26cf85..51ebaf59 100644 --- a/rules/sigma/image_load/sysmon_tttracer_mod_load.yml +++ b/rules/sigma/image_load/sysmon_tttracer_mod_load.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1218 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml index 086be58e..0f9cf9e9 100644 --- a/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/sigma/image_load/sysmon_uac_bypass_via_dism.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml index 4bfe4bc8..4066e9f6 100644 --- a/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/sigma/image_load/sysmon_uipromptforcreds_dlls.yml @@ -37,3 +37,4 @@ tags: - attack.credential_access - attack.collection - attack.t1056.002 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml index c4bc888e..5669d048 100644 --- a/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml +++ b/rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_module_load.yml b/rules/sigma/image_load/sysmon_wmi_module_load.yml index 2407090f..dc7ec21f 100644 --- a/rules/sigma/image_load/sysmon_wmi_module_load.yml +++ b/rules/sigma/image_load/sysmon_wmi_module_load.yml @@ -61,3 +61,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml index eaa26ec9..e99b0f1b 100644 --- a/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/sigma/image_load/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -26,3 +26,4 @@ tags: - attack.t1084 - attack.t1546.003 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml index 1c04b346..060b0a77 100644 --- a/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ b/rules/sigma/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1220 +ruletype: SIGMA diff --git a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml index 2eb5e89e..30483b48 100644 --- a/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml +++ b/rules/sigma/image_load/sysmon_wsman_provider_image_load.yml @@ -46,3 +46,4 @@ tags: - attack.t1059.001 - attack.lateral_movement - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml index 0ea4588c..a6d45e9c 100644 --- a/rules/sigma/image_load/win_susp_svchost_clfsw32.yml +++ b/rules/sigma/image_load/win_susp_svchost_clfsw32.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml index 2d98af3f..c2a7adc2 100644 --- a/rules/sigma/image_load/win_suspicious_vss_ps_load.yml +++ b/rules/sigma/image_load/win_suspicious_vss_ps_load.yml @@ -40,3 +40,4 @@ tags: - attack.defense_evasion - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_exploiting.yml b/rules/sigma/malware/av_exploiting.yml index 0dc45e26..08f613a5 100644 --- a/rules/sigma/malware/av_exploiting.yml +++ b/rules/sigma/malware/av_exploiting.yml @@ -39,3 +39,4 @@ tags: - attack.t1203 - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_hacktool.yml b/rules/sigma/malware/av_hacktool.yml index 39502cc5..e425932b 100644 --- a/rules/sigma/malware/av_hacktool.yml +++ b/rules/sigma/malware/av_hacktool.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_password_dumper.yml b/rules/sigma/malware/av_password_dumper.yml index 69a2a004..e358a522 100644 --- a/rules/sigma/malware/av_password_dumper.yml +++ b/rules/sigma/malware/av_password_dumper.yml @@ -39,3 +39,4 @@ tags: - attack.t1558 - attack.t1003.001 - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml index 676fcd5e..11ea7d57 100644 --- a/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml +++ b/rules/sigma/malware/av_printernightmare_cve_2021_34527.yml @@ -27,3 +27,4 @@ status: stable tags: - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_relevant_files.yml b/rules/sigma/malware/av_relevant_files.yml index d1214c71..084f4989 100644 --- a/rules/sigma/malware/av_relevant_files.yml +++ b/rules/sigma/malware/av_relevant_files.yml @@ -79,3 +79,4 @@ status: experimental tags: - attack.resource_development - attack.t1588 +ruletype: SIGMA diff --git a/rules/sigma/malware/av_webshell.yml b/rules/sigma/malware/av_webshell.yml index 73b6e098..1ffda88b 100644 --- a/rules/sigma/malware/av_webshell.yml +++ b/rules/sigma/malware/av_webshell.yml @@ -77,3 +77,4 @@ tags: - attack.persistence - attack.t1100 - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/malware/file_event_mal_octopus_scanner.yml b/rules/sigma/malware/file_event_mal_octopus_scanner.yml index 9e9d151f..611a0e31 100644 --- a/rules/sigma/malware/file_event_mal_octopus_scanner.yml +++ b/rules/sigma/malware/file_event_mal_octopus_scanner.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.t1195 - attack.t1195.001 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml index c193a043..dcb7ae82 100644 --- a/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml +++ b/rules/sigma/malware/process_creation_mal_blue_mockingbird.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1112 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml index 972dd8c1..a1ed5f01 100644 --- a/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml +++ b/rules/sigma/malware/process_creation_mal_darkside_ransomware.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml index efe7aeb7..37d2a39a 100644 --- a/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml +++ b/rules/sigma/malware/process_creation_mal_lockergoga_ransomware.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/malware/process_creation_mal_ryuk.yml b/rules/sigma/malware/process_creation_mal_ryuk.yml index 0a388e82..3c24bb4f 100644 --- a/rules/sigma/malware/process_creation_mal_ryuk.yml +++ b/rules/sigma/malware/process_creation_mal_ryuk.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_azorult.yml b/rules/sigma/malware/registry_event_mal_azorult.yml index ad726d65..99935e08 100644 --- a/rules/sigma/malware/registry_event_mal_azorult.yml +++ b/rules/sigma/malware/registry_event_mal_azorult.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.execution - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml index 0c355ce1..44f831f6 100644 --- a/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml +++ b/rules/sigma/malware/registry_event_mal_blue_mockingbird.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1112 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_flowcloud.yml b/rules/sigma/malware/registry_event_mal_flowcloud.yml index db1beb5e..b1058002 100644 --- a/rules/sigma/malware/registry_event_mal_flowcloud.yml +++ b/rules/sigma/malware/registry_event_mal_flowcloud.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_netwire.yml b/rules/sigma/malware/registry_event_mal_netwire.yml index cdb4e8ee..1ce88a79 100644 --- a/rules/sigma/malware/registry_event_mal_netwire.yml +++ b/rules/sigma/malware/registry_event_mal_netwire.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/malware/registry_event_mal_ursnif.yml b/rules/sigma/malware/registry_event_mal_ursnif.yml index 217993b5..dcf82a6a 100644 --- a/rules/sigma/malware/registry_event_mal_ursnif.yml +++ b/rules/sigma/malware/registry_event_mal_ursnif.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml index 892dfc91..9d47d0d6 100644 --- a/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml +++ b/rules/sigma/network_connection/silenttrinity_stager_msbuild_activity.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.execution - attack.t1127.001 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml index d8311bee..8394040b 100644 --- a/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml +++ b/rules/sigma/network_connection/sysmon_dllhost_net_connections.yml @@ -50,3 +50,4 @@ tags: - attack.execution - attack.t1559.001 - attack.t1175 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml index ea505fe0..98f059c7 100644 --- a/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_excel_outbound_network_connection.yml @@ -58,3 +58,4 @@ status: experimental tags: - attack.execution - attack.t1203 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml index 88f7e2a4..5576ab1e 100644 --- a/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml +++ b/rules/sigma/network_connection/sysmon_malware_backconnect_ports.yml @@ -108,3 +108,4 @@ tags: - attack.command_and_control - attack.t1571 - attack.t1043 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml index a3b04bc1..0911c917 100644 --- a/rules/sigma/network_connection/sysmon_notepad_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_notepad_network_connection.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml index 58f7e71b..96429c14 100644 --- a/rules/sigma/network_connection/sysmon_powershell_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_powershell_network_connection.yml @@ -60,3 +60,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml index e72a8a6f..38e1f4b9 100644 --- a/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/sigma/network_connection/sysmon_rdp_reverse_tunnel.yml @@ -39,3 +39,4 @@ tags: - attack.t1021.001 - attack.t1076 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml index 8bba95c9..e3c3567c 100644 --- a/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml +++ b/rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml index 52bcf32d..79b124ec 100644 --- a/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml +++ b/rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml @@ -32,3 +32,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml index 9f88bd02..b3db683e 100644 --- a/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml +++ b/rules/sigma/network_connection/sysmon_rundll32_net_connections.yml @@ -49,3 +49,4 @@ tags: - attack.t1218.011 - attack.t1085 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml index fe34a3c4..0a65bd83 100644 --- a/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_susp_rdp.yml b/rules/sigma/network_connection/sysmon_susp_rdp.yml index 0297cae8..5113f650 100644 --- a/rules/sigma/network_connection/sysmon_susp_rdp.yml +++ b/rules/sigma/network_connection/sysmon_susp_rdp.yml @@ -51,3 +51,4 @@ tags: - attack.t1021.001 - attack.t1076 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml index 8d9c613b..1ea0e858 100644 --- a/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/sigma/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml @@ -36,3 +36,4 @@ tags: - attack.lateral_movement - attack.t1550.003 - attack.t1097 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml index 80024fbc..8c594e4a 100644 --- a/rules/sigma/network_connection/sysmon_win_binary_github_com.yml +++ b/rules/sigma/network_connection/sysmon_win_binary_github_com.yml @@ -35,3 +35,4 @@ tags: - attack.exfiltration - attack.t1567.001 - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml index 2ba79e73..cd1b5e3e 100644 --- a/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml +++ b/rules/sigma/network_connection/sysmon_win_binary_susp_com.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml index 78ff9b9b..ebb03586 100644 --- a/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml +++ b/rules/sigma/network_connection/sysmon_wuauclt_network_connection.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/network_connection/win_net_crypto_mining.yml b/rules/sigma/network_connection/win_net_crypto_mining.yml index 231d212e..51a5bf04 100644 --- a/rules/sigma/network_connection/win_net_crypto_mining.yml +++ b/rules/sigma/network_connection/win_net_crypto_mining.yml @@ -44,3 +44,4 @@ status: stable tags: - attack.impact - attack.t1496 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_amsi_trigger.yml b/rules/sigma/other/win_defender_amsi_trigger.yml index adc37c0e..ceb96d3e 100644 --- a/rules/sigma/other/win_defender_amsi_trigger.yml +++ b/rules/sigma/other/win_defender_amsi_trigger.yml @@ -23,3 +23,4 @@ status: stable tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_bypass.yml b/rules/sigma/other/win_defender_bypass.yml index 0fc20e93..934a7dfd 100644 --- a/rules/sigma/other/win_defender_bypass.yml +++ b/rules/sigma/other/win_defender_bypass.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_disabled.yml b/rules/sigma/other/win_defender_disabled.yml index 27c285ee..5f668850 100644 --- a/rules/sigma/other/win_defender_disabled.yml +++ b/rules/sigma/other/win_defender_disabled.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_exclusions.yml b/rules/sigma/other/win_defender_exclusions.yml index 38cadac8..392ae2b0 100644 --- a/rules/sigma/other/win_defender_exclusions.yml +++ b/rules/sigma/other/win_defender_exclusions.yml @@ -24,3 +24,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_history_delete.yml b/rules/sigma/other/win_defender_history_delete.yml index 0328eb8f..f91be5ee 100644 --- a/rules/sigma/other/win_defender_history_delete.yml +++ b/rules/sigma/other/win_defender_history_delete.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_psexec_wmi_asr.yml b/rules/sigma/other/win_defender_psexec_wmi_asr.yml index cef87a24..7f411ec9 100644 --- a/rules/sigma/other/win_defender_psexec_wmi_asr.yml +++ b/rules/sigma/other/win_defender_psexec_wmi_asr.yml @@ -32,3 +32,4 @@ tags: - attack.t1047 - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_tamper_protection_trigger.yml b/rules/sigma/other/win_defender_tamper_protection_trigger.yml index 5798cdf7..ddd5ea17 100644 --- a/rules/sigma/other/win_defender_tamper_protection_trigger.yml +++ b/rules/sigma/other/win_defender_tamper_protection_trigger.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_defender_threat.yml b/rules/sigma/other/win_defender_threat.yml index bd01bd2d..1ba96d93 100644 --- a/rules/sigma/other/win_defender_threat.yml +++ b/rules/sigma/other/win_defender_threat.yml @@ -26,3 +26,4 @@ status: stable tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_cve_2021_42321.yml b/rules/sigma/other/win_exchange_cve_2021_42321.yml index 6cde2afc..77e2a949 100644 --- a/rules/sigma/other/win_exchange_cve_2021_42321.yml +++ b/rules/sigma/other/win_exchange_cve_2021_42321.yml @@ -19,3 +19,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1210 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml index 431a2dd7..7d698702 100644 --- a/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/sigma/other/win_exchange_proxylogon_oabvirtualdir.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml b/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml index 6e81d25a..a4cf41b3 100644 --- a/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml +++ b/rules/sigma/other/win_exchange_proxyshell_certificate_generation.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml b/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml index ff00aace..476a404b 100644 --- a/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml +++ b/rules/sigma/other/win_exchange_proxyshell_mailbox_export.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.persistence - attack.t1505.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml index c2261028..1d2b913d 100644 --- a/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml +++ b/rules/sigma/other/win_exchange_proxyshell_remove_mailbox_export.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070 +ruletype: SIGMA diff --git a/rules/sigma/other/win_exchange_transportagent_failed.yml b/rules/sigma/other/win_exchange_transportagent_failed.yml index 61c5afe1..1970f784 100644 --- a/rules/sigma/other/win_exchange_transportagent_failed.yml +++ b/rules/sigma/other/win_exchange_transportagent_failed.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/other/win_lateral_movement_condrv.yml b/rules/sigma/other/win_lateral_movement_condrv.yml index 313514f4..e725bd25 100644 --- a/rules/sigma/other/win_lateral_movement_condrv.yml +++ b/rules/sigma/other/win_lateral_movement_condrv.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1021 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/other/win_ldap_recon.yml b/rules/sigma/other/win_ldap_recon.yml index f73b214a..d6bd1659 100644 --- a/rules/sigma/other/win_ldap_recon.yml +++ b/rules/sigma/other/win_ldap_recon.yml @@ -79,3 +79,4 @@ tags: - attack.t1069.002 - attack.t1087.002 - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/other/win_pcap_drivers.yml b/rules/sigma/other/win_pcap_drivers.yml index 41f30ba2..139528fd 100644 --- a/rules/sigma/other/win_pcap_drivers.yml +++ b/rules/sigma/other/win_pcap_drivers.yml @@ -40,3 +40,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml index a4a4b044..e4fc4bfb 100644 --- a/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml +++ b/rules/sigma/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml @@ -27,3 +27,4 @@ status: stable tags: - attack.t1210 - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/other/win_rare_schtask_creation.yml b/rules/sigma/other/win_rare_schtask_creation.yml index 2c57427f..dd190b17 100644 --- a/rules/sigma/other/win_rare_schtask_creation.yml +++ b/rules/sigma/other/win_rare_schtask_creation.yml @@ -22,3 +22,4 @@ tags: - attack.t1053 - attack.s0111 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/other/win_security_wmi_persistence.yml b/rules/sigma/other/win_security_wmi_persistence.yml index 8d6da1ba..6d8823c7 100644 --- a/rules/sigma/other/win_security_wmi_persistence.yml +++ b/rules/sigma/other/win_security_wmi_persistence.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - attack.t1084 - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/other/win_system_defender_disabled.yml b/rules/sigma/other/win_system_defender_disabled.yml index ce21edc6..f7cced97 100644 --- a/rules/sigma/other/win_system_defender_disabled.yml +++ b/rules/sigma/other/win_system_defender_disabled.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/other/win_tool_psexec.yml b/rules/sigma/other/win_tool_psexec.yml index 716d9d1c..1220752d 100644 --- a/rules/sigma/other/win_tool_psexec.yml +++ b/rules/sigma/other/win_tool_psexec.yml @@ -39,3 +39,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/other/win_wmi_persistence.yml b/rules/sigma/other/win_wmi_persistence.yml index 12064004..c2c4058b 100644 --- a/rules/sigma/other/win_wmi_persistence.yml +++ b/rules/sigma/other/win_wmi_persistence.yml @@ -33,3 +33,4 @@ tags: - attack.privilege_escalation - attack.t1084 - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/pipe_created_tool_psexec.yml b/rules/sigma/pipe_created/pipe_created_tool_psexec.yml index 78f31d32..b3af623c 100644 --- a/rules/sigma/pipe_created/pipe_created_tool_psexec.yml +++ b/rules/sigma/pipe_created/pipe_created_tool_psexec.yml @@ -46,3 +46,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 9bef3ed3..5cd00728 100644 --- a/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/sigma/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml b/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml index a0407181..ade9f287 100644 --- a/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml +++ b/rules/sigma/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -37,3 +37,4 @@ tags: - attack.g0010 - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml b/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 1830b3c6..b16e722d 100644 --- a/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/sigma/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -39,3 +39,4 @@ tags: - attack.t1003.002 - attack.t1003.004 - attack.t1003.005 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml b/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml index bf58ef3e..135bd2b7 100644 --- a/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml +++ b/rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml index d4f17979..2d2aa7f7 100644 --- a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike.yml @@ -46,3 +46,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml index ce3bb40d..b65a1149 100644 --- a/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml +++ b/rules/sigma/pipe_created/sysmon_mal_cobaltstrike_re.yml @@ -76,3 +76,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml b/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml index f15598d9..d0bdd3bf 100644 --- a/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml +++ b/rules/sigma/pipe_created/sysmon_mal_namedpipes.yml @@ -68,3 +68,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml index d0b1567f..3305c48f 100644 --- a/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml +++ b/rules/sigma/pipe_created/sysmon_powershell_execution_pipe.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml index b127e1cb..d8a9cf17 100644 --- a/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml +++ b/rules/sigma/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml index af8e9489..3e1d1fcc 100644 --- a/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml +++ b/rules/sigma/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.collection - attack.t1005 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml b/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml index bf7d55d3..29ac1f99 100644 --- a/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/sigma/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml @@ -74,3 +74,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml b/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml index d0831c31..4317b12c 100644 --- a/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml +++ b/rules/sigma/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.t1047 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml index 6ae70b9c..b129b6ef 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml index 082e2277..84be8344 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml index 90e19d33..3acb6208 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml index 6cf210da..e905f40f 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml index 0effda91..5d7da005 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml index 3b6b8025..19b754a7 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml index d3494f13..f12618f2 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml index 26eff79e..0bc76d22 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml index 74bcecbe..da705169 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml index 6d3f2e41..4f13e805 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml index 6d7ee6f4..b3ef5615 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml index 113645d7..54d7cf2e 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml @@ -29,3 +29,4 @@ tags: - attack.t1059.001 - attack.lateral_movement - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml index cad79788..aabd04f6 100644 --- a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml +++ b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index 2a8b6e82..94b5c525 100644 --- a/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index 89a12bb1..e743cdc4 100644 --- a/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -38,3 +38,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml index b72240cd..3bd801bc 100644 --- a/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1070.003 - attack.t1146 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml b/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml index 3e351139..5a0df3af 100644 --- a/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1140 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml b/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml index 78098bc6..d45c5560 100644 --- a/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.collection - attack.t1115 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 69dd2eba..8de8a9b0 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index 60dbd5a1..70477331 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -40,3 +40,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index 7104bb9d..cb6fa371 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index 98092567..f6382508 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 54d02b0d..05fc8781 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index cbc49feb..db5e95e7 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index 64dceebd..23274f42 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 87064602..7944dcc9 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index 13c5308e..05e71589 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index eb89454a..17701049 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 80201302..d2fb0c38 100644 --- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -27,3 +27,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_powercat.yml b/rules/sigma/powershell/powershell_module/powershell_powercat.yml index 0a70fa09..2d636ee3 100644 --- a/rules/sigma/powershell/powershell_module/powershell_powercat.yml +++ b/rules/sigma/powershell/powershell_module/powershell_powercat.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml index 4c77f359..bc852c78 100644 --- a/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -28,3 +28,4 @@ tags: - attack.lateral_movement - attack.t1021.006 - attack.t1028 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index e95289fc..df562b92 100644 --- a/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml index b1dbc676..74cf57f5 100644 --- a/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml index b1b5d29e..086318ea 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml index 6acaa178..c95e63cb 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml index 4f85a6b7..17237bfc 100644 --- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml @@ -92,3 +92,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml index 0b506ae9..fee2b3fb 100644 --- a/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml +++ b/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml index 33e6bce4..4ad79ed9 100644 --- a/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml +++ b/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml @@ -70,3 +70,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml index 5edf13a1..4fda5bb3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml +++ b/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml b/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml index 2cf0cc52..30594c2c 100644 --- a/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml +++ b/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml index fbba403e..9d4f4032 100644 --- a/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml +++ b/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml @@ -29,3 +29,4 @@ tags: - attack.t1069.001 - attack.t1069.002 - attack.t1069 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml index 221ee898..fd3cd4a8 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml index 4f78b7df..e48150ef 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml index a01ea32f..deaa9875 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml index 61f935a4..0581347a 100644 --- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml +++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml b/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml index 6f6d38ad..b3c67d5d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml +++ b/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml @@ -26,3 +26,4 @@ tags: - attack.persistence - attack.t1136.001 - attack.t1136 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml b/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml index 277c2054..2234755d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml +++ b/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml @@ -29,3 +29,4 @@ tags: - attack.exfiltration - attack.t1560 - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml index 0a2cd462..67d5590d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1497.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml index 4993de7d..84047140 100644 --- a/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml +++ b/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml index 00d272ea..16c38b9b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml +++ b/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml index 29e134d7..bf5307d3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml @@ -22,3 +22,4 @@ status: test tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml index 991077af..bb0cc012 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml index a99d1725..3c882dae 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml index 10751f80..835457f7 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml index 604ac728..11437409 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml index 9a2a8eb7..ce67206d 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml index 77141983..6351b70f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml index 4dbdb15c..6f801ddb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml index 3e99fdc8..c733f87c 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml index fd72b483..054e5628 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml index ec0a3c13..fe5e9d80 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml index 5d2ab8c3..df52c285 100644 --- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_keylogging.yml b/rules/sigma/powershell/powershell_script/powershell_keylogging.yml index 9f1143b2..f6863858 100644 --- a/rules/sigma/powershell/powershell_script/powershell_keylogging.yml +++ b/rules/sigma/powershell/powershell_script/powershell_keylogging.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1056.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml index 48130617..ca621e46 100644 --- a/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml @@ -121,3 +121,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml index e7d60deb..165ba0e2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml +++ b/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml @@ -44,3 +44,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml index 952c468b..6b077362 100644 --- a/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml +++ b/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml @@ -24,3 +24,4 @@ references: status: experimental tags: - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml index c53aaa7f..393a2b6b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml @@ -94,3 +94,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml index b4fb1d52..5c3e523b 100644 --- a/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml index 45dc63b3..9ae67c71 100644 --- a/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml @@ -147,3 +147,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml index a063939c..fb926ab8 100644 --- a/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml +++ b/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml @@ -25,3 +25,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_psattack.yml b/rules/sigma/powershell/powershell_script/powershell_psattack.yml index b5b33ea1..27a01dad 100644 --- a/rules/sigma/powershell/powershell_script/powershell_psattack.yml +++ b/rules/sigma/powershell/powershell_script/powershell_psattack.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml index 5faa925d..cca361d0 100644 --- a/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml +++ b/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml index dd3ea6da..f7309bb6 100644 --- a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml +++ b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml index 5e671fab..20fda8a3 100644 --- a/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml +++ b/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml b/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml index 7b7ecaae..14c17ae4 100644 --- a/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml +++ b/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.discovery - attack.t1518 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml index 83e70370..9d9ff315 100644 --- a/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml +++ b/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml index 1e260625..51c21a50 100644 --- a/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml index 6892568b..fdb419d1 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml index 81d5f760..8cc5f7c2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml index 3a2d0b46..4c51cf26 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml index 2327b537..cb3d60a4 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml index 0f8f53af..4d8af680 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml @@ -92,3 +92,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml index 46050db5..5f7848b7 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml index 1bcafe80..0f264fdb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1114.001 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml index 317a983c..11465ddb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.005 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml index b75974f9..cce18b1a 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml index 5a7776ba..2851d113 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.discovery - attack.t1120 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml b/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml index bdaed16a..b6b5db5f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml +++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml index 2ff81987..7ca13350 100644 --- a/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml +++ b/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_timestomp.yml b/rules/sigma/powershell/powershell_script/powershell_timestomp.yml index fc7b7e0e..eae20ab9 100644 --- a/rules/sigma/powershell/powershell_script/powershell_timestomp.yml +++ b/rules/sigma/powershell/powershell_script/powershell_timestomp.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.006 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml index ac71ad5c..248e37fb 100644 --- a/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml +++ b/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.013 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_web_request.yml b/rules/sigma/powershell/powershell_script/powershell_web_request.yml index eb71f58e..e89ed7d2 100644 --- a/rules/sigma/powershell/powershell_script/powershell_web_request.yml +++ b/rules/sigma/powershell/powershell_script/powershell_web_request.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml index f04b14e1..b3c3407f 100644 --- a/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml +++ b/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml index 64455fed..240bbc16 100644 --- a/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml +++ b/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1547.004 - attack.t1004 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml index b126f634..79a636c5 100644 --- a/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml +++ b/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml b/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml index 94014edb..f5238541 100644 --- a/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml +++ b/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml @@ -42,3 +42,4 @@ tags: - attack.t1047 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml b/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml index 2e1b415e..f2c73c44 100644 --- a/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml +++ b/rules/sigma/process_access/sysmon_cmstp_execution_by_access.yml @@ -35,3 +35,4 @@ tags: - attack.g0069 - attack.g0080 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml b/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml index 0aaa09de..afd66cae 100644 --- a/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml +++ b/rules/sigma/process_access/sysmon_cobaltstrike_bof_injection_pattern.yml @@ -30,3 +30,4 @@ tags: - attack.t1106 - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml index 35a34ac3..0ae109eb 100644 --- a/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml @@ -76,3 +76,4 @@ tags: - attack.t1003 - attack.s0002 - car.2019-04-004 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml b/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml index 00bce1d0..f09a794a 100644 --- a/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml +++ b/rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml b/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml index e52f3b8b..355b3989 100644 --- a/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml @@ -77,3 +77,4 @@ tags: - attack.t1055.001 - attack.t1055.002 - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_invoke_phantom.yml b/rules/sigma/process_access/sysmon_invoke_phantom.yml index 390ac4fc..d14366e3 100644 --- a/rules/sigma/process_access/sysmon_invoke_phantom.yml +++ b/rules/sigma/process_access/sysmon_invoke_phantom.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1562.002 - attack.t1089 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml index c7344327..7bc875ac 100644 --- a/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_lazagne_cred_dump_lsass_access.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.s0349 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml b/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml index 70671a30..2b9ac073 100644 --- a/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml +++ b/rules/sigma/process_access/sysmon_littlecorporal_generated_maldoc.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1204.002 - attack.t1055.003 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 5bc48ff5..a00d411e 100644 --- a/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/sigma/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 1797721a..6b77f92f 100644 --- a/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_lsass_memdump.yml b/rules/sigma/process_access/sysmon_lsass_memdump.yml index 0d7e7e72..66f25dbf 100644 --- a/rules/sigma/process_access/sysmon_lsass_memdump.yml +++ b/rules/sigma/process_access/sysmon_lsass_memdump.yml @@ -32,3 +32,4 @@ tags: - attack.t1003.001 - attack.t1003 - attack.s0002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml index 3ad5ee8f..f8a9ecc7 100644 --- a/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml +++ b/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml index 7a508673..9aab467d 100644 --- a/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml +++ b/rules/sigma/process_access/sysmon_mimikatz_trough_winrm.yml @@ -34,3 +34,4 @@ tags: - attack.t1021.006 - attack.t1028 - attack.s0002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml b/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml index 0b85033c..8fe3d37a 100644 --- a/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml +++ b/rules/sigma/process_access/sysmon_pypykatz_cred_dump_lsass_access.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_svchost_cred_dump.yml b/rules/sigma/process_access/sysmon_svchost_cred_dump.yml index c796d818..a1e494f6 100644 --- a/rules/sigma/process_access/sysmon_svchost_cred_dump.yml +++ b/rules/sigma/process_access/sysmon_svchost_cred_dump.yml @@ -26,3 +26,4 @@ logsource: status: experimental tags: - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml b/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml index 95c8faa9..1f6c6daf 100644 --- a/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml +++ b/rules/sigma/process_access/sysmon_uac_bypass_wow64_logger.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml index 1be3400d..34870643 100644 --- a/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml +++ b/rules/sigma/process_access/win_susp_shell_spawn_from_winrm.yml @@ -33,3 +33,4 @@ tags: - attack.initial_access - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml b/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml index 4ed438a4..cf0531cc 100644 --- a/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml +++ b/rules/sigma/process_creation/process_creation_abusing_windows_telemetry_for_persistence.yml @@ -35,3 +35,4 @@ tags: - attack.persistence - attack.t1112 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml b/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml index cbe02627..eab10a4b 100644 --- a/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml +++ b/rules/sigma/process_creation/process_creation_advanced_ip_scanner.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.discovery - attack.t1046 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_alternate_data_streams.yml b/rules/sigma/process_creation/process_creation_alternate_data_streams.yml index 77dcc021..4be82e88 100644 --- a/rules/sigma/process_creation/process_creation_alternate_data_streams.yml +++ b/rules/sigma/process_creation/process_creation_alternate_data_streams.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_gallium.yml b/rules/sigma/process_creation/process_creation_apt_gallium.yml index 534b8a8a..0967bca2 100644 --- a/rules/sigma/process_creation/process_creation_apt_gallium.yml +++ b/rules/sigma/process_creation/process_creation_apt_gallium.yml @@ -35,3 +35,4 @@ tags: - attack.t1212 - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml b/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml index 9d162292..ee1c1436 100644 --- a/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml +++ b/rules/sigma/process_creation/process_creation_apt_gallium_sha1.yml @@ -46,3 +46,4 @@ tags: - attack.t1212 - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_pandemic.yml b/rules/sigma/process_creation/process_creation_apt_pandemic.yml index ddf58638..b6dc70b1 100644 --- a/rules/sigma/process_creation/process_creation_apt_pandemic.yml +++ b/rules/sigma/process_creation/process_creation_apt_pandemic.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_slingshot.yml b/rules/sigma/process_creation/process_creation_apt_slingshot.yml index ac825e03..0ea4e96b 100644 --- a/rules/sigma/process_creation/process_creation_apt_slingshot.yml +++ b/rules/sigma/process_creation/process_creation_apt_slingshot.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1053.005 - attack.s0111 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml b/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml index 8b67f48a..0fa9ba89 100644 --- a/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml +++ b/rules/sigma/process_creation/process_creation_apt_turla_commands_critical.yml @@ -33,3 +33,4 @@ tags: - attack.discovery - attack.t1083 - attack.t1135 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_apt_wocao.yml b/rules/sigma/process_creation/process_creation_apt_wocao.yml index 89e3ba6a..42ee3340 100644 --- a/rules/sigma/process_creation/process_creation_apt_wocao.yml +++ b/rules/sigma/process_creation/process_creation_apt_wocao.yml @@ -46,3 +46,4 @@ tags: - attack.t1053 - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_automated_collection.yml b/rules/sigma/process_creation/process_creation_automated_collection.yml index 156d4a86..00aac6e1 100644 --- a/rules/sigma/process_creation/process_creation_automated_collection.yml +++ b/rules/sigma/process_creation/process_creation_automated_collection.yml @@ -43,3 +43,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml index bc1e8098..4a6ed644 100644 --- a/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml +++ b/rules/sigma/process_creation/process_creation_c3_load_by_rundll32.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_certoc_execution.yml b/rules/sigma/process_creation/process_creation_certoc_execution.yml index 95610712..7dac646f 100644 --- a/rules/sigma/process_creation/process_creation_certoc_execution.yml +++ b/rules/sigma/process_creation/process_creation_certoc_execution.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_clip.yml b/rules/sigma/process_creation/process_creation_clip.yml index bf91eaa3..d39b8b6d 100644 --- a/rules/sigma/process_creation/process_creation_clip.yml +++ b/rules/sigma/process_creation/process_creation_clip.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.collection - attack.t1115 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml index d44fdbef..df1125b3 100644 --- a/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml +++ b/rules/sigma/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml b/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml index 7650a607..c9d5b758 100644 --- a/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml +++ b/rules/sigma/process_creation/process_creation_conti_cmd_ransomware.yml @@ -35,3 +35,4 @@ tags: - attack.impact - attack.s0575 - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml b/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml index ff4a5dd9..8545f587 100644 --- a/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml +++ b/rules/sigma/process_creation/process_creation_coti_sqlcmd.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.collection - attack.t1005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_discover_private_keys.yml b/rules/sigma/process_creation/process_creation_discover_private_keys.yml index 4123a159..c5aec594 100644 --- a/rules/sigma/process_creation/process_creation_discover_private_keys.yml +++ b/rules/sigma/process_creation/process_creation_discover_private_keys.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml b/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml index d8758df3..f5d7e1d5 100644 --- a/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml +++ b/rules/sigma/process_creation/process_creation_dns_serverlevelplugindll.yml @@ -41,3 +41,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_dotnet.yml b/rules/sigma/process_creation/process_creation_dotnet.yml index 05f07ba5..b2baa7f7 100644 --- a/rules/sigma/process_creation/process_creation_dotnet.yml +++ b/rules/sigma/process_creation/process_creation_dotnet.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_hack_dumpert.yml b/rules/sigma/process_creation/process_creation_hack_dumpert.yml index 99503438..6abc5f87 100644 --- a/rules/sigma/process_creation/process_creation_hack_dumpert.yml +++ b/rules/sigma/process_creation/process_creation_hack_dumpert.yml @@ -26,3 +26,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_infdefaultinstall.yml b/rules/sigma/process_creation/process_creation_infdefaultinstall.yml index b808f3ef..e9719186 100644 --- a/rules/sigma/process_creation/process_creation_infdefaultinstall.yml +++ b/rules/sigma/process_creation/process_creation_infdefaultinstall.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml index 2692492b..1367d099 100644 --- a/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/sigma/process_creation/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml b/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml index 9dd2c465..94f98b21 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_by_office_applications.yml @@ -37,3 +37,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml index 790bf9e7..88769ec9 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -43,3 +43,4 @@ tags: - attack.persistence - attack.t1547 - attack.t1547.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml b/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml index f8b861d1..acf5eb79 100644 --- a/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/sigma/process_creation/process_creation_lolbins_with_wmiprvse_parent_process.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_msdeploy.yml b/rules/sigma/process_creation/process_creation_msdeploy.yml index 830f1258..69ef9452 100644 --- a/rules/sigma/process_creation/process_creation_msdeploy.yml +++ b/rules/sigma/process_creation/process_creation_msdeploy.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml b/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml index ffa12c65..9cb05479 100644 --- a/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml +++ b/rules/sigma/process_creation/process_creation_office_applications_spawning_wmi_commandline.yml @@ -40,3 +40,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml index 5b6bdf31..cc1f0913 100644 --- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload.yml @@ -56,3 +56,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml index 763db361..91572efc 100644 --- a/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/sigma/process_creation/process_creation_office_from_proxy_executing_regsvr32_payload2.yml @@ -52,3 +52,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml b/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml index 91b26d77..7182ab78 100644 --- a/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml +++ b/rules/sigma/process_creation/process_creation_office_spawning_wmi_commandline.yml @@ -35,3 +35,4 @@ tags: - attack.t1218.010 - attack.execution - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_pingback_backdoor.yml b/rules/sigma/process_creation/process_creation_pingback_backdoor.yml index 864e6773..bf876d96 100644 --- a/rules/sigma/process_creation/process_creation_pingback_backdoor.yml +++ b/rules/sigma/process_creation/process_creation_pingback_backdoor.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.persistence - attack.t1574.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml b/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml index 08ee1334..4fe2de3c 100644 --- a/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml +++ b/rules/sigma/process_creation/process_creation_protocolhandler_suspicious_file.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_root_certificate_installed.yml b/rules/sigma/process_creation/process_creation_root_certificate_installed.yml index 5d17a358..8f1f9e5c 100644 --- a/rules/sigma/process_creation/process_creation_root_certificate_installed.yml +++ b/rules/sigma/process_creation/process_creation_root_certificate_installed.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1553.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sdelete.yml b/rules/sigma/process_creation/process_creation_sdelete.yml index 863a6111..9c1c5782 100644 --- a/rules/sigma/process_creation/process_creation_sdelete.yml +++ b/rules/sigma/process_creation/process_creation_sdelete.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.impact - attack.t1485 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_software_discovery.yml b/rules/sigma/process_creation/process_creation_software_discovery.yml index 4225cf8a..1a1e28de 100644 --- a/rules/sigma/process_creation/process_creation_software_discovery.yml +++ b/rules/sigma/process_creation/process_creation_software_discovery.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.discovery - attack.t1518 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml index 09dca05f..a1fe0c99 100644 --- a/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml +++ b/rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml @@ -42,3 +42,4 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_stordiag_execution.yml b/rules/sigma/process_creation/process_creation_stordiag_execution.yml index d6873cdb..b6267d45 100644 --- a/rules/sigma/process_creation/process_creation_stordiag_execution.yml +++ b/rules/sigma/process_creation/process_creation_stordiag_execution.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_7z.yml b/rules/sigma/process_creation/process_creation_susp_7z.yml index 89b4264d..ff8267b8 100644 --- a/rules/sigma/process_creation/process_creation_susp_7z.yml +++ b/rules/sigma/process_creation/process_creation_susp_7z.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml b/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml index 6db8e7ed..dc04c42b 100644 --- a/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/sigma/process_creation/process_creation_susp_athremotefxvgpudisablementcommand.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_del.yml b/rules/sigma/process_creation/process_creation_susp_del.yml index 0fe3665d..1790d924 100644 --- a/rules/sigma/process_creation/process_creation_susp_del.yml +++ b/rules/sigma/process_creation/process_creation_susp_del.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_recon.yml b/rules/sigma/process_creation/process_creation_susp_recon.yml index 07c6cc1d..a792eff4 100644 --- a/rules/sigma/process_creation/process_creation_susp_recon.yml +++ b/rules/sigma/process_creation/process_creation_susp_recon.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.collection - attack.t1119 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml b/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml index 1e41f6fa..8f5aec97 100644 --- a/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml +++ b/rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml @@ -32,3 +32,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_winzip.yml b/rules/sigma/process_creation/process_creation_susp_winzip.yml index 6d165697..007fa229 100644 --- a/rules/sigma/process_creation/process_creation_susp_winzip.yml +++ b/rules/sigma/process_creation/process_creation_susp_winzip.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_susp_zip_compress.yml b/rules/sigma/process_creation/process_creation_susp_zip_compress.yml index 4afc6d49..cf49b7fb 100644 --- a/rules/sigma/process_creation/process_creation_susp_zip_compress.yml +++ b/rules/sigma/process_creation/process_creation_susp_zip_compress.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.collection - attack.t1074.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml index 9979f413..b48a3851 100644 --- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml +++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_execute_arbitrary_powershell.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml index 3472d02b..ddcfe6b3 100644 --- a/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml +++ b/rules/sigma/process_creation/process_creation_syncappvpublishingserver_vbs_execute_powershell.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml b/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml index e7722dd8..c49444eb 100644 --- a/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml +++ b/rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml b/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml index 23ca6e38..c27690b3 100644 --- a/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml +++ b/rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml @@ -35,3 +35,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_tool_psexec.yml b/rules/sigma/process_creation/process_creation_tool_psexec.yml index 4476fa14..b4fe39f7 100644 --- a/rules/sigma/process_creation/process_creation_tool_psexec.yml +++ b/rules/sigma/process_creation/process_creation_tool_psexec.yml @@ -40,3 +40,4 @@ tags: - attack.t1035 - attack.t1569.002 - attack.s0029 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml b/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml index 93108f3d..cf9f59a7 100644 --- a/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml +++ b/rules/sigma/process_creation/process_creation_win_exchange_transportagent.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.persistence - attack.t1505.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_mailboxexport_share.yml b/rules/sigma/process_creation/process_mailboxexport_share.yml index 95071c03..c4a35ae4 100644 --- a/rules/sigma/process_creation/process_mailboxexport_share.yml +++ b/rules/sigma/process_creation/process_mailboxexport_share.yml @@ -34,3 +34,4 @@ tags: - attack.t1505.003 - attack.resource_development - attack.t1584.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/process_susp_esentutl_params.yml b/rules/sigma/process_creation/process_susp_esentutl_params.yml index c1f06134..ccc58671 100644 --- a/rules/sigma/process_creation/process_susp_esentutl_params.yml +++ b/rules/sigma/process_creation/process_susp_esentutl_params.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.t1003 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml b/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml index 810a8011..9215cda1 100644 --- a/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml index 5e6561e5..fd2a7a4c 100644 --- a/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml +++ b/rules/sigma/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.discovery - attack.t1069.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index fdd4403a..3c06a9f7 100644 --- a/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml +++ b/rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml index 911fc9aa..17f1e102 100644 --- a/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml +++ b/rules/sigma/process_creation/sysmon_always_install_elevated_windows_installer.yml @@ -44,3 +44,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml b/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml index 3e0b8cdb..9bf4d4d0 100644 --- a/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml +++ b/rules/sigma/process_creation/sysmon_apt_muddywater_dnstunnel.yml @@ -31,3 +31,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_apt_sourgrum.yml b/rules/sigma/process_creation/sysmon_apt_sourgrum.yml index eddf6811..ceaa4d59 100644 --- a/rules/sigma/process_creation/sysmon_apt_sourgrum.yml +++ b/rules/sigma/process_creation/sysmon_apt_sourgrum.yml @@ -46,3 +46,4 @@ tags: - attack.t1546.015 - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml b/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml index 33f81cd8..f4143416 100644 --- a/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml +++ b/rules/sigma/process_creation/sysmon_atlassian_confluence_cve_2021_26084_exploit.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1190 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml b/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml index f03dc1eb..e3fc5185 100644 --- a/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml +++ b/rules/sigma/process_creation/sysmon_cmstp_execution_by_creation.yml @@ -32,3 +32,4 @@ tags: - attack.t1218.003 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml b/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml index 28c3af54..fd4eac65 100644 --- a/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml +++ b/rules/sigma/process_creation/sysmon_creation_mavinject_dll.yml @@ -35,3 +35,4 @@ tags: - attack.collection - attack.t1218 - attack.t1056.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml b/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml index 09ae9bbd..61289f3f 100644 --- a/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml +++ b/rules/sigma/process_creation/sysmon_cve_2021_26857_msexchange.yml @@ -29,3 +29,4 @@ tags: - attack.t1203 - attack.execution - cve.2021.26857 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml b/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml index 9a05f81f..5709c9ed 100644 --- a/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml +++ b/rules/sigma/process_creation/sysmon_expand_cabinet_files.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_hack_wce.yml b/rules/sigma/process_creation/sysmon_hack_wce.yml index e8a75801..82dfe65a 100644 --- a/rules/sigma/process_creation/sysmon_hack_wce.yml +++ b/rules/sigma/process_creation/sysmon_hack_wce.yml @@ -36,3 +36,4 @@ tags: - attack.t1003 - attack.t1003.001 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml b/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml index 92ec9d82..33d3d0e0 100644 --- a/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml +++ b/rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 4c4689fc..a2df47f8 100644 --- a/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -36,3 +36,4 @@ tags: - attack.t1037 - attack.t1037.001 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml b/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml index 13385e3f..ee4a0ca8 100644 --- a/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/sigma/process_creation/sysmon_long_powershell_commandline.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_netcat_execution.yml b/rules/sigma/process_creation/sysmon_netcat_execution.yml index b3a01fae..242c674d 100644 --- a/rules/sigma/process_creation/sysmon_netcat_execution.yml +++ b/rules/sigma/process_creation/sysmon_netcat_execution.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.command_and_control - attack.t1095 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml index 772e528c..37d18933 100644 --- a/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml +++ b/rules/sigma/process_creation/sysmon_proxy_execution_wuauclt.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml b/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml index 2cfdf710..c4b39b89 100644 --- a/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml +++ b/rules/sigma/process_creation/sysmon_remove_windows_defender_definition_files.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_sdclt_child_process.yml b/rules/sigma/process_creation/sysmon_sdclt_child_process.yml index 6f3c9696..0a418ffa 100644 --- a/rules/sigma/process_creation/sysmon_sdclt_child_process.yml +++ b/rules/sigma/process_creation/sysmon_sdclt_child_process.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml b/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml index 70e384ab..61e241f0 100644 --- a/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml +++ b/rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml @@ -27,3 +27,4 @@ tags: - attack.t1572 - attack.lateral_movement - attack.t1021.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_service_modification.yml b/rules/sigma/process_creation/sysmon_susp_service_modification.yml index f13fd76e..1071bf85 100644 --- a/rules/sigma/process_creation/sysmon_susp_service_modification.yml +++ b/rules/sigma/process_creation/sysmon_susp_service_modification.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml index b5323fd2..73749f55 100644 --- a/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml +++ b/rules/sigma/process_creation/sysmon_susp_webdav_client_execution.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml b/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml index cae61af4..1499249b 100644 --- a/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml +++ b/rules/sigma/process_creation/sysmon_uninstall_crowdstrike_falcon.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml index 291620cc..ed1f4445 100644 --- a/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml +++ b/rules/sigma/process_creation/sysmon_vmtoolsd_susp_child_process.yml @@ -43,3 +43,4 @@ tags: - attack.execution - attack.persistence - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml index 37e65b4e..da3e6907 100644 --- a/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml +++ b/rules/sigma/process_creation/wim_pc_apt_chafer_mar18.yml @@ -56,3 +56,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_ad_find_discovery.yml b/rules/sigma/process_creation/win_ad_find_discovery.yml index 88760312..3b96b582 100644 --- a/rules/sigma/process_creation/win_ad_find_discovery.yml +++ b/rules/sigma/process_creation/win_ad_find_discovery.yml @@ -45,3 +45,4 @@ tags: - attack.discovery - attack.t1482 - attack.t1018 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_anydesk_silent_install.yml b/rules/sigma/process_creation/win_anydesk_silent_install.yml index 1a6558b0..d9b25886 100644 --- a/rules/sigma/process_creation/win_anydesk_silent_install.yml +++ b/rules/sigma/process_creation/win_anydesk_silent_install.yml @@ -31,3 +31,4 @@ references: status: experimental tags: - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml b/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml index 4b1f78bc..c177046d 100644 --- a/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/sigma/process_creation/win_apt_apt29_thinktanks.yml @@ -34,3 +34,4 @@ tags: - attack.t1086 - attack.t1059 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_babyshark.yml b/rules/sigma/process_creation/win_apt_babyshark.yml index e4cf610c..82ca8b98 100644 --- a/rules/sigma/process_creation/win_apt_babyshark.yml +++ b/rules/sigma/process_creation/win_apt_babyshark.yml @@ -35,3 +35,4 @@ tags: - attack.t1170 - attack.t1218 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml b/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml index de569e2f..8f4aebb7 100644 --- a/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml +++ b/rules/sigma/process_creation/win_apt_bear_activity_gtr19.yml @@ -49,3 +49,4 @@ tags: - attack.t1003 - attack.t1552.001 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_bluemashroom.yml b/rules/sigma/process_creation/win_apt_bluemashroom.yml index 1aa02e81..9a1f2087 100644 --- a/rules/sigma/process_creation/win_apt_bluemashroom.yml +++ b/rules/sigma/process_creation/win_apt_bluemashroom.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1117 - attack.t1218.010 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_cloudhopper.yml b/rules/sigma/process_creation/win_apt_cloudhopper.yml index 26350656..498e0741 100644 --- a/rules/sigma/process_creation/win_apt_cloudhopper.yml +++ b/rules/sigma/process_creation/win_apt_cloudhopper.yml @@ -31,3 +31,4 @@ tags: - attack.g0045 - attack.t1064 - attack.t1059.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_dragonfly.yml b/rules/sigma/process_creation/win_apt_dragonfly.yml index f16b484a..19c329c2 100644 --- a/rules/sigma/process_creation/win_apt_dragonfly.yml +++ b/rules/sigma/process_creation/win_apt_dragonfly.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1110 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_elise.yml b/rules/sigma/process_creation/win_apt_elise.yml index d0f2dd4f..8e1df888 100644 --- a/rules/sigma/process_creation/win_apt_elise.yml +++ b/rules/sigma/process_creation/win_apt_elise.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1059 - attack.t1059.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml b/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml index ebb10f90..b3c8762a 100644 --- a/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/sigma/process_creation/win_apt_emissarypanda_sep19.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_empiremonkey.yml b/rules/sigma/process_creation/win_apt_empiremonkey.yml index 8f2f5198..ca014a07 100644 --- a/rules/sigma/process_creation/win_apt_empiremonkey.yml +++ b/rules/sigma/process_creation/win_apt_empiremonkey.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml index 9fae02a4..7dad647a 100644 --- a/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/sigma/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_evilnum_jul20.yml b/rules/sigma/process_creation/win_apt_evilnum_jul20.yml index 41625fdd..04e2de66 100644 --- a/rules/sigma/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/sigma/process_creation/win_apt_evilnum_jul20.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_greenbug_may20.yml b/rules/sigma/process_creation/win_apt_greenbug_may20.yml index 264040d5..3a2b5fcc 100644 --- a/rules/sigma/process_creation/win_apt_greenbug_may20.yml +++ b/rules/sigma/process_creation/win_apt_greenbug_may20.yml @@ -60,3 +60,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_hafnium.yml b/rules/sigma/process_creation/win_apt_hafnium.yml index 7f34eaad..4d358ba9 100644 --- a/rules/sigma/process_creation/win_apt_hafnium.yml +++ b/rules/sigma/process_creation/win_apt_hafnium.yml @@ -91,3 +91,4 @@ tags: - attack.persistence - attack.t1546 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_hurricane_panda.yml b/rules/sigma/process_creation/win_apt_hurricane_panda.yml index 2eb25834..038fcd00 100644 --- a/rules/sigma/process_creation/win_apt_hurricane_panda.yml +++ b/rules/sigma/process_creation/win_apt_hurricane_panda.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.g0009 - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml index 4d6b8aca..8716625c 100644 --- a/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/sigma/process_creation/win_apt_judgement_panda_gtr19.yml @@ -41,3 +41,4 @@ tags: - attack.exfiltration - attack.t1002 - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml b/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml index a3c317a8..4c38a72f 100644 --- a/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml +++ b/rules/sigma/process_creation/win_apt_ke3chang_regadd.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml index 6907dd89..aca32e54 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_activity_apr21.yml @@ -40,3 +40,4 @@ tags: - attack.g0032 - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml index 048988b7..963ec7e1 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_activity_dec20.yml @@ -43,3 +43,4 @@ tags: - attack.g0032 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_loader.yml b/rules/sigma/process_creation/win_apt_lazarus_loader.yml index 0db05a88..2f7eaa47 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_loader.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_loader.yml @@ -45,3 +45,4 @@ tags: - attack.g0032 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml b/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml index 10d97282..5fc99293 100644 --- a/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/sigma/process_creation/win_apt_lazarus_session_highjack.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_mustangpanda.yml b/rules/sigma/process_creation/win_apt_mustangpanda.yml index 868b160f..6050d061 100644 --- a/rules/sigma/process_creation/win_apt_mustangpanda.yml +++ b/rules/sigma/process_creation/win_apt_mustangpanda.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_revil_kaseya.yml b/rules/sigma/process_creation/win_apt_revil_kaseya.yml index cdadc9c4..4cfc6311 100644 --- a/rules/sigma/process_creation/win_apt_revil_kaseya.yml +++ b/rules/sigma/process_creation/win_apt_revil_kaseya.yml @@ -46,3 +46,4 @@ tags: - attack.execution - attack.t1059 - attack.g0115 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_sofacy.yml b/rules/sigma/process_creation/win_apt_sofacy.yml index 3ad219ac..508d3142 100644 --- a/rules/sigma/process_creation/win_apt_sofacy.yml +++ b/rules/sigma/process_creation/win_apt_sofacy.yml @@ -37,3 +37,4 @@ tags: - attack.t1085 - car.2013-10-002 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml b/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml index 87d4cf80..35ac8106 100644 --- a/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml +++ b/rules/sigma/process_creation/win_apt_ta17_293a_ps.yml @@ -27,3 +27,4 @@ tags: - attack.t1036 - attack.t1036.003 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_ta505_dropper.yml b/rules/sigma/process_creation/win_apt_ta505_dropper.yml index 300c5997..85b9c709 100644 --- a/rules/sigma/process_creation/win_apt_ta505_dropper.yml +++ b/rules/sigma/process_creation/win_apt_ta505_dropper.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.g0092 - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_taidoor.yml b/rules/sigma/process_creation/win_apt_taidoor.yml index ebe10664..e8dca757 100644 --- a/rules/sigma/process_creation/win_apt_taidoor.yml +++ b/rules/sigma/process_creation/win_apt_taidoor.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1055 - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_tropictrooper.yml b/rules/sigma/process_creation/win_apt_tropictrooper.yml index badba166..bec37578 100644 --- a/rules/sigma/process_creation/win_apt_tropictrooper.yml +++ b/rules/sigma/process_creation/win_apt_tropictrooper.yml @@ -23,3 +23,4 @@ tags: - attack.execution - attack.t1059 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml b/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml index 62912b86..8e90dafe 100644 --- a/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml +++ b/rules/sigma/process_creation/win_apt_turla_comrat_may20.yml @@ -35,3 +35,4 @@ tags: - attack.t1053 - attack.t1053.005 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unc2452_cmds.yml b/rules/sigma/process_creation/win_apt_unc2452_cmds.yml index a20216d6..c20f6136 100644 --- a/rules/sigma/process_creation/win_apt_unc2452_cmds.yml +++ b/rules/sigma/process_creation/win_apt_unc2452_cmds.yml @@ -58,3 +58,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unc2452_ps.yml b/rules/sigma/process_creation/win_apt_unc2452_ps.yml index 905477c0..5557f436 100644 --- a/rules/sigma/process_creation/win_apt_unc2452_ps.yml +++ b/rules/sigma/process_creation/win_apt_unc2452_ps.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml b/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml index ed9f69de..96679043 100644 --- a/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/sigma/process_creation/win_apt_unidentified_nov_18.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml index bc531f20..4782d153 100644 --- a/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/sigma/process_creation/win_apt_winnti_mal_hk_jan20.yml @@ -44,3 +44,4 @@ tags: - attack.t1574.002 - attack.t1073 - attack.g0044 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_winnti_pipemon.yml b/rules/sigma/process_creation/win_apt_winnti_pipemon.yml index f8228429..818a0ee9 100644 --- a/rules/sigma/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/sigma/process_creation/win_apt_winnti_pipemon.yml @@ -33,3 +33,4 @@ tags: - attack.t1574.002 - attack.t1073 - attack.g0044 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_apt_zxshell.yml b/rules/sigma/process_creation/win_apt_zxshell.yml index 5ffae81d..0aa5c7c1 100644 --- a/rules/sigma/process_creation/win_apt_zxshell.yml +++ b/rules/sigma/process_creation/win_apt_zxshell.yml @@ -37,3 +37,4 @@ tags: - attack.t1085 - attack.s0412 - attack.g0001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_attrib_hiding_files.yml b/rules/sigma/process_creation/win_attrib_hiding_files.yml index 55099e81..0549a0ea 100644 --- a/rules/sigma/process_creation/win_attrib_hiding_files.yml +++ b/rules/sigma/process_creation/win_attrib_hiding_files.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1564.001 - attack.t1158 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml index 70a4a4fb..b310fd90 100644 --- a/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml +++ b/rules/sigma/process_creation/win_bad_opsec_sacrificial_processes.yml @@ -61,3 +61,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bootconf_mod.yml b/rules/sigma/process_creation/win_bootconf_mod.yml index 3061bb34..e9974c56 100644 --- a/rules/sigma/process_creation/win_bootconf_mod.yml +++ b/rules/sigma/process_creation/win_bootconf_mod.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_bypass_squiblytwo.yml b/rules/sigma/process_creation/win_bypass_squiblytwo.yml index cf159c1a..b31bfe1e 100644 --- a/rules/sigma/process_creation/win_bypass_squiblytwo.yml +++ b/rules/sigma/process_creation/win_bypass_squiblytwo.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_change_default_file_association.yml b/rules/sigma/process_creation/win_change_default_file_association.yml index 39f864a9..b72876b5 100644 --- a/rules/sigma/process_creation/win_change_default_file_association.yml +++ b/rules/sigma/process_creation/win_change_default_file_association.yml @@ -41,3 +41,4 @@ tags: - attack.persistence - attack.t1546.001 - attack.t1042 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cl_invocation_lolscript.yml b/rules/sigma/process_creation/win_cl_invocation_lolscript.yml index ce9958b5..262f34e3 100644 --- a/rules/sigma/process_creation/win_cl_invocation_lolscript.yml +++ b/rules/sigma/process_creation/win_cl_invocation_lolscript.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml b/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml index 60cb6a2e..26620003 100644 --- a/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml +++ b/rules/sigma/process_creation/win_cl_mutexverifiers_lolscript.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_class_exec_xwizard.yml b/rules/sigma/process_creation/win_class_exec_xwizard.yml index 837d391b..878c7b0c 100644 --- a/rules/sigma/process_creation/win_class_exec_xwizard.yml +++ b/rules/sigma/process_creation/win_class_exec_xwizard.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cmdkey_recon.yml b/rules/sigma/process_creation/win_cmdkey_recon.yml index e84288c7..d1c691c0 100644 --- a/rules/sigma/process_creation/win_cmdkey_recon.yml +++ b/rules/sigma/process_creation/win_cmdkey_recon.yml @@ -31,3 +31,4 @@ tags: - attack.credential_access - attack.t1003.005 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cmstp_com_object_access.yml b/rules/sigma/process_creation/win_cmstp_com_object_access.yml index 68ed8434..9395e4d7 100644 --- a/rules/sigma/process_creation/win_cmstp_com_object_access.yml +++ b/rules/sigma/process_creation/win_cmstp_com_object_access.yml @@ -49,3 +49,4 @@ tags: - attack.t1191 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml b/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml index 4a1213e2..d6bfb229 100644 --- a/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_commandline_path_traversal.yml b/rules/sigma/process_creation/win_commandline_path_traversal.yml index a0a99b38..76761fbc 100644 --- a/rules/sigma/process_creation/win_commandline_path_traversal.yml +++ b/rules/sigma/process_creation/win_commandline_path_traversal.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.003 - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml b/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml index ebac3b47..4917ad2e 100644 --- a/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml +++ b/rules/sigma/process_creation/win_commandline_path_traversal_evasion.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_control_panel_item.yml b/rules/sigma/process_creation/win_control_panel_item.yml index f1374c3c..4082f179 100644 --- a/rules/sigma/process_creation/win_control_panel_item.yml +++ b/rules/sigma/process_creation/win_control_panel_item.yml @@ -40,3 +40,4 @@ tags: - attack.t1196 - attack.persistence - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml index 5eb389c0..68071bc1 100644 --- a/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml +++ b/rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml @@ -48,3 +48,4 @@ tags: - attack.t1003 - car.2013-07-001 - attack.s0404 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_credential_access_via_password_filter.yml b/rules/sigma/process_creation/win_credential_access_via_password_filter.yml index 501a3d7b..ae22133a 100644 --- a/rules/sigma/process_creation/win_credential_access_via_password_filter.yml +++ b/rules/sigma/process_creation/win_credential_access_via_password_filter.yml @@ -30,3 +30,4 @@ tags: - attack.credential_access - attack.t1174 - attack.t1556.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_fireball.yml b/rules/sigma/process_creation/win_crime_fireball.yml index 140d326c..0371bb23 100644 --- a/rules/sigma/process_creation/win_crime_fireball.yml +++ b/rules/sigma/process_creation/win_crime_fireball.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_maze_ransomware.yml b/rules/sigma/process_creation/win_crime_maze_ransomware.yml index 3634b66a..c11b6e56 100644 --- a/rules/sigma/process_creation/win_crime_maze_ransomware.yml +++ b/rules/sigma/process_creation/win_crime_maze_ransomware.yml @@ -49,3 +49,4 @@ tags: - attack.t1047 - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crime_snatch_ransomware.yml b/rules/sigma/process_creation/win_crime_snatch_ransomware.yml index 304681cb..85266602 100644 --- a/rules/sigma/process_creation/win_crime_snatch_ransomware.yml +++ b/rules/sigma/process_creation/win_crime_snatch_ransomware.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.execution - attack.t1204 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_crypto_mining_monero.yml b/rules/sigma/process_creation/win_crypto_mining_monero.yml index 5550b968..7a3725e1 100644 --- a/rules/sigma/process_creation/win_crypto_mining_monero.yml +++ b/rules/sigma/process_creation/win_crypto_mining_monero.yml @@ -38,3 +38,4 @@ status: stable tags: - attack.impact - attack.t1496 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_data_compressed_with_rar.yml b/rules/sigma/process_creation/win_data_compressed_with_rar.yml index dc31ae53..3b7efdcd 100644 --- a/rules/sigma/process_creation/win_data_compressed_with_rar.yml +++ b/rules/sigma/process_creation/win_data_compressed_with_rar.yml @@ -38,3 +38,4 @@ tags: - attack.t1002 - attack.collection - attack.t1560.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml index 81f72a7c..dc1724d6 100644 --- a/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml +++ b/rules/sigma/process_creation/win_detecting_fake_instances_of_hxtsr.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dll_sideload_xwizard.yml b/rules/sigma/process_creation/win_dll_sideload_xwizard.yml index bca98893..d53dc057 100644 --- a/rules/sigma/process_creation/win_dll_sideload_xwizard.yml +++ b/rules/sigma/process_creation/win_dll_sideload_xwizard.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml index a1443e87..cc5b35a5 100644 --- a/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/sigma/process_creation/win_dns_exfiltration_tools_execution.yml @@ -29,3 +29,4 @@ tags: - attack.t1071 - attack.t1132.001 - attack.t1132 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml b/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml index 2bd254fd..2ddfb8c3 100644 --- a/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml +++ b/rules/sigma/process_creation/win_dnscat2_powershell_implementation.yml @@ -38,3 +38,4 @@ tags: - attack.t1071.004 - attack.t1001.003 - attack.t1041 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_encoded_frombase64string.yml b/rules/sigma/process_creation/win_encoded_frombase64string.yml index 65092fcd..4cc92caa 100644 --- a/rules/sigma/process_creation/win_encoded_frombase64string.yml +++ b/rules/sigma/process_creation/win_encoded_frombase64string.yml @@ -30,3 +30,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_encoded_iex.yml b/rules/sigma/process_creation/win_encoded_iex.yml index 4443cc19..885fb7ca 100644 --- a/rules/sigma/process_creation/win_encoded_iex.yml +++ b/rules/sigma/process_creation/win_encoded_iex.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_etw_modification_cmdline.yml b/rules/sigma/process_creation/win_etw_modification_cmdline.yml index 376f80c9..415a5775 100644 --- a/rules/sigma/process_creation/win_etw_modification_cmdline.yml +++ b/rules/sigma/process_creation/win_etw_modification_cmdline.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_etw_trace_evasion.yml b/rules/sigma/process_creation/win_etw_trace_evasion.yml index b20be104..ab84d4b1 100644 --- a/rules/sigma/process_creation/win_etw_trace_evasion.yml +++ b/rules/sigma/process_creation/win_etw_trace_evasion.yml @@ -69,3 +69,4 @@ tags: - attack.t1070 - attack.t1562.006 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml index 944759ec..43ab45e3 100644 --- a/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml @@ -29,3 +29,4 @@ tags: - attack.t1041 - attack.t1572 - attack.t1071.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml b/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml index 260ed96d..f7793c7d 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2015_1641.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml b/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml index 32870701..81e9e369 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_0261.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml b/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml index b46045bb..4288080d 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_11882.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml b/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml index a2809398..9203d869 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2017_8759.yml @@ -32,3 +32,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml b/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml index 04975758..07fed794 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2019_1378.yml @@ -44,3 +44,4 @@ tags: - attack.t1059 - attack.t1574 - cve.2019.1378 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml b/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml index 7042ecbf..75c6a884 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2019_1388.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml b/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml index 9afb47b5..130e48b7 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_10189.yml @@ -36,3 +36,4 @@ tags: - attack.t1059 - attack.s0190 - cve.2020.10189 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml b/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml index 279fd128..fa227418 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_1048.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml b/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml index 86946aa0..e1dd17b2 100644 --- a/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml +++ b/rules/sigma/process_creation/win_exploit_cve_2020_1350.yml @@ -31,3 +31,4 @@ tags: - attack.t1190 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_exploit_systemnightmare.yml b/rules/sigma/process_creation/win_exploit_systemnightmare.yml index df133512..5903a73b 100644 --- a/rules/sigma/process_creation/win_exploit_systemnightmare.yml +++ b/rules/sigma/process_creation/win_exploit_systemnightmare.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_file_permission_modifications.yml b/rules/sigma/process_creation/win_file_permission_modifications.yml index caad29f5..8a3d6c92 100644 --- a/rules/sigma/process_creation/win_file_permission_modifications.yml +++ b/rules/sigma/process_creation/win_file_permission_modifications.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1222.001 - attack.t1222 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml index 8f30c99a..8e25fec6 100644 --- a/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/sigma/process_creation/win_grabbing_sensitive_hives_via_reg.yml @@ -53,3 +53,4 @@ tags: - attack.t1003.005 - attack.t1003 - car.2013-07-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_adcspwn.yml b/rules/sigma/process_creation/win_hack_adcspwn.yml index 43a825dd..2ef74deb 100644 --- a/rules/sigma/process_creation/win_hack_adcspwn.yml +++ b/rules/sigma/process_creation/win_hack_adcspwn.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.credential_access - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_bloodhound.yml b/rules/sigma/process_creation/win_hack_bloodhound.yml index d3da3091..82f12d3a 100644 --- a/rules/sigma/process_creation/win_hack_bloodhound.yml +++ b/rules/sigma/process_creation/win_hack_bloodhound.yml @@ -51,3 +51,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_koadic.yml b/rules/sigma/process_creation/win_hack_koadic.yml index eead4fd1..d3908f08 100644 --- a/rules/sigma/process_creation/win_hack_koadic.yml +++ b/rules/sigma/process_creation/win_hack_koadic.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_rubeus.yml b/rules/sigma/process_creation/win_hack_rubeus.yml index 5c15df58..5ac072d5 100644 --- a/rules/sigma/process_creation/win_hack_rubeus.yml +++ b/rules/sigma/process_creation/win_hack_rubeus.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1550.003 - attack.t1097 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hack_secutyxploded.yml b/rules/sigma/process_creation/win_hack_secutyxploded.yml index 26c695ef..c529e825 100644 --- a/rules/sigma/process_creation/win_hack_secutyxploded.yml +++ b/rules/sigma/process_creation/win_hack_secutyxploded.yml @@ -30,3 +30,4 @@ tags: - attack.t1555 - attack.t1003 - attack.t1503 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hh_chm.yml b/rules/sigma/process_creation/win_hh_chm.yml index 679fd8a6..eaf5952d 100644 --- a/rules/sigma/process_creation/win_hh_chm.yml +++ b/rules/sigma/process_creation/win_hh_chm.yml @@ -32,3 +32,4 @@ tags: - attack.t1218.001 - attack.execution - attack.t1223 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml index 585eb4a5..92efeb1c 100644 --- a/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml +++ b/rules/sigma/process_creation/win_hiding_malware_in_fonts_folder.yml @@ -32,3 +32,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hktl_createminidump.yml b/rules/sigma/process_creation/win_hktl_createminidump.yml index e24d8d32..3b749c27 100644 --- a/rules/sigma/process_creation/win_hktl_createminidump.yml +++ b/rules/sigma/process_creation/win_hktl_createminidump.yml @@ -27,3 +27,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml b/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml index 46f9e476..d6c5058b 100644 --- a/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml +++ b/rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_html_help_spawn.yml b/rules/sigma/process_creation/win_html_help_spawn.yml index f16b4fb7..b2afb198 100644 --- a/rules/sigma/process_creation/win_html_help_spawn.yml +++ b/rules/sigma/process_creation/win_html_help_spawn.yml @@ -45,3 +45,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_hwp_exploits.yml b/rules/sigma/process_creation/win_hwp_exploits.yml index 5900bb75..750d8b15 100644 --- a/rules/sigma/process_creation/win_hwp_exploits.yml +++ b/rules/sigma/process_creation/win_hwp_exploits.yml @@ -36,3 +36,4 @@ tags: - attack.t1059.003 - attack.t1059 - attack.g0032 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_impacket_compiled_tools.yml b/rules/sigma/process_creation/win_impacket_compiled_tools.yml index 5653b928..3ff46142 100644 --- a/rules/sigma/process_creation/win_impacket_compiled_tools.yml +++ b/rules/sigma/process_creation/win_impacket_compiled_tools.yml @@ -60,3 +60,4 @@ status: experimental tags: - attack.execution - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_impacket_lateralization.yml b/rules/sigma/process_creation/win_impacket_lateralization.yml index 6f157258..a9a1598c 100644 --- a/rules/sigma/process_creation/win_impacket_lateralization.yml +++ b/rules/sigma/process_creation/win_impacket_lateralization.yml @@ -56,3 +56,4 @@ tags: - attack.t1175 - attack.t1021.003 - attack.t1021 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_indirect_cmd.yml b/rules/sigma/process_creation/win_indirect_cmd.yml index e7e6de9d..a8e83504 100644 --- a/rules/sigma/process_creation/win_indirect_cmd.yml +++ b/rules/sigma/process_creation/win_indirect_cmd.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml index 03b99b13..0515a198 100644 --- a/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml +++ b/rules/sigma/process_creation/win_indirect_cmd_compatibility_assistant.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml b/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml index 5fba8e96..90e4a59c 100644 --- a/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/sigma/process_creation/win_install_reg_debugger_backdoor.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1546.008 - attack.t1015 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_interactive_at.yml b/rules/sigma/process_creation/win_interactive_at.yml index 7e2c101c..f6edcbce 100644 --- a/rules/sigma/process_creation/win_interactive_at.yml +++ b/rules/sigma/process_creation/win_interactive_at.yml @@ -32,3 +32,4 @@ tags: - attack.privilege_escalation - attack.t1053.002 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml b/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml index 6638eeac..10be869f 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_clip.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml index a95029dd..6e8d96aa 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -38,3 +38,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml b/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml index fef0cadc..560f1daa 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_stdin.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_var.yml b/rules/sigma/process_creation/win_invoke_obfuscation_var.yml index 5479f07a..71dec6bf 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_var.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_var.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml index 34f30fa7..ac865dda 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_compress.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml index dedb22ae..fc36204c 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_rundll.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml index 8cee1ab8..893c5d97 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_stdin.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml index dc8943f5..1fecd4f8 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index b737c688..cbc56261 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_mhsta.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 6a2a7b9a..5dc8f6d9 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml b/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml index 13ded1d9..04549739 100644 --- a/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml +++ b/rules/sigma/process_creation/win_invoke_obfuscation_via_var.yml @@ -24,3 +24,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lethalhta.yml b/rules/sigma/process_creation/win_lethalhta.yml index 3a621ee0..a8b24a15 100644 --- a/rules/sigma/process_creation/win_lethalhta.yml +++ b/rules/sigma/process_creation/win_lethalhta.yml @@ -27,3 +27,4 @@ tags: - attack.t1218.005 - attack.execution - attack.t1170 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml b/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml index 06cc042c..3108ad6f 100644 --- a/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/sigma/process_creation/win_local_system_owner_account_discovery.yml @@ -78,3 +78,4 @@ tags: - attack.t1033 - attack.t1087.001 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml index e3af2ec2..9e96d554 100644 --- a/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml +++ b/rules/sigma/process_creation/win_lolbas_execution_of_wuauclt.yml @@ -32,3 +32,4 @@ tags: - attack.execution - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml b/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml index b794867f..2f048be2 100644 --- a/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/sigma/process_creation/win_lolbin_execution_via_winget.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_lsass_dump.yml b/rules/sigma/process_creation/win_lsass_dump.yml index cb5bfa34..783d6508 100644 --- a/rules/sigma/process_creation/win_lsass_dump.yml +++ b/rules/sigma/process_creation/win_lsass_dump.yml @@ -43,3 +43,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mal_adwind.yml b/rules/sigma/process_creation/win_mal_adwind.yml index 47f8ff2e..059886e7 100644 --- a/rules/sigma/process_creation/win_mal_adwind.yml +++ b/rules/sigma/process_creation/win_mal_adwind.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti.yml b/rules/sigma/process_creation/win_malware_conti.yml index 3ea05012..ae2c8fcc 100644 --- a/rules/sigma/process_creation/win_malware_conti.yml +++ b/rules/sigma/process_creation/win_malware_conti.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1587.001 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti_7zip.yml b/rules/sigma/process_creation/win_malware_conti_7zip.yml index 4961b844..80b54994 100644 --- a/rules/sigma/process_creation/win_malware_conti_7zip.yml +++ b/rules/sigma/process_creation/win_malware_conti_7zip.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.collection - attack.t1560 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml b/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml index 14bfb6b2..73ef1ef9 100644 --- a/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/sigma/process_creation/win_malware_conti_shadowcopy.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_dridex.yml b/rules/sigma/process_creation/win_malware_dridex.yml index 23962991..a4e7ecd1 100644 --- a/rules/sigma/process_creation/win_malware_dridex.yml +++ b/rules/sigma/process_creation/win_malware_dridex.yml @@ -46,3 +46,4 @@ tags: - attack.discovery - attack.t1135 - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_dtrack.yml b/rules/sigma/process_creation/win_malware_dtrack.yml index ffef1743..77a1657c 100644 --- a/rules/sigma/process_creation/win_malware_dtrack.yml +++ b/rules/sigma/process_creation/win_malware_dtrack.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_emotet.yml b/rules/sigma/process_creation/win_malware_emotet.yml index 5a075efe..5bbf0ef9 100644 --- a/rules/sigma/process_creation/win_malware_emotet.yml +++ b/rules/sigma/process_creation/win_malware_emotet.yml @@ -41,3 +41,4 @@ tags: - attack.t1086 - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_formbook.yml b/rules/sigma/process_creation/win_malware_formbook.yml index a898d572..a254954f 100644 --- a/rules/sigma/process_creation/win_malware_formbook.yml +++ b/rules/sigma/process_creation/win_malware_formbook.yml @@ -61,3 +61,4 @@ status: experimental tags: - attack.develop_capabilities - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_notpetya.yml b/rules/sigma/process_creation/win_malware_notpetya.yml index 88af539a..32138ad6 100644 --- a/rules/sigma/process_creation/win_malware_notpetya.yml +++ b/rules/sigma/process_creation/win_malware_notpetya.yml @@ -46,3 +46,4 @@ tags: - attack.t1003.001 - attack.t1003 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_qbot.yml b/rules/sigma/process_creation/win_malware_qbot.yml index 335dc265..c86ef187 100644 --- a/rules/sigma/process_creation/win_malware_qbot.yml +++ b/rules/sigma/process_creation/win_malware_qbot.yml @@ -40,3 +40,4 @@ tags: - attack.t1059.005 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_ryuk.yml b/rules/sigma/process_creation/win_malware_ryuk.yml index 75b4c7f3..68cf8730 100644 --- a/rules/sigma/process_creation/win_malware_ryuk.yml +++ b/rules/sigma/process_creation/win_malware_ryuk.yml @@ -29,3 +29,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_script_dropper.yml b/rules/sigma/process_creation/win_malware_script_dropper.yml index e72e89e0..663aeac7 100644 --- a/rules/sigma/process_creation/win_malware_script_dropper.yml +++ b/rules/sigma/process_creation/win_malware_script_dropper.yml @@ -44,3 +44,4 @@ tags: - attack.t1059.007 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml b/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml index 0d40f63d..e486ea85 100644 --- a/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/sigma/process_creation/win_malware_trickbot_recon_activity.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.discovery - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml b/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml index c65c3862..3c074dc3 100644 --- a/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml +++ b/rules/sigma/process_creation/win_malware_trickbot_wermgr.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1559 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_malware_wannacry.yml b/rules/sigma/process_creation/win_malware_wannacry.yml index effc56e5..ae3c8781 100644 --- a/rules/sigma/process_creation/win_malware_wannacry.yml +++ b/rules/sigma/process_creation/win_malware_wannacry.yml @@ -82,3 +82,4 @@ tags: - attack.impact - attack.t1486 - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_manage_bde_lolbas.yml b/rules/sigma/process_creation/win_manage_bde_lolbas.yml index 359be25f..c385b705 100644 --- a/rules/sigma/process_creation/win_manage_bde_lolbas.yml +++ b/rules/sigma/process_creation/win_manage_bde_lolbas.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mavinject_proc_inj.yml b/rules/sigma/process_creation/win_mavinject_proc_inj.yml index 07da4807..98d8f939 100644 --- a/rules/sigma/process_creation/win_mavinject_proc_inj.yml +++ b/rules/sigma/process_creation/win_mavinject_proc_inj.yml @@ -26,3 +26,4 @@ tags: - attack.t1055 - attack.t1055.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index c8944626..fe399755 100644 --- a/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -67,3 +67,4 @@ tags: - attack.t1134 - attack.t1134.001 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mimikatz_command_line.yml b/rules/sigma/process_creation/win_mimikatz_command_line.yml index 08d650a8..0a86eee3 100644 --- a/rules/sigma/process_creation/win_mimikatz_command_line.yml +++ b/rules/sigma/process_creation/win_mimikatz_command_line.yml @@ -44,3 +44,4 @@ tags: - attack.t1003.004 - attack.t1003.005 - attack.t1003.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mmc_spawn_shell.yml b/rules/sigma/process_creation/win_mmc_spawn_shell.yml index f23e77c2..65cd66d0 100644 --- a/rules/sigma/process_creation/win_mmc_spawn_shell.yml +++ b/rules/sigma/process_creation/win_mmc_spawn_shell.yml @@ -39,3 +39,4 @@ tags: - attack.lateral_movement - attack.t1175 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml index b20dba40..b488ca62 100644 --- a/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml +++ b/rules/sigma/process_creation/win_modif_of_services_for_via_commandline.yml @@ -32,3 +32,4 @@ tags: - attack.t1543.003 - attack.t1058 - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml index 3b184a5f..a7f46669 100644 --- a/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml +++ b/rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mouse_lock.yml b/rules/sigma/process_creation/win_mouse_lock.yml index e483223f..a0444812 100644 --- a/rules/sigma/process_creation/win_mouse_lock.yml +++ b/rules/sigma/process_creation/win_mouse_lock.yml @@ -34,3 +34,4 @@ tags: - attack.credential_access - attack.collection - attack.t1056.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mshta_javascript.yml b/rules/sigma/process_creation/win_mshta_javascript.yml index e87ff501..46852f00 100644 --- a/rules/sigma/process_creation/win_mshta_javascript.yml +++ b/rules/sigma/process_creation/win_mshta_javascript.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1170 - attack.t1218.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_mshta_spawn_shell.yml b/rules/sigma/process_creation/win_mshta_spawn_shell.yml index 6c624355..c47f3c3b 100644 --- a/rules/sigma/process_creation/win_mshta_spawn_shell.yml +++ b/rules/sigma/process_creation/win_mshta_spawn_shell.yml @@ -44,3 +44,4 @@ tags: - car.2013-02-003 - car.2013-03-001 - car.2014-04-003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_multiple_suspicious_cli.yml b/rules/sigma/process_creation/win_multiple_suspicious_cli.yml index 2b1029e7..0e60a2f8 100644 --- a/rules/sigma/process_creation/win_multiple_suspicious_cli.yml +++ b/rules/sigma/process_creation/win_multiple_suspicious_cli.yml @@ -63,3 +63,4 @@ tags: - car.2013-04-002 - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_net_enum.yml b/rules/sigma/process_creation/win_net_enum.yml index 1ecb75c1..f592dc38 100644 --- a/rules/sigma/process_creation/win_net_enum.yml +++ b/rules/sigma/process_creation/win_net_enum.yml @@ -35,3 +35,4 @@ status: stable tags: - attack.discovery - attack.t1018 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_net_user_add.yml b/rules/sigma/process_creation/win_net_user_add.yml index d20f614c..ab20baf1 100644 --- a/rules/sigma/process_creation/win_net_user_add.yml +++ b/rules/sigma/process_creation/win_net_user_add.yml @@ -36,3 +36,4 @@ tags: - attack.persistence - attack.t1136 - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml b/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml index 10058033..36fbe1d5 100644 --- a/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/sigma/process_creation/win_netsh_allow_port_rdp.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_fw_add.yml b/rules/sigma/process_creation/win_netsh_fw_add.yml index 1b91cd52..861da866 100644 --- a/rules/sigma/process_creation/win_netsh_fw_add.yml +++ b/rules/sigma/process_creation/win_netsh_fw_add.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml b/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml index 4d14c024..1f0d4e05 100644 --- a/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/sigma/process_creation/win_netsh_fw_add_susp_image.yml @@ -69,3 +69,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_packet_capture.yml b/rules/sigma/process_creation/win_netsh_packet_capture.yml index 4c010108..f1d2a627 100644 --- a/rules/sigma/process_creation/win_netsh_packet_capture.yml +++ b/rules/sigma/process_creation/win_netsh_packet_capture.yml @@ -29,3 +29,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_port_fwd.yml b/rules/sigma/process_creation/win_netsh_port_fwd.yml index bde31e3c..ed7d73e2 100644 --- a/rules/sigma/process_creation/win_netsh_port_fwd.yml +++ b/rules/sigma/process_creation/win_netsh_port_fwd.yml @@ -43,3 +43,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml b/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml index bcf10308..96fac741 100644 --- a/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/sigma/process_creation/win_netsh_port_fwd_3389.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml index d04d3e5a..ee236f4e 100644 --- a/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml +++ b/rules/sigma/process_creation/win_netsh_wifi_credential_harvesting.yml @@ -36,3 +36,4 @@ tags: - attack.discovery - attack.credential_access - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_network_sniffing.yml b/rules/sigma/process_creation/win_network_sniffing.yml index 5a12e598..2c6c6dfc 100644 --- a/rules/sigma/process_creation/win_network_sniffing.yml +++ b/rules/sigma/process_creation/win_network_sniffing.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.discovery - attack.t1040 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_new_service_creation.yml b/rules/sigma/process_creation/win_new_service_creation.yml index c6ca9f15..045b6dfc 100644 --- a/rules/sigma/process_creation/win_new_service_creation.yml +++ b/rules/sigma/process_creation/win_new_service_creation.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1050 - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_nltest_recon.yml b/rules/sigma/process_creation/win_nltest_recon.yml index 97a2516c..2a404f47 100644 --- a/rules/sigma/process_creation/win_nltest_recon.yml +++ b/rules/sigma/process_creation/win_nltest_recon.yml @@ -44,3 +44,4 @@ tags: - attack.discovery - attack.t1016 - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_non_interactive_powershell.yml b/rules/sigma/process_creation/win_non_interactive_powershell.yml index e874cbc5..baf938ed 100644 --- a/rules/sigma/process_creation/win_non_interactive_powershell.yml +++ b/rules/sigma/process_creation/win_non_interactive_powershell.yml @@ -29,3 +29,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml b/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml index e9515007..b0504e87 100644 --- a/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml +++ b/rules/sigma/process_creation/win_non_priv_reg_or_ps.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_office_shell.yml b/rules/sigma/process_creation/win_office_shell.yml index f0347cfe..7696f593 100644 --- a/rules/sigma/process_creation/win_office_shell.yml +++ b/rules/sigma/process_creation/win_office_shell.yml @@ -59,3 +59,4 @@ tags: - attack.execution - attack.t1204 - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml index 1cc48bac..2f13cf2d 100644 --- a/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -43,3 +43,4 @@ tags: - attack.t1204.002 - attack.g0046 - car.2013-05-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml index 2affa1c2..56d409b2 100644 --- a/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml +++ b/rules/sigma/process_creation/win_pc_set_policies_to_unsecure_level.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml b/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml index 8569767d..08811692 100644 --- a/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml +++ b/rules/sigma/process_creation/win_pc_susp_cmdl32_lolbas.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml b/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml index b3181d2b..7f37650e 100644 --- a/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml +++ b/rules/sigma/process_creation/win_pc_susp_reg_bitlocker.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.impact - attack.t1486 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml index 12b1c1a4..9c4ea7cc 100644 --- a/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml +++ b/rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.execution - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_pc_susp_zipexec.yml b/rules/sigma/process_creation/win_pc_susp_zipexec.yml index 368f8e5b..c7093b3b 100644 --- a/rules/sigma/process_creation/win_pc_susp_zipexec.yml +++ b/rules/sigma/process_creation/win_pc_susp_zipexec.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml b/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml index 9ded65bd..3c6ec290 100644 --- a/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/sigma/process_creation/win_plugx_susp_exe_locations.yml @@ -105,3 +105,4 @@ tags: - attack.defense_evasion - attack.t1073 - attack.t1574.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_possible_applocker_bypass.yml b/rules/sigma/process_creation/win_possible_applocker_bypass.yml index 34a03c59..4cf64c6c 100644 --- a/rules/sigma/process_creation/win_possible_applocker_bypass.yml +++ b/rules/sigma/process_creation/win_possible_applocker_bypass.yml @@ -43,3 +43,4 @@ tags: - attack.t1170 - attack.t1218.005 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml b/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml index 4f6dc54e..528f12e3 100644 --- a/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml +++ b/rules/sigma/process_creation/win_possible_privilege_escalation_via_service_registry_permissions.yml @@ -38,3 +38,4 @@ tags: - attack.privilege_escalation - attack.t1058 - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_amsi_bypass.yml b/rules/sigma/process_creation/win_powershell_amsi_bypass.yml index 6d2dc3bd..0b5bcdfc 100644 --- a/rules/sigma/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/sigma/process_creation/win_powershell_amsi_bypass.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_audio_capture.yml b/rules/sigma/process_creation/win_powershell_audio_capture.yml index df058cdd..582e0de9 100644 --- a/rules/sigma/process_creation/win_powershell_audio_capture.yml +++ b/rules/sigma/process_creation/win_powershell_audio_capture.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_b64_shellcode.yml b/rules/sigma/process_creation/win_powershell_b64_shellcode.yml index 5e08a0e9..9104ff9f 100644 --- a/rules/sigma/process_creation/win_powershell_b64_shellcode.yml +++ b/rules/sigma/process_creation/win_powershell_b64_shellcode.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_bitsjob.yml b/rules/sigma/process_creation/win_powershell_bitsjob.yml index bb8f93d9..d5fcfcba 100644 --- a/rules/sigma/process_creation/win_powershell_bitsjob.yml +++ b/rules/sigma/process_creation/win_powershell_bitsjob.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml b/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml index 656384b5..b31177c7 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_reversed_strings.yml @@ -53,3 +53,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml b/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml index d4934af9..7485d0de 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml @@ -35,3 +35,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml b/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml index e79b7e2a..37f9f263 100644 --- a/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml +++ b/rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml @@ -57,3 +57,4 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_defender_exclusion.yml b/rules/sigma/process_creation/win_powershell_defender_exclusion.yml index 5327a7a0..ac097a3a 100644 --- a/rules/sigma/process_creation/win_powershell_defender_exclusion.yml +++ b/rules/sigma/process_creation/win_powershell_defender_exclusion.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_disable_windef_av.yml b/rules/sigma/process_creation/win_powershell_disable_windef_av.yml index 4722b8e3..99fc958d 100644 --- a/rules/sigma/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/sigma/process_creation/win_powershell_disable_windef_av.yml @@ -47,3 +47,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_dll_execution.yml b/rules/sigma/process_creation/win_powershell_dll_execution.yml index 387ab490..b46dff39 100644 --- a/rules/sigma/process_creation/win_powershell_dll_execution.yml +++ b/rules/sigma/process_creation/win_powershell_dll_execution.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_downgrade_attack.yml b/rules/sigma/process_creation/win_powershell_downgrade_attack.yml index e54b24ef..67e15ddc 100644 --- a/rules/sigma/process_creation/win_powershell_downgrade_attack.yml +++ b/rules/sigma/process_creation/win_powershell_downgrade_attack.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_download.yml b/rules/sigma/process_creation/win_powershell_download.yml index c8fcabbf..ab08f8e4 100644 --- a/rules/sigma/process_creation/win_powershell_download.yml +++ b/rules/sigma/process_creation/win_powershell_download.yml @@ -36,3 +36,4 @@ tags: - attack.t1086 - attack.execution - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_frombase64string.yml b/rules/sigma/process_creation/win_powershell_frombase64string.yml index 7d70c8e8..03c47c24 100644 --- a/rules/sigma/process_creation/win_powershell_frombase64string.yml +++ b/rules/sigma/process_creation/win_powershell_frombase64string.yml @@ -25,3 +25,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml b/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml index 41f3e59b..6fc6e72c 100644 --- a/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml +++ b/rules/sigma/process_creation/win_powershell_reverse_shell_connection.yml @@ -31,3 +31,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml index 96119cd3..b349a7c7 100644 --- a/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/sigma/process_creation/win_powershell_suspicious_parameter_variation.yml @@ -67,3 +67,4 @@ tags: - attack.execution - attack.t1086 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powershell_xor_commandline.yml b/rules/sigma/process_creation/win_powershell_xor_commandline.yml index ba29864c..1146a19c 100644 --- a/rules/sigma/process_creation/win_powershell_xor_commandline.yml +++ b/rules/sigma/process_creation/win_powershell_xor_commandline.yml @@ -32,3 +32,4 @@ tags: - attack.t1059.001 - attack.t1140 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml b/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml index 59a90334..e3aa2259 100644 --- a/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml +++ b/rules/sigma/process_creation/win_powersploit_empire_schtasks.yml @@ -54,3 +54,4 @@ tags: - car.2013-08-001 - attack.t1053.005 - attack.t1059.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_proc_wrong_parent.yml b/rules/sigma/process_creation/win_proc_wrong_parent.yml index f4732826..527b8aaa 100644 --- a/rules/sigma/process_creation/win_proc_wrong_parent.yml +++ b/rules/sigma/process_creation/win_proc_wrong_parent.yml @@ -52,3 +52,4 @@ tags: - attack.t1036 - attack.t1036.003 - attack.t1036.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_procdump.yml b/rules/sigma/process_creation/win_procdump.yml index 27abc1b2..ba8d94c8 100644 --- a/rules/sigma/process_creation/win_procdump.yml +++ b/rules/sigma/process_creation/win_procdump.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml b/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml index 53299119..749805ec 100644 --- a/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml @@ -48,3 +48,4 @@ tags: - attack.t1197 - attack.s0190 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml b/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml index d3346f1c..71371bf2 100644 --- a/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml +++ b/rules/sigma/process_creation/win_process_dump_rdrleakdiag.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml index f1585f88..d3f232d7 100644 --- a/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/sigma/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -31,3 +31,4 @@ tags: - attack.t1003 - car.2013-05-009 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_psexesvc_start.yml b/rules/sigma/process_creation/win_psexesvc_start.yml index f42e6c54..05ce187d 100644 --- a/rules/sigma/process_creation/win_psexesvc_start.yml +++ b/rules/sigma/process_creation/win_psexesvc_start.yml @@ -23,3 +23,4 @@ tags: - attack.t1035 - attack.s0029 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_purplesharp_indicators.yml b/rules/sigma/process_creation/win_purplesharp_indicators.yml index 7f1b2229..a2878b4b 100644 --- a/rules/sigma/process_creation/win_purplesharp_indicators.yml +++ b/rules/sigma/process_creation/win_purplesharp_indicators.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.t1587 - attack.resource_development +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_query_registry.yml b/rules/sigma/process_creation/win_query_registry.yml index 5aae1241..b234c5fe 100644 --- a/rules/sigma/process_creation/win_query_registry.yml +++ b/rules/sigma/process_creation/win_query_registry.yml @@ -48,3 +48,4 @@ tags: - attack.discovery - attack.t1012 - attack.t1007 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rasautou_dll_execution.yml b/rules/sigma/process_creation/win_rasautou_dll_execution.yml index e4de4dbb..f227df12 100644 --- a/rules/sigma/process_creation/win_rasautou_dll_execution.yml +++ b/rules/sigma/process_creation/win_rasautou_dll_execution.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml b/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml index a6286db7..c163bc3e 100644 --- a/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml +++ b/rules/sigma/process_creation/win_rdp_hijack_shadowing.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1563.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml b/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml index 6b83a6b6..4add0c60 100644 --- a/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml +++ b/rules/sigma/process_creation/win_redmimicry_winnti_proc.yml @@ -34,3 +34,4 @@ tags: - attack.t1106 - attack.t1059.003 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_reg_add_run_key.yml b/rules/sigma/process_creation/win_reg_add_run_key.yml index eb7d6de2..64ef082f 100644 --- a/rules/sigma/process_creation/win_reg_add_run_key.yml +++ b/rules/sigma/process_creation/win_reg_add_run_key.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_export_critical_keys.yml b/rules/sigma/process_creation/win_regedit_export_critical_keys.yml index 749a600e..36a460f3 100644 --- a/rules/sigma/process_creation/win_regedit_export_critical_keys.yml +++ b/rules/sigma/process_creation/win_regedit_export_critical_keys.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.exfiltration - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_export_keys.yml b/rules/sigma/process_creation/win_regedit_export_keys.yml index 57c6783a..caef01b6 100644 --- a/rules/sigma/process_creation/win_regedit_export_keys.yml +++ b/rules/sigma/process_creation/win_regedit_export_keys.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.exfiltration - attack.t1012 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_import_keys.yml b/rules/sigma/process_creation/win_regedit_import_keys.yml index c9c18c20..f172e8f3 100644 --- a/rules/sigma/process_creation/win_regedit_import_keys.yml +++ b/rules/sigma/process_creation/win_regedit_import_keys.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regedit_import_keys_ads.yml b/rules/sigma/process_creation/win_regedit_import_keys_ads.yml index 72b9ccb1..f6bd79ae 100644 --- a/rules/sigma/process_creation/win_regedit_import_keys_ads.yml +++ b/rules/sigma/process_creation/win_regedit_import_keys_ads.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regini.yml b/rules/sigma/process_creation/win_regini.yml index ab7e1d70..83f0910a 100644 --- a/rules/sigma/process_creation/win_regini.yml +++ b/rules/sigma/process_creation/win_regini.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_regini_ads.yml b/rules/sigma/process_creation/win_regini_ads.yml index b0e7422c..523b72e9 100644 --- a/rules/sigma/process_creation/win_regini_ads.yml +++ b/rules/sigma/process_creation/win_regini_ads.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1112 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_remote_powershell_session_process.yml b/rules/sigma/process_creation/win_remote_powershell_session_process.yml index 45b82709..f7a454e9 100644 --- a/rules/sigma/process_creation/win_remote_powershell_session_process.yml +++ b/rules/sigma/process_creation/win_remote_powershell_session_process.yml @@ -33,3 +33,4 @@ tags: - attack.t1086 - attack.t1059.001 - attack.t1021.006 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_remote_time_discovery.yml b/rules/sigma/process_creation/win_remote_time_discovery.yml index a4e6e30b..52de2534 100644 --- a/rules/sigma/process_creation/win_remote_time_discovery.yml +++ b/rules/sigma/process_creation/win_remote_time_discovery.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.discovery - attack.t1124 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_binary.yml b/rules/sigma/process_creation/win_renamed_binary.yml index 8863cd80..248f0dd6 100644 --- a/rules/sigma/process_creation/win_renamed_binary.yml +++ b/rules/sigma/process_creation/win_renamed_binary.yml @@ -71,3 +71,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml b/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml index 1907cce3..c4266ec9 100644 --- a/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml +++ b/rules/sigma/process_creation/win_renamed_binary_highly_relevant.yml @@ -56,3 +56,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_jusched.yml b/rules/sigma/process_creation/win_renamed_jusched.yml index 22f1b7fa..8852e916 100644 --- a/rules/sigma/process_creation/win_renamed_jusched.yml +++ b/rules/sigma/process_creation/win_renamed_jusched.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_megasync.yml b/rules/sigma/process_creation/win_renamed_megasync.yml index 1e88f243..605520be 100644 --- a/rules/sigma/process_creation/win_renamed_megasync.yml +++ b/rules/sigma/process_creation/win_renamed_megasync.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_paexec.yml b/rules/sigma/process_creation/win_renamed_paexec.yml index 80bb0aab..f58777ef 100644 --- a/rules/sigma/process_creation/win_renamed_paexec.yml +++ b/rules/sigma/process_creation/win_renamed_paexec.yml @@ -40,3 +40,4 @@ tags: - attack.t1036.003 - attack.g0046 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_powershell.yml b/rules/sigma/process_creation/win_renamed_powershell.yml index 34e4de1b..e9ddecde 100644 --- a/rules/sigma/process_creation/win_renamed_powershell.yml +++ b/rules/sigma/process_creation/win_renamed_powershell.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_procdump.yml b/rules/sigma/process_creation/win_renamed_procdump.yml index ed25b8f5..1f585505 100644 --- a/rules/sigma/process_creation/win_renamed_procdump.yml +++ b/rules/sigma/process_creation/win_renamed_procdump.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_psexec.yml b/rules/sigma/process_creation/win_renamed_psexec.yml index bf14a6b0..1a981867 100644 --- a/rules/sigma/process_creation/win_renamed_psexec.yml +++ b/rules/sigma/process_creation/win_renamed_psexec.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_renamed_whoami.yml b/rules/sigma/process_creation/win_renamed_whoami.yml index 7de993ab..b86506db 100644 --- a/rules/sigma/process_creation/win_renamed_whoami.yml +++ b/rules/sigma/process_creation/win_renamed_whoami.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml b/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml index b92d04fb..cb3f8cc7 100644 --- a/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml +++ b/rules/sigma/process_creation/win_run_powershell_script_from_ads.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1096 - attack.t1564.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml index 81cf3560..a19c2d59 100644 --- a/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml +++ b/rules/sigma/process_creation/win_run_powershell_script_from_input_stream.yml @@ -26,3 +26,4 @@ tags: - attack.defense_evasion - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_run_virtualbox.yml b/rules/sigma/process_creation/win_run_virtualbox.yml index 073552cd..d07a0a48 100644 --- a/rules/sigma/process_creation/win_run_virtualbox.yml +++ b/rules/sigma/process_creation/win_run_virtualbox.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1564.006 - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_rundll32_without_parameters.yml b/rules/sigma/process_creation/win_rundll32_without_parameters.yml index e25ffcaa..784b34c7 100644 --- a/rules/sigma/process_creation/win_rundll32_without_parameters.yml +++ b/rules/sigma/process_creation/win_rundll32_without_parameters.yml @@ -32,3 +32,4 @@ tags: - attack.t1570 - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_script_event_consumer_spawn.yml b/rules/sigma/process_creation/win_script_event_consumer_spawn.yml index d73d7a2c..7e7fb735 100644 --- a/rules/sigma/process_creation/win_script_event_consumer_spawn.yml +++ b/rules/sigma/process_creation/win_script_event_consumer_spawn.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml b/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml index d300eb18..687f3378 100644 --- a/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/sigma/process_creation/win_sdbinst_shim_persistence.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.t1546.011 - attack.t1138 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_service_execution.yml b/rules/sigma/process_creation/win_service_execution.yml index 6c923f4a..935b2889 100644 --- a/rules/sigma/process_creation/win_service_execution.yml +++ b/rules/sigma/process_creation/win_service_execution.yml @@ -28,3 +28,4 @@ tags: - attack.execution - attack.t1035 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_service_stop.yml b/rules/sigma/process_creation/win_service_stop.yml index e38dab39..1241c8a7 100644 --- a/rules/sigma/process_creation/win_service_stop.yml +++ b/rules/sigma/process_creation/win_service_stop.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.impact - attack.t1489 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml b/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml index 94e55433..3ddac79f 100644 --- a/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml +++ b/rules/sigma/process_creation/win_shadow_copies_access_symlink.yml @@ -27,3 +27,4 @@ tags: - attack.t1003 - attack.t1003.002 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_creation.yml b/rules/sigma/process_creation/win_shadow_copies_creation.yml index 34a1cb88..bc1ff2d6 100644 --- a/rules/sigma/process_creation/win_shadow_copies_creation.yml +++ b/rules/sigma/process_creation/win_shadow_copies_creation.yml @@ -33,3 +33,4 @@ tags: - attack.t1003 - attack.t1003.002 - attack.t1003.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shadow_copies_deletion.yml b/rules/sigma/process_creation/win_shadow_copies_deletion.yml index e6d6f8de..dd564216 100644 --- a/rules/sigma/process_creation/win_shadow_copies_deletion.yml +++ b/rules/sigma/process_creation/win_shadow_copies_deletion.yml @@ -64,3 +64,4 @@ tags: - attack.impact - attack.t1070 - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shell_spawn_mshta.yml b/rules/sigma/process_creation/win_shell_spawn_mshta.yml index 8e807b6e..1399cccd 100644 --- a/rules/sigma/process_creation/win_shell_spawn_mshta.yml +++ b/rules/sigma/process_creation/win_shell_spawn_mshta.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_shell_spawn_susp_program.yml b/rules/sigma/process_creation/win_shell_spawn_susp_program.yml index 4a84307c..2b4a3776 100644 --- a/rules/sigma/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/sigma/process_creation/win_shell_spawn_susp_program.yml @@ -46,3 +46,4 @@ tags: - attack.t1059.005 - attack.t1059.001 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_silenttrinity_stage_use.yml b/rules/sigma/process_creation/win_silenttrinity_stage_use.yml index f617b04a..f0ec5a59 100644 --- a/rules/sigma/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/sigma/process_creation/win_silenttrinity_stage_use.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.command_and_control - attack.t1071 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_soundrec_audio_capture.yml b/rules/sigma/process_creation/win_soundrec_audio_capture.yml index 30b9c394..29b404dd 100644 --- a/rules/sigma/process_creation/win_soundrec_audio_capture.yml +++ b/rules/sigma/process_creation/win_soundrec_audio_capture.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.collection - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_spn_enum.yml b/rules/sigma/process_creation/win_spn_enum.yml index 24b49e05..4f415e61 100644 --- a/rules/sigma/process_creation/win_spn_enum.yml +++ b/rules/sigma/process_creation/win_spn_enum.yml @@ -29,3 +29,4 @@ tags: - attack.credential_access - attack.t1558.003 - attack.t1208 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 0d12159f..f8683c4f 100644 --- a/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/sigma/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -31,3 +31,4 @@ tags: - attack.t1015 - attack.t1546.008 - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sus_auditpol_usage.yml b/rules/sigma/process_creation/win_sus_auditpol_usage.yml index b9f50fe5..6044a107 100644 --- a/rules/sigma/process_creation/win_sus_auditpol_usage.yml +++ b/rules/sigma/process_creation/win_sus_auditpol_usage.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_adfind.yml b/rules/sigma/process_creation/win_susp_adfind.yml index fa161b2c..d6559fe2 100644 --- a/rules/sigma/process_creation/win_susp_adfind.yml +++ b/rules/sigma/process_creation/win_susp_adfind.yml @@ -35,3 +35,4 @@ tags: - attack.t1087.002 - attack.t1482 - attack.t1069.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_atbroker.yml b/rules/sigma/process_creation/win_susp_atbroker.yml index e4575d76..1d488f21 100644 --- a/rules/sigma/process_creation/win_susp_atbroker.yml +++ b/rules/sigma/process_creation/win_susp_atbroker.yml @@ -55,3 +55,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bcdedit.yml b/rules/sigma/process_creation/win_susp_bcdedit.yml index 6d7e22f8..7ed14ab1 100644 --- a/rules/sigma/process_creation/win_susp_bcdedit.yml +++ b/rules/sigma/process_creation/win_susp_bcdedit.yml @@ -32,3 +32,4 @@ tags: - attack.persistence - attack.t1542.003 - attack.t1067 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bginfo.yml b/rules/sigma/process_creation/win_susp_bginfo.yml index a11e9408..5374400c 100644 --- a/rules/sigma/process_creation/win_susp_bginfo.yml +++ b/rules/sigma/process_creation/win_susp_bginfo.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_bitstransfer.yml b/rules/sigma/process_creation/win_susp_bitstransfer.yml index 617a2df5..e2544113 100644 --- a/rules/sigma/process_creation/win_susp_bitstransfer.yml +++ b/rules/sigma/process_creation/win_susp_bitstransfer.yml @@ -35,3 +35,4 @@ tags: - attack.exfiltration - attack.persistence - attack.t1197 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_calc.yml b/rules/sigma/process_creation/win_susp_calc.yml index 41fc493f..dd1b859a 100644 --- a/rules/sigma/process_creation/win_susp_calc.yml +++ b/rules/sigma/process_creation/win_susp_calc.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cdb.yml b/rules/sigma/process_creation/win_susp_cdb.yml index 7ba506b2..b64aca41 100644 --- a/rules/sigma/process_creation/win_susp_cdb.yml +++ b/rules/sigma/process_creation/win_susp_cdb.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_certutil_command.yml b/rules/sigma/process_creation/win_susp_certutil_command.yml index 02aff336..d310d013 100644 --- a/rules/sigma/process_creation/win_susp_certutil_command.yml +++ b/rules/sigma/process_creation/win_susp_certutil_command.yml @@ -58,3 +58,4 @@ tags: - attack.g0049 - attack.g0075 - attack.g0096 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_certutil_encode.yml b/rules/sigma/process_creation/win_susp_certutil_encode.yml index c78521d5..ae6f3c17 100644 --- a/rules/sigma/process_creation/win_susp_certutil_encode.yml +++ b/rules/sigma/process_creation/win_susp_certutil_encode.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_child_process_as_system_.yml b/rules/sigma/process_creation/win_susp_child_process_as_system_.yml index aaa01fd6..224e5b32 100644 --- a/rules/sigma/process_creation/win_susp_child_process_as_system_.yml +++ b/rules/sigma/process_creation/win_susp_child_process_as_system_.yml @@ -44,3 +44,4 @@ tags: - attack.privilege_escalation - attack.t1134 - attack.t1134.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cli_escape.yml b/rules/sigma/process_creation/win_susp_cli_escape.yml index c33b682a..a9b33c29 100644 --- a/rules/sigma/process_creation/win_susp_cli_escape.yml +++ b/rules/sigma/process_creation/win_susp_cli_escape.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1140 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml b/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml index d6f6e55b..80900c67 100644 --- a/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/sigma/process_creation/win_susp_cmd_http_appdata.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.001 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml index 53d62e27..c90bd4e8 100644 --- a/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml +++ b/rules/sigma/process_creation/win_susp_cmd_shadowcopy_access.yml @@ -23,3 +23,4 @@ status: experimental tags: - attack.impact - attack.t1490 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_codepage_switch.yml b/rules/sigma/process_creation/win_susp_codepage_switch.yml index 7ef415cd..e9d9a8fc 100644 --- a/rules/sigma/process_creation/win_susp_codepage_switch.yml +++ b/rules/sigma/process_creation/win_susp_codepage_switch.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.t1036 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_commands_recon_activity.yml b/rules/sigma/process_creation/win_susp_commands_recon_activity.yml index 983f7a7a..c40ac091 100644 --- a/rules/sigma/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/sigma/process_creation/win_susp_commands_recon_activity.yml @@ -49,3 +49,4 @@ tags: - attack.t1087 - attack.t1082 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_compression_params.yml b/rules/sigma/process_creation/win_susp_compression_params.yml index 29335439..c2330d1b 100644 --- a/rules/sigma/process_creation/win_susp_compression_params.yml +++ b/rules/sigma/process_creation/win_susp_compression_params.yml @@ -40,3 +40,4 @@ tags: - attack.exfiltration - attack.t1020 - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml b/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml index 154bff4c..ad450f29 100644 --- a/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/sigma/process_creation/win_susp_comsvcs_procdump.yml @@ -39,3 +39,4 @@ tags: - attack.credential_access - attack.t1003.001 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_conhost.yml b/rules/sigma/process_creation/win_susp_conhost.yml index ccf456d7..9acbf50d 100644 --- a/rules/sigma/process_creation/win_susp_conhost.yml +++ b/rules/sigma/process_creation/win_susp_conhost.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml b/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml index 03aaa648..296b47b7 100644 --- a/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml +++ b/rules/sigma/process_creation/win_susp_control_cve_2021_40444.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_control_dll_load.yml b/rules/sigma/process_creation/win_susp_control_dll_load.yml index c9262984..65537df4 100644 --- a/rules/sigma/process_creation/win_susp_control_dll_load.yml +++ b/rules/sigma/process_creation/win_susp_control_dll_load.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1085 - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml b/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml index ae70e66e..ac84dd49 100644 --- a/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/sigma/process_creation/win_susp_copy_lateral_movement.yml @@ -52,3 +52,4 @@ tags: - attack.t1105 - attack.t1048 - attack.t1021.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_copy_system32.yml b/rules/sigma/process_creation/win_susp_copy_system32.yml index 8c5596c3..c20be8f9 100644 --- a/rules/sigma/process_creation/win_susp_copy_system32.yml +++ b/rules/sigma/process_creation/win_susp_copy_system32.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_covenant.yml b/rules/sigma/process_creation/win_susp_covenant.yml index c47bcc43..beb20a76 100644 --- a/rules/sigma/process_creation/win_susp_covenant.yml +++ b/rules/sigma/process_creation/win_susp_covenant.yml @@ -40,3 +40,4 @@ tags: - attack.t1059.001 - attack.t1564.003 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml b/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml index 277f8a50..e0a34355 100644 --- a/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/sigma/process_creation/win_susp_crackmapexec_execution.yml @@ -38,3 +38,4 @@ tags: - attack.t1059.001 - attack.s0106 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index e7d75b21..024851fe 100644 --- a/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/sigma/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml @@ -40,3 +40,4 @@ tags: - attack.t1027.005 - attack.t1027 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csc.yml b/rules/sigma/process_creation/win_susp_csc.yml index 2c883a5c..9a62d434 100644 --- a/rules/sigma/process_creation/win_susp_csc.yml +++ b/rules/sigma/process_creation/win_susp_csc.yml @@ -34,3 +34,4 @@ tags: - attack.t1500 - attack.t1218.005 - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csc_folder.yml b/rules/sigma/process_creation/win_susp_csc_folder.yml index 76a4c81b..5ababa6c 100644 --- a/rules/sigma/process_creation/win_susp_csc_folder.yml +++ b/rules/sigma/process_creation/win_susp_csc_folder.yml @@ -43,3 +43,4 @@ tags: - attack.defense_evasion - attack.t1500 - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_csi.yml b/rules/sigma/process_creation/win_susp_csi.yml index 17d16643..7efec0c8 100644 --- a/rules/sigma/process_creation/win_susp_csi.yml +++ b/rules/sigma/process_creation/win_susp_csi.yml @@ -45,3 +45,4 @@ tags: - attack.t1072 - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_download.yml b/rules/sigma/process_creation/win_susp_curl_download.yml index ebe37152..b30d7811 100644 --- a/rules/sigma/process_creation/win_susp_curl_download.yml +++ b/rules/sigma/process_creation/win_susp_curl_download.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_fileupload.yml b/rules/sigma/process_creation/win_susp_curl_fileupload.yml index 7bdaccef..3a04fe5f 100644 --- a/rules/sigma/process_creation/win_susp_curl_fileupload.yml +++ b/rules/sigma/process_creation/win_susp_curl_fileupload.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_curl_start_combo.yml b/rules/sigma/process_creation/win_susp_curl_start_combo.yml index 8f74e8dd..d7222ef7 100644 --- a/rules/sigma/process_creation/win_susp_curl_start_combo.yml +++ b/rules/sigma/process_creation/win_susp_curl_start_combo.yml @@ -31,3 +31,4 @@ tags: - attack.t1218 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml b/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml index 6395d703..f08246f2 100644 --- a/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml +++ b/rules/sigma/process_creation/win_susp_dctask64_proc_inject.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.t1055.001 - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml b/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml index 8a2b0c54..d835cde8 100644 --- a/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml +++ b/rules/sigma/process_creation/win_susp_desktopimgdownldr.yml @@ -41,3 +41,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_devtoolslauncher.yml b/rules/sigma/process_creation/win_susp_devtoolslauncher.yml index 9b6b6a0d..da072a61 100644 --- a/rules/sigma/process_creation/win_susp_devtoolslauncher.yml +++ b/rules/sigma/process_creation/win_susp_devtoolslauncher.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml index f9eef227..a1f5056c 100644 --- a/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_eventlog.yml b/rules/sigma/process_creation/win_susp_disable_eventlog.yml index 203ba0bb..5c633b4d 100644 --- a/rules/sigma/process_creation/win_susp_disable_eventlog.yml +++ b/rules/sigma/process_creation/win_susp_disable_eventlog.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1070.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_ie_features.yml b/rules/sigma/process_creation/win_susp_disable_ie_features.yml index d93a684c..51047ffa 100644 --- a/rules/sigma/process_creation/win_susp_disable_ie_features.yml +++ b/rules/sigma/process_creation/win_susp_disable_ie_features.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1089 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_disable_raccine.yml b/rules/sigma/process_creation/win_susp_disable_raccine.yml index 3fdc59a9..2cb54f69 100644 --- a/rules/sigma/process_creation/win_susp_disable_raccine.yml +++ b/rules/sigma/process_creation/win_susp_disable_raccine.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_diskshadow.yml b/rules/sigma/process_creation/win_susp_diskshadow.yml index 00382b38..c421bafc 100644 --- a/rules/sigma/process_creation/win_susp_diskshadow.yml +++ b/rules/sigma/process_creation/win_susp_diskshadow.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ditsnap.yml b/rules/sigma/process_creation/win_susp_ditsnap.yml index d567ef9f..129afb8c 100644 --- a/rules/sigma/process_creation/win_susp_ditsnap.yml +++ b/rules/sigma/process_creation/win_susp_ditsnap.yml @@ -28,3 +28,4 @@ tags: - attack.credential_access - attack.t1003.003 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dnx.yml b/rules/sigma/process_creation/win_susp_dnx.yml index 3fd0469a..476e4498 100644 --- a/rules/sigma/process_creation/win_susp_dnx.yml +++ b/rules/sigma/process_creation/win_susp_dnx.yml @@ -26,3 +26,4 @@ tags: - attack.t1218 - attack.t1027.004 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_double_extension.yml b/rules/sigma/process_creation/win_susp_double_extension.yml index 2ec6bfbd..79be6245 100644 --- a/rules/sigma/process_creation/win_susp_double_extension.yml +++ b/rules/sigma/process_creation/win_susp_double_extension.yml @@ -37,3 +37,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_dxcap.yml b/rules/sigma/process_creation/win_susp_dxcap.yml index 47e7bbee..f0790011 100644 --- a/rules/sigma/process_creation/win_susp_dxcap.yml +++ b/rules/sigma/process_creation/win_susp_dxcap.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml b/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml index c991b5c9..c64a7329 100644 --- a/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml +++ b/rules/sigma/process_creation/win_susp_emotet_rundll32_execution.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_eventlog_clear.yml b/rules/sigma/process_creation/win_susp_eventlog_clear.yml index 4b49fff0..150808bc 100644 --- a/rules/sigma/process_creation/win_susp_eventlog_clear.yml +++ b/rules/sigma/process_creation/win_susp_eventlog_clear.yml @@ -48,3 +48,4 @@ tags: - attack.t1070.001 - attack.t1070 - car.2016-04-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_execution_path.yml b/rules/sigma/process_creation/win_susp_execution_path.yml index 172443e7..c94b47a9 100644 --- a/rules/sigma/process_creation/win_susp_execution_path.yml +++ b/rules/sigma/process_creation/win_susp_execution_path.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_execution_path_webserver.yml b/rules/sigma/process_creation/win_susp_execution_path_webserver.yml index 807db25d..850d15d1 100644 --- a/rules/sigma/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/sigma/process_creation/win_susp_execution_path_webserver.yml @@ -37,3 +37,4 @@ tags: - attack.persistence - attack.t1505.003 - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_explorer.yml b/rules/sigma/process_creation/win_susp_explorer.yml index 997eeac8..e2acd3fc 100644 --- a/rules/sigma/process_creation/win_susp_explorer.yml +++ b/rules/sigma/process_creation/win_susp_explorer.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml b/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml index 664249c6..b51b27fa 100644 --- a/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml +++ b/rules/sigma/process_creation/win_susp_explorer_break_proctree.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_file_characteristics.yml b/rules/sigma/process_creation/win_susp_file_characteristics.yml index 91dd3b07..8e03c93c 100644 --- a/rules/sigma/process_creation/win_susp_file_characteristics.yml +++ b/rules/sigma/process_creation/win_susp_file_characteristics.yml @@ -39,3 +39,4 @@ tags: - attack.t1059.006 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml index c02e6c78..08acdaac 100644 --- a/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/sigma/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_findstr.yml b/rules/sigma/process_creation/win_susp_findstr.yml index be4e59b6..c6aa2a4d 100644 --- a/rules/sigma/process_creation/win_susp_findstr.yml +++ b/rules/sigma/process_creation/win_susp_findstr.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_findstr_lnk.yml b/rules/sigma/process_creation/win_susp_findstr_lnk.yml index 592dd6fd..4d8760ce 100644 --- a/rules/sigma/process_creation/win_susp_findstr_lnk.yml +++ b/rules/sigma/process_creation/win_susp_findstr_lnk.yml @@ -32,3 +32,4 @@ tags: - attack.t1036 - attack.t1202 - attack.t1027.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_finger_usage.yml b/rules/sigma/process_creation/win_susp_finger_usage.yml index d1e4cf27..04be3ea9 100644 --- a/rules/sigma/process_creation/win_susp_finger_usage.yml +++ b/rules/sigma/process_creation/win_susp_finger_usage.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_firewall_disable.yml b/rules/sigma/process_creation/win_susp_firewall_disable.yml index a35af3c7..c86787b5 100644 --- a/rules/sigma/process_creation/win_susp_firewall_disable.yml +++ b/rules/sigma/process_creation/win_susp_firewall_disable.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1562.004 - attack.s0108 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_fsutil_usage.yml b/rules/sigma/process_creation/win_susp_fsutil_usage.yml index a110a656..c58b6006 100644 --- a/rules/sigma/process_creation/win_susp_fsutil_usage.yml +++ b/rules/sigma/process_creation/win_susp_fsutil_usage.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ftp.yml b/rules/sigma/process_creation/win_susp_ftp.yml index 08cae4f2..2f4a5192 100644 --- a/rules/sigma/process_creation/win_susp_ftp.yml +++ b/rules/sigma/process_creation/win_susp_ftp.yml @@ -43,3 +43,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_gup.yml b/rules/sigma/process_creation/win_susp_gup.yml index 08c505f7..05add07f 100644 --- a/rules/sigma/process_creation/win_susp_gup.yml +++ b/rules/sigma/process_creation/win_susp_gup.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1574.002 - attack.t1073 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_iss_module_install.yml b/rules/sigma/process_creation/win_susp_iss_module_install.yml index 0938f179..dcbfb246 100644 --- a/rules/sigma/process_creation/win_susp_iss_module_install.yml +++ b/rules/sigma/process_creation/win_susp_iss_module_install.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1505.003 - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml b/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml index fac22b63..dfd6ca8a 100644 --- a/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/sigma/process_creation/win_susp_mounted_share_deletion.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml b/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml index 893c3b65..abe9d68d 100644 --- a/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml +++ b/rules/sigma/process_creation/win_susp_mpcmdrun_download.yml @@ -33,3 +33,4 @@ tags: - attack.t1218 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_mshta_pattern.yml b/rules/sigma/process_creation/win_susp_mshta_pattern.yml index 239b7e78..3ff795bd 100644 --- a/rules/sigma/process_creation/win_susp_mshta_pattern.yml +++ b/rules/sigma/process_creation/win_susp_mshta_pattern.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.execution - attack.t1106 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msiexec_cwd.yml b/rules/sigma/process_creation/win_susp_msiexec_cwd.yml index b900473b..b7fb39ce 100644 --- a/rules/sigma/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/sigma/process_creation/win_susp_msiexec_cwd.yml @@ -28,3 +28,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msiexec_web_install.yml b/rules/sigma/process_creation/win_susp_msiexec_web_install.yml index 88c81834..72bf73f2 100644 --- a/rules/sigma/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/sigma/process_creation/win_susp_msiexec_web_install.yml @@ -28,3 +28,4 @@ tags: - attack.t1218.007 - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_msoffice.yml b/rules/sigma/process_creation/win_susp_msoffice.yml index bb5cdc64..da52ea01 100644 --- a/rules/sigma/process_creation/win_susp_msoffice.yml +++ b/rules/sigma/process_creation/win_susp_msoffice.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.command_and_control - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_net_execution.yml b/rules/sigma/process_creation/win_susp_net_execution.yml index 9fb32086..ceb2807b 100644 --- a/rules/sigma/process_creation/win_susp_net_execution.yml +++ b/rules/sigma/process_creation/win_susp_net_execution.yml @@ -55,3 +55,4 @@ tags: - attack.t1021.002 - attack.t1077 - attack.s0039 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml b/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml index 32aeed50..b61176d4 100644 --- a/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1546.007 - attack.s0108 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ngrok_pua.yml b/rules/sigma/process_creation/win_susp_ngrok_pua.yml index bc129893..61f3cadf 100644 --- a/rules/sigma/process_creation/win_susp_ngrok_pua.yml +++ b/rules/sigma/process_creation/win_susp_ngrok_pua.yml @@ -52,3 +52,4 @@ status: experimental tags: - attack.command_and_control - attack.t1572 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ntdsutil.yml b/rules/sigma/process_creation/win_susp_ntdsutil.yml index 192f82b4..d6a8c396 100644 --- a/rules/sigma/process_creation/win_susp_ntdsutil.yml +++ b/rules/sigma/process_creation/win_susp_ntdsutil.yml @@ -25,3 +25,4 @@ tags: - attack.credential_access - attack.t1003.003 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_odbcconf.yml b/rules/sigma/process_creation/win_susp_odbcconf.yml index 68157db6..70b54b4a 100644 --- a/rules/sigma/process_creation/win_susp_odbcconf.yml +++ b/rules/sigma/process_creation/win_susp_odbcconf.yml @@ -34,3 +34,4 @@ tags: - attack.t1218.008 - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_openwith.yml b/rules/sigma/process_creation/win_susp_openwith.yml index 6b2b3907..364cce87 100644 --- a/rules/sigma/process_creation/win_susp_openwith.yml +++ b/rules/sigma/process_creation/win_susp_openwith.yml @@ -27,3 +27,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_outlook.yml b/rules/sigma/process_creation/win_susp_outlook.yml index bab24a0c..d19163fe 100644 --- a/rules/sigma/process_creation/win_susp_outlook.yml +++ b/rules/sigma/process_creation/win_susp_outlook.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_outlook_temp.yml b/rules/sigma/process_creation/win_susp_outlook_temp.yml index 24628d62..de3e9fb5 100644 --- a/rules/sigma/process_creation/win_susp_outlook_temp.yml +++ b/rules/sigma/process_creation/win_susp_outlook_temp.yml @@ -25,3 +25,4 @@ tags: - attack.initial_access - attack.t1566.001 - attack.t1193 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_pcwutl.yml b/rules/sigma/process_creation/win_susp_pcwutl.yml index 716554e7..234ce7d6 100644 --- a/rules/sigma/process_creation/win_susp_pcwutl.yml +++ b/rules/sigma/process_creation/win_susp_pcwutl.yml @@ -30,3 +30,4 @@ tags: - attack.t1218.011 - attack.execution - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_pester.yml b/rules/sigma/process_creation/win_susp_pester.yml index c2a2a0b1..8d0abd08 100644 --- a/rules/sigma/process_creation/win_susp_pester.yml +++ b/rules/sigma/process_creation/win_susp_pester.yml @@ -42,3 +42,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ping_hex_ip.yml b/rules/sigma/process_creation/win_susp_ping_hex_ip.yml index 266671e6..fd7a6daf 100644 --- a/rules/sigma/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/sigma/process_creation/win_susp_ping_hex_ip.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml b/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml index 6e3cb74a..e35a128a 100644 --- a/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml +++ b/rules/sigma/process_creation/win_susp_powershell_empire_launch.yml @@ -33,3 +33,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml index 55304b82..5efaf22c 100644 --- a/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml +++ b/rules/sigma/process_creation/win_susp_powershell_empire_uac_bypass.yml @@ -31,3 +31,4 @@ tags: - attack.t1548.002 - attack.t1088 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml b/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml index 73876d7b..25148719 100644 --- a/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/sigma/process_creation/win_susp_powershell_enc_cmd.yml @@ -58,3 +58,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml b/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml index 0438015e..bbbb5bad 100644 --- a/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml +++ b/rules/sigma/process_creation/win_susp_powershell_encoded_param.yml @@ -25,3 +25,4 @@ tags: - attack.t1086 - attack.defense_evasion - attack.t1027 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml index ed3d3a94..2f6c0b69 100644 --- a/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml +++ b/rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.credential_access - attack.t1552.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 78f74daa..72b75736 100644 --- a/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/sigma/process_creation/win_susp_powershell_hidden_b64_cmd.yml @@ -76,3 +76,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml b/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml index 16d37285..08017080 100644 --- a/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/sigma/process_creation/win_susp_powershell_parent_combo.yml @@ -35,3 +35,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_parent_process.yml b/rules/sigma/process_creation/win_susp_powershell_parent_process.yml index 07f6e48f..40a80112 100644 --- a/rules/sigma/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/sigma/process_creation/win_susp_powershell_parent_process.yml @@ -64,3 +64,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_powershell_sam_access.yml b/rules/sigma/process_creation/win_susp_powershell_sam_access.yml index ded4bc3f..66b21927 100644 --- a/rules/sigma/process_creation/win_susp_powershell_sam_access.yml +++ b/rules/sigma/process_creation/win_susp_powershell_sam_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_print.yml b/rules/sigma/process_creation/win_susp_print.yml index 264ac846..f9c8ff9b 100644 --- a/rules/sigma/process_creation/win_susp_print.yml +++ b/rules/sigma/process_creation/win_susp_print.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_procdump.yml b/rules/sigma/process_creation/win_susp_procdump.yml index f8f4c8f3..93ddf935 100644 --- a/rules/sigma/process_creation/win_susp_procdump.yml +++ b/rules/sigma/process_creation/win_susp_procdump.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_procdump_lsass.yml b/rules/sigma/process_creation/win_susp_procdump_lsass.yml index fba4d8fc..3698e60e 100644 --- a/rules/sigma/process_creation/win_susp_procdump_lsass.yml +++ b/rules/sigma/process_creation/win_susp_procdump_lsass.yml @@ -37,3 +37,4 @@ tags: - attack.t1003.001 - attack.t1003 - car.2013-05-009 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ps_appdata.yml b/rules/sigma/process_creation/win_susp_ps_appdata.yml index 1ff47e55..8e9d7a34 100644 --- a/rules/sigma/process_creation/win_susp_ps_appdata.yml +++ b/rules/sigma/process_creation/win_susp_ps_appdata.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1059.001 - attack.t1086 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_ps_downloadfile.yml b/rules/sigma/process_creation/win_susp_ps_downloadfile.yml index a3b540c4..fe12a56c 100644 --- a/rules/sigma/process_creation/win_susp_ps_downloadfile.yml +++ b/rules/sigma/process_creation/win_susp_ps_downloadfile.yml @@ -31,3 +31,4 @@ tags: - attack.command_and_control - attack.t1104 - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psexec_eula.yml b/rules/sigma/process_creation/win_susp_psexec_eula.yml index ccd05fd2..a8369a1c 100644 --- a/rules/sigma/process_creation/win_susp_psexec_eula.yml +++ b/rules/sigma/process_creation/win_susp_psexec_eula.yml @@ -27,3 +27,4 @@ tags: - attack.execution - attack.t1569 - attack.t1021 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml b/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml index dd061f87..5bb2f951 100644 --- a/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml +++ b/rules/sigma/process_creation/win_susp_psexex_paexec_flags.yml @@ -46,3 +46,4 @@ status: experimental tags: - attack.develop_capabilities - attack.t1587.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml b/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml index 967f57d7..2dc10ac9 100644 --- a/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml +++ b/rules/sigma/process_creation/win_susp_psr_capture_screenshots.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.collection - attack.t1113 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rar_flags.yml b/rules/sigma/process_creation/win_susp_rar_flags.yml index fc288237..0f1f8ff7 100644 --- a/rules/sigma/process_creation/win_susp_rar_flags.yml +++ b/rules/sigma/process_creation/win_susp_rar_flags.yml @@ -35,3 +35,4 @@ tags: - attack.t1560.001 - attack.exfiltration - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rasdial_activity.yml b/rules/sigma/process_creation/win_susp_rasdial_activity.yml index aaa83586..0bda6c47 100644 --- a/rules/sigma/process_creation/win_susp_rasdial_activity.yml +++ b/rules/sigma/process_creation/win_susp_rasdial_activity.yml @@ -26,3 +26,4 @@ tags: - attack.execution - attack.t1059 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml b/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml index 9ebabbfa..8393f05d 100644 --- a/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml +++ b/rules/sigma/process_creation/win_susp_razorinstaller_explorer.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1553 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rclone_execution.yml b/rules/sigma/process_creation/win_susp_rclone_execution.yml index d744b573..6504e07a 100644 --- a/rules/sigma/process_creation/win_susp_rclone_execution.yml +++ b/rules/sigma/process_creation/win_susp_rclone_execution.yml @@ -70,3 +70,4 @@ status: experimental tags: - attack.exfiltration - attack.t1567.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_recon_activity.yml b/rules/sigma/process_creation/win_susp_recon_activity.yml index 640b4a72..107a6814 100644 --- a/rules/sigma/process_creation/win_susp_recon_activity.yml +++ b/rules/sigma/process_creation/win_susp_recon_activity.yml @@ -38,3 +38,4 @@ tags: - attack.t1087.001 - attack.t1087.002 - attack.t1087 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml b/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml index bbf42839..671cc882 100644 --- a/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml +++ b/rules/sigma/process_creation/win_susp_reg_disable_sec_services.yml @@ -44,3 +44,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml index 8ed9110c..f450845e 100644 --- a/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml +++ b/rules/sigma/process_creation/win_susp_regedit_trustedinstaller.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_register_cimprovider.yml b/rules/sigma/process_creation/win_susp_register_cimprovider.yml index 57e4f7ec..24e47762 100644 --- a/rules/sigma/process_creation/win_susp_register_cimprovider.yml +++ b/rules/sigma/process_creation/win_susp_register_cimprovider.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1574 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_registration_via_cscript.yml b/rules/sigma/process_creation/win_susp_registration_via_cscript.yml index 82ca65dd..d5d61a1f 100644 --- a/rules/sigma/process_creation/win_susp_registration_via_cscript.yml +++ b/rules/sigma/process_creation/win_susp_registration_via_cscript.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml b/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml index c2b633cc..cd876fd6 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml @@ -72,3 +72,4 @@ tags: - attack.t1117 - car.2019-04-002 - car.2019-04-003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml b/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml index a7e09aa0..aea3af33 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1218.010 - attack.t1117 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml b/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml index dc90051c..9e5cfa2a 100644 --- a/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/sigma/process_creation/win_susp_regsvr32_no_dll.yml @@ -41,3 +41,4 @@ tags: - attack.defense_evasion - attack.t1574 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_dctask64.yml b/rules/sigma/process_creation/win_susp_renamed_dctask64.yml index ec05f3b8..c1d654bc 100644 --- a/rules/sigma/process_creation/win_susp_renamed_dctask64.yml +++ b/rules/sigma/process_creation/win_susp_renamed_dctask64.yml @@ -35,3 +35,4 @@ tags: - attack.t1055.001 - attack.t1202 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_debugview.yml b/rules/sigma/process_creation/win_susp_renamed_debugview.yml index 2bf85a4c..11afca8b 100644 --- a/rules/sigma/process_creation/win_susp_renamed_debugview.yml +++ b/rules/sigma/process_creation/win_susp_renamed_debugview.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_renamed_paexec.yml b/rules/sigma/process_creation/win_susp_renamed_paexec.yml index 3e10911f..d43935d9 100644 --- a/rules/sigma/process_creation/win_susp_renamed_paexec.yml +++ b/rules/sigma/process_creation/win_susp_renamed_paexec.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rpcping.yml b/rules/sigma/process_creation/win_susp_rpcping.yml index c4026f51..ed4c2bc2 100644 --- a/rules/sigma/process_creation/win_susp_rpcping.yml +++ b/rules/sigma/process_creation/win_susp_rpcping.yml @@ -48,3 +48,4 @@ status: experimental tags: - attack.credential_access - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_run_locations.yml b/rules/sigma/process_creation/win_susp_run_locations.yml index 33b1fd75..fdf5276a 100644 --- a/rules/sigma/process_creation/win_susp_run_locations.yml +++ b/rules/sigma/process_creation/win_susp_run_locations.yml @@ -37,3 +37,4 @@ tags: - attack.defense_evasion - attack.t1036 - car.2013-05-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_activity.yml b/rules/sigma/process_creation/win_susp_rundll32_activity.yml index 9ae36460..c5aaa0b7 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_activity.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_activity.yml @@ -104,3 +104,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml index 989ce2eb..805f4e50 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.t1218.011 - attack.t1085 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml index 983dbdf5..896ac256 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_inline_vbs.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_no_params.yml b/rules/sigma/process_creation/win_susp_rundll32_no_params.yml index da5fa0a8..668e28b9 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_no_params.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_no_params.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml index 7e67c2b5..7d954d8e 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_rundll32_sys.yml b/rules/sigma/process_creation/win_susp_rundll32_sys.yml index 2f9d276b..c1243ec3 100644 --- a/rules/sigma/process_creation/win_susp_rundll32_sys.yml +++ b/rules/sigma/process_creation/win_susp_rundll32_sys.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_runonce_execution.yml b/rules/sigma/process_creation/win_susp_runonce_execution.yml index 56df66d6..247ee4ea 100644 --- a/rules/sigma/process_creation/win_susp_runonce_execution.yml +++ b/rules/sigma/process_creation/win_susp_runonce_execution.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_runscripthelper.yml b/rules/sigma/process_creation/win_susp_runscripthelper.yml index 5bc96a8d..db727292 100644 --- a/rules/sigma/process_creation/win_susp_runscripthelper.yml +++ b/rules/sigma/process_creation/win_susp_runscripthelper.yml @@ -28,3 +28,4 @@ tags: - attack.t1059 - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_schtask_creation.yml b/rules/sigma/process_creation/win_susp_schtask_creation.yml index b39edc12..39681371 100644 --- a/rules/sigma/process_creation/win_susp_schtask_creation.yml +++ b/rules/sigma/process_creation/win_susp_schtask_creation.yml @@ -36,3 +36,4 @@ tags: - attack.t1053 - attack.s0111 - car.2013-08-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml b/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml index dda947a2..0bf21bb3 100644 --- a/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml +++ b/rules/sigma/process_creation/win_susp_schtask_creation_temp_folder.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.persistence - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_screenconnect_access.yml b/rules/sigma/process_creation/win_susp_screenconnect_access.yml index f6929d90..4a1b1f73 100644 --- a/rules/sigma/process_creation/win_susp_screenconnect_access.yml +++ b/rules/sigma/process_creation/win_susp_screenconnect_access.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.initial_access - attack.t1133 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_screensaver_reg.yml b/rules/sigma/process_creation/win_susp_screensaver_reg.yml index fdabba3e..bf3b87ee 100644 --- a/rules/sigma/process_creation/win_susp_screensaver_reg.yml +++ b/rules/sigma/process_creation/win_susp_screensaver_reg.yml @@ -53,3 +53,4 @@ status: experimental tags: - attack.privilege_escalation - attack.t1546.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml b/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml index 5168ba26..bb94734c 100644 --- a/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml +++ b/rules/sigma/process_creation/win_susp_script_exec_from_temp.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_script_execution.yml b/rules/sigma/process_creation/win_susp_script_execution.yml index 6bb9dbd6..2b692f32 100644 --- a/rules/sigma/process_creation/win_susp_script_execution.yml +++ b/rules/sigma/process_creation/win_susp_script_execution.yml @@ -35,3 +35,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_dacl_modification.yml b/rules/sigma/process_creation/win_susp_service_dacl_modification.yml index 64ec8860..e54e2999 100644 --- a/rules/sigma/process_creation/win_susp_service_dacl_modification.yml +++ b/rules/sigma/process_creation/win_susp_service_dacl_modification.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.persistence - attack.t1543.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_dir.yml b/rules/sigma/process_creation/win_susp_service_dir.yml index e63a8779..e07e3caf 100644 --- a/rules/sigma/process_creation/win_susp_service_dir.yml +++ b/rules/sigma/process_creation/win_susp_service_dir.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_service_path_modification.yml b/rules/sigma/process_creation/win_susp_service_path_modification.yml index 5bdc8107..dd2e2607 100644 --- a/rules/sigma/process_creation/win_susp_service_path_modification.yml +++ b/rules/sigma/process_creation/win_susp_service_path_modification.yml @@ -36,3 +36,4 @@ tags: - attack.privilege_escalation - attack.t1543.003 - attack.t1031 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml b/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml index 0ec193ba..e169f584 100644 --- a/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml +++ b/rules/sigma/process_creation/win_susp_servu_exploitation_cve_2021_35211.yml @@ -30,3 +30,4 @@ tags: - attack.persistence - attack.t1136.001 - cve.2021.35211 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_servu_process_pattern.yml b/rules/sigma/process_creation/win_susp_servu_process_pattern.yml index 9e73c29f..8f0a6432 100644 --- a/rules/sigma/process_creation/win_susp_servu_process_pattern.yml +++ b/rules/sigma/process_creation/win_susp_servu_process_pattern.yml @@ -41,3 +41,4 @@ tags: - attack.credential_access - attack.t1555 - cve.2021.35211 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml index 5e4a9d4d..71c83d56 100644 --- a/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml +++ b/rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml @@ -31,3 +31,4 @@ tags: - attack.initial_access - attack.persistence - attack.privilege_escalation +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_shimcache_flush.yml b/rules/sigma/process_creation/win_susp_shimcache_flush.yml index 4b84acb1..7e0788f0 100644 --- a/rules/sigma/process_creation/win_susp_shimcache_flush.yml +++ b/rules/sigma/process_creation/win_susp_shimcache_flush.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_splwow64.yml b/rules/sigma/process_creation/win_susp_splwow64.yml index 9ec1153e..8d557677 100644 --- a/rules/sigma/process_creation/win_susp_splwow64.yml +++ b/rules/sigma/process_creation/win_susp_splwow64.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml b/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml index 1cd77a52..c08f47da 100644 --- a/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml +++ b/rules/sigma/process_creation/win_susp_spoolsv_child_processes.yml @@ -88,3 +88,4 @@ tags: - attack.t1203 - attack.privilege_escalation - attack.t1068 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sqldumper_activity.yml b/rules/sigma/process_creation/win_susp_sqldumper_activity.yml index 298104e3..b8b0323c 100644 --- a/rules/sigma/process_creation/win_susp_sqldumper_activity.yml +++ b/rules/sigma/process_creation/win_susp_sqldumper_activity.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml b/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml index 9b9e5bba..caebe2f9 100644 --- a/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/sigma/process_creation/win_susp_squirrel_lolbin.yml @@ -63,3 +63,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_svchost.yml b/rules/sigma/process_creation/win_susp_svchost.yml index 87bba866..fd45a7dd 100644 --- a/rules/sigma/process_creation/win_susp_svchost.yml +++ b/rules/sigma/process_creation/win_susp_svchost.yml @@ -34,3 +34,4 @@ tags: - attack.defense_evasion - attack.t1036.005 - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_svchost_no_cli.yml b/rules/sigma/process_creation/win_susp_svchost_no_cli.yml index f2c97001..52770889 100644 --- a/rules/sigma/process_creation/win_susp_svchost_no_cli.yml +++ b/rules/sigma/process_creation/win_susp_svchost_no_cli.yml @@ -40,3 +40,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sysprep_appdata.yml b/rules/sigma/process_creation/win_susp_sysprep_appdata.yml index 6d162f93..d2e2eda4 100644 --- a/rules/sigma/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/sigma/process_creation/win_susp_sysprep_appdata.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.execution - attack.t1059 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_sysvol_access.yml b/rules/sigma/process_creation/win_susp_sysvol_access.yml index 528b45b2..d648c9b8 100644 --- a/rules/sigma/process_creation/win_susp_sysvol_access.yml +++ b/rules/sigma/process_creation/win_susp_sysvol_access.yml @@ -27,3 +27,4 @@ tags: - attack.credential_access - attack.t1552.006 - attack.t1003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml b/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml index 4d0750cf..ad5d12b4 100644 --- a/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml +++ b/rules/sigma/process_creation/win_susp_taskmgr_localsystem.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_taskmgr_parent.yml b/rules/sigma/process_creation/win_susp_taskmgr_parent.yml index df4511e3..9b2c7ba1 100644 --- a/rules/sigma/process_creation/win_susp_taskmgr_parent.yml +++ b/rules/sigma/process_creation/win_susp_taskmgr_parent.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tracker_execution.yml b/rules/sigma/process_creation/win_susp_tracker_execution.yml index 06e49130..1b7a080e 100644 --- a/rules/sigma/process_creation/win_susp_tracker_execution.yml +++ b/rules/sigma/process_creation/win_susp_tracker_execution.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tscon_localsystem.yml b/rules/sigma/process_creation/win_susp_tscon_localsystem.yml index d2386454..08f782d2 100644 --- a/rules/sigma/process_creation/win_susp_tscon_localsystem.yml +++ b/rules/sigma/process_creation/win_susp_tscon_localsystem.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.command_and_control - attack.t1219 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml index 2745bb1b..a822286b 100644 --- a/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/sigma/process_creation/win_susp_tscon_rdp_redirect.yml @@ -27,3 +27,4 @@ tags: - attack.t1076 - attack.t1021.001 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml b/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml index d324cd05..701fb462 100644 --- a/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml +++ b/rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml b/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml index cdba698c..6befae4c 100644 --- a/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml +++ b/rules/sigma/process_creation/win_susp_use_of_csharp_console.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml index 9d4e5f56..4819bdfc 100644 --- a/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_sqlps_bin.yml @@ -37,3 +37,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml index c5614e53..7afed0e8 100644 --- a/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_sqltoolsps_bin.yml @@ -36,3 +36,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1127 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_te_bin.yml b/rules/sigma/process_creation/win_susp_use_of_te_bin.yml index 54107567..bbfee003 100644 --- a/rules/sigma/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_te_bin.yml @@ -30,3 +30,4 @@ references: status: experimental tags: - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 41e7ec1d..129cafe2 100644 --- a/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/sigma/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.t1218 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_userinit_child.yml b/rules/sigma/process_creation/win_susp_userinit_child.yml index b78960dd..69c36675 100644 --- a/rules/sigma/process_creation/win_susp_userinit_child.yml +++ b/rules/sigma/process_creation/win_susp_userinit_child.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1055 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_vboxdrvinst.yml b/rules/sigma/process_creation/win_susp_vboxdrvinst.yml index 3baa5a7b..9e22da5f 100644 --- a/rules/sigma/process_creation/win_susp_vboxdrvinst.yml +++ b/rules/sigma/process_creation/win_susp_vboxdrvinst.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml b/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml index f42e5500..ec63af92 100644 --- a/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml +++ b/rules/sigma/process_creation/win_susp_vbscript_unc2452.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_volsnap_disable.yml b/rules/sigma/process_creation/win_susp_volsnap_disable.yml index 336feac0..399b8f0d 100644 --- a/rules/sigma/process_creation/win_susp_volsnap_disable.yml +++ b/rules/sigma/process_creation/win_susp_volsnap_disable.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_whoami.yml b/rules/sigma/process_creation/win_susp_whoami.yml index 5a05b904..3e9b4fb7 100644 --- a/rules/sigma/process_creation/win_susp_whoami.yml +++ b/rules/sigma/process_creation/win_susp_whoami.yml @@ -27,3 +27,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_whoami_anomaly.yml b/rules/sigma/process_creation/win_susp_whoami_anomaly.yml index bd5727da..5db10318 100644 --- a/rules/sigma/process_creation/win_susp_whoami_anomaly.yml +++ b/rules/sigma/process_creation/win_susp_whoami_anomaly.yml @@ -46,3 +46,4 @@ tags: - attack.discovery - attack.t1033 - car.2016-03-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrar_execution.yml b/rules/sigma/process_creation/win_susp_winrar_execution.yml index a4a2429f..67fa7ab4 100644 --- a/rules/sigma/process_creation/win_susp_winrar_execution.yml +++ b/rules/sigma/process_creation/win_susp_winrar_execution.yml @@ -31,3 +31,4 @@ tags: - attack.t1560.001 - attack.exfiltration - attack.t1002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml b/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml index 52e6a1c9..e1b0054f 100644 --- a/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml +++ b/rules/sigma/process_creation/win_susp_winrm_awl_bypass.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_winrm_execution.yml b/rules/sigma/process_creation/win_susp_winrm_execution.yml index e35a781c..44514596 100644 --- a/rules/sigma/process_creation/win_susp_winrm_execution.yml +++ b/rules/sigma/process_creation/win_susp_winrm_execution.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1216 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmi_execution.yml b/rules/sigma/process_creation/win_susp_wmi_execution.yml index 89e7a8f3..28689d46 100644 --- a/rules/sigma/process_creation/win_susp_wmi_execution.yml +++ b/rules/sigma/process_creation/win_susp_wmi_execution.yml @@ -47,3 +47,4 @@ tags: - attack.execution - attack.t1047 - car.2016-03-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml b/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml index f14f81a4..105fc0e1 100644 --- a/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml +++ b/rules/sigma/process_creation/win_susp_wmic_eventconsumer_create.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml b/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml index fc8effbe..798c4a34 100644 --- a/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml +++ b/rules/sigma/process_creation/win_susp_wmic_proc_create_rundll32.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml b/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml index 4a643194..3f81a81a 100644 --- a/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml +++ b/rules/sigma/process_creation/win_susp_wmic_security_product_uninstall.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_workfolders.yml b/rules/sigma/process_creation/win_susp_workfolders.yml index ef3cc086..f2c6c1a3 100644 --- a/rules/sigma/process_creation/win_susp_workfolders.yml +++ b/rules/sigma/process_creation/win_susp_workfolders.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wsl_lolbin.yml b/rules/sigma/process_creation/win_susp_wsl_lolbin.yml index c654622f..4c07fe34 100644 --- a/rules/sigma/process_creation/win_susp_wsl_lolbin.yml +++ b/rules/sigma/process_creation/win_susp_wsl_lolbin.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.t1218 - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_susp_wuauclt.yml b/rules/sigma/process_creation/win_susp_wuauclt.yml index 12679e91..7e4adefc 100644 --- a/rules/sigma/process_creation/win_susp_wuauclt.yml +++ b/rules/sigma/process_creation/win_susp_wuauclt.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.t1105 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_sysmon_driver_unload.yml b/rules/sigma/process_creation/win_sysmon_driver_unload.yml index 22bdda8f..40b76b45 100644 --- a/rules/sigma/process_creation/win_sysmon_driver_unload.yml +++ b/rules/sigma/process_creation/win_sysmon_driver_unload.yml @@ -32,3 +32,4 @@ tags: - attack.t1070 - attack.t1562 - attack.t1562.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_system_exe_anomaly.yml b/rules/sigma/process_creation/win_system_exe_anomaly.yml index 9808398b..aa12da3e 100644 --- a/rules/sigma/process_creation/win_system_exe_anomaly.yml +++ b/rules/sigma/process_creation/win_system_exe_anomaly.yml @@ -63,3 +63,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1036 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_tap_installer_execution.yml b/rules/sigma/process_creation/win_tap_installer_execution.yml index 7049ea2b..8f6fd41d 100644 --- a/rules/sigma/process_creation/win_tap_installer_execution.yml +++ b/rules/sigma/process_creation/win_tap_installer_execution.yml @@ -21,3 +21,4 @@ status: experimental tags: - attack.exfiltration - attack.t1048 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_task_folder_evasion.yml b/rules/sigma/process_creation/win_task_folder_evasion.yml index 17931b61..c492fdae 100644 --- a/rules/sigma/process_creation/win_task_folder_evasion.yml +++ b/rules/sigma/process_creation/win_task_folder_evasion.yml @@ -42,3 +42,4 @@ tags: - attack.t1574.002 - attack.t1059 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_termserv_proc_spawn.yml b/rules/sigma/process_creation/win_termserv_proc_spawn.yml index 37f5d500..8c1e763c 100644 --- a/rules/sigma/process_creation/win_termserv_proc_spawn.yml +++ b/rules/sigma/process_creation/win_termserv_proc_spawn.yml @@ -31,3 +31,4 @@ tags: - attack.lateral_movement - attack.t1210 - car.2013-07-002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_tools_relay_attacks.yml b/rules/sigma/process_creation/win_tools_relay_attacks.yml index b7a18ed1..2ed03653 100644 --- a/rules/sigma/process_creation/win_tools_relay_attacks.yml +++ b/rules/sigma/process_creation/win_tools_relay_attacks.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.execution - attack.t1557.001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_trust_discovery.yml b/rules/sigma/process_creation/win_trust_discovery.yml index c9ffcdd1..dec7db13 100644 --- a/rules/sigma/process_creation/win_trust_discovery.yml +++ b/rules/sigma/process_creation/win_trust_discovery.yml @@ -49,3 +49,4 @@ status: experimental tags: - attack.discovery - attack.t1482 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml b/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml index b96ad635..2ba8c989 100644 --- a/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml +++ b/rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml b/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml index ccd8854d..ef872366 100644 --- a/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml +++ b/rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml b/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml index 34c0eb75..1035c8e3 100644 --- a/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml +++ b/rules/sigma/process_creation/win_uac_bypass_computerdefaults.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml b/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml index 3767f9ea..eb90fc39 100644 --- a/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml +++ b/rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_dismhost.yml b/rules/sigma/process_creation/win_uac_bypass_dismhost.yml index d9f70da7..9f4d0e1d 100644 --- a/rules/sigma/process_creation/win_uac_bypass_dismhost.yml +++ b/rules/sigma/process_creation/win_uac_bypass_dismhost.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml b/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml index 3f6b541a..183ec99e 100644 --- a/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml +++ b/rules/sigma/process_creation/win_uac_bypass_ieinstal.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml b/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml index bc32dd6f..24650495 100644 --- a/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml +++ b/rules/sigma/process_creation/win_uac_bypass_msconfig_gui.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml b/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml index ca41d33f..03d661c9 100644 --- a/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml @@ -42,3 +42,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml b/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml index 2231e939..67992196 100644 --- a/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml +++ b/rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_winsat.yml b/rules/sigma/process_creation/win_uac_bypass_winsat.yml index 953d1596..80e7123d 100644 --- a/rules/sigma/process_creation/win_uac_bypass_winsat.yml +++ b/rules/sigma/process_creation/win_uac_bypass_winsat.yml @@ -30,3 +30,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_wmp.yml b/rules/sigma/process_creation/win_uac_bypass_wmp.yml index c17ef57f..1f28c793 100644 --- a/rules/sigma/process_creation/win_uac_bypass_wmp.yml +++ b/rules/sigma/process_creation/win_uac_bypass_wmp.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_bypass_wsreset.yml b/rules/sigma/process_creation/win_uac_bypass_wsreset.yml index 1387c576..b074bad0 100644 --- a/rules/sigma/process_creation/win_uac_bypass_wsreset.yml +++ b/rules/sigma/process_creation/win_uac_bypass_wsreset.yml @@ -29,3 +29,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_cmstp.yml b/rules/sigma/process_creation/win_uac_cmstp.yml index 6bd11065..b0962e31 100644 --- a/rules/sigma/process_creation/win_uac_cmstp.yml +++ b/rules/sigma/process_creation/win_uac_cmstp.yml @@ -37,3 +37,4 @@ tags: - attack.t1218.003 - attack.t1191 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_fodhelper.yml b/rules/sigma/process_creation/win_uac_fodhelper.yml index 8809fc98..38500baa 100644 --- a/rules/sigma/process_creation/win_uac_fodhelper.yml +++ b/rules/sigma/process_creation/win_uac_fodhelper.yml @@ -30,3 +30,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_uac_wsreset.yml b/rules/sigma/process_creation/win_uac_wsreset.yml index af1cc9d0..dcd9dfab 100644 --- a/rules/sigma/process_creation/win_uac_wsreset.yml +++ b/rules/sigma/process_creation/win_uac_wsreset.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml index fe842e29..8216137c 100644 --- a/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml +++ b/rules/sigma/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml @@ -38,3 +38,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1574.011 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml index dd09818a..340c7dd1 100644 --- a/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml +++ b/rules/sigma/process_creation/win_using_settingsynchost_as_lolbin.yml @@ -36,3 +36,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1574.008 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_verclsid_runs_com.yml b/rules/sigma/process_creation/win_verclsid_runs_com.yml index aeb3535d..664edb60 100644 --- a/rules/sigma/process_creation/win_verclsid_runs_com.yml +++ b/rules/sigma/process_creation/win_verclsid_runs_com.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_visual_basic_compiler.yml b/rules/sigma/process_creation/win_visual_basic_compiler.yml index 5ea68bff..7d249831 100644 --- a/rules/sigma/process_creation/win_visual_basic_compiler.yml +++ b/rules/sigma/process_creation/win_visual_basic_compiler.yml @@ -25,3 +25,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1027.004 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_vul_java_remote_debugging.yml b/rules/sigma/process_creation/win_vul_java_remote_debugging.yml index d12d2629..246aa1fa 100644 --- a/rules/sigma/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/sigma/process_creation/win_vul_java_remote_debugging.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.t1203 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_detection.yml b/rules/sigma/process_creation/win_webshell_detection.yml index f7117521..cea2853c 100644 --- a/rules/sigma/process_creation/win_webshell_detection.yml +++ b/rules/sigma/process_creation/win_webshell_detection.yml @@ -83,3 +83,4 @@ tags: - attack.t1087 - attack.privilege_escalation - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_recon_detection.yml b/rules/sigma/process_creation/win_webshell_recon_detection.yml index 8e44c26f..fae2818d 100644 --- a/rules/sigma/process_creation/win_webshell_recon_detection.yml +++ b/rules/sigma/process_creation/win_webshell_recon_detection.yml @@ -47,3 +47,4 @@ tags: - attack.t1505.003 - attack.privilege_escalation - attack.t1100 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_webshell_spawn.yml b/rules/sigma/process_creation/win_webshell_spawn.yml index 56fa82f9..615315d3 100644 --- a/rules/sigma/process_creation/win_webshell_spawn.yml +++ b/rules/sigma/process_creation/win_webshell_spawn.yml @@ -40,3 +40,4 @@ tags: - attack.t1505.003 - attack.privilege_escalation - attack.t1190 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_whoami_as_system.yml b/rules/sigma/process_creation/win_whoami_as_system.yml index ddafbb33..149d9c8a 100644 --- a/rules/sigma/process_creation/win_whoami_as_system.yml +++ b/rules/sigma/process_creation/win_whoami_as_system.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.discovery - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_whoami_priv.yml b/rules/sigma/process_creation/win_whoami_priv.yml index c7bd199b..1dd1101c 100644 --- a/rules/sigma/process_creation/win_whoami_priv.yml +++ b/rules/sigma/process_creation/win_whoami_priv.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.discovery - attack.t1033 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_win10_sched_task_0day.yml b/rules/sigma/process_creation/win_win10_sched_task_0day.yml index c1e4995e..e7738854 100644 --- a/rules/sigma/process_creation/win_win10_sched_task_0day.yml +++ b/rules/sigma/process_creation/win_win10_sched_task_0day.yml @@ -34,3 +34,4 @@ tags: - attack.t1053.005 - attack.t1053 - car.2013-08-001 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_winword_dll_load.yml b/rules/sigma/process_creation/win_winword_dll_load.yml index 14b8447c..0274c2a6 100644 --- a/rules/sigma/process_creation/win_winword_dll_load.yml +++ b/rules/sigma/process_creation/win_winword_dll_load.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1202 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index bd7a3238..9582d440 100644 --- a/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/sigma/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -24,3 +24,4 @@ tags: - attack.persistence - attack.t1546.003 - attack.t1084 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml index cbd76831..43341b28 100644 --- a/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml +++ b/rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -27,3 +27,4 @@ tags: - attack.privilege_escalation - attack.t1546.003 - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmi_spwns_powershell.yml b/rules/sigma/process_creation/win_wmi_spwns_powershell.yml index 6c27166c..151919c7 100644 --- a/rules/sigma/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/sigma/process_creation/win_wmi_spwns_powershell.yml @@ -37,3 +37,4 @@ tags: - attack.t1059.001 - attack.defense_evasion - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml b/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml index 2c6d0f78..8e5fa0e4 100644 --- a/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/sigma/process_creation/win_wmiprvse_spawning_process.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.execution - attack.t1047 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_workflow_compiler.yml b/rules/sigma/process_creation/win_workflow_compiler.yml index 3d01e095..317f17fe 100644 --- a/rules/sigma/process_creation/win_workflow_compiler.yml +++ b/rules/sigma/process_creation/win_workflow_compiler.yml @@ -34,3 +34,4 @@ tags: - attack.execution - attack.t1127 - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml b/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml index 513ee21f..9734bb56 100644 --- a/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml +++ b/rules/sigma/process_creation/win_write_protect_for_storage_disabled.yml @@ -24,3 +24,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_wsreset_uac_bypass.yml b/rules/sigma/process_creation/win_wsreset_uac_bypass.yml index aea9c179..448f848a 100644 --- a/rules/sigma/process_creation/win_wsreset_uac_bypass.yml +++ b/rules/sigma/process_creation/win_wsreset_uac_bypass.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.t1548.002 - attack.t1088 +ruletype: SIGMA diff --git a/rules/sigma/process_creation/win_xsl_script_processing.yml b/rules/sigma/process_creation/win_xsl_script_processing.yml index 2885b16d..dc06f130 100644 --- a/rules/sigma/process_creation/win_xsl_script_processing.yml +++ b/rules/sigma/process_creation/win_xsl_script_processing.yml @@ -32,3 +32,4 @@ tags: - attack.defense_evasion - attack.t1220 - attack.execution +ruletype: SIGMA diff --git a/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 1cfb9e57..655fd721 100644 --- a/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -50,3 +50,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1006 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index 47a4fc3b..50a11633 100644 --- a/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/sigma/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -53,3 +53,4 @@ tags: - attack.persistence - attack.t1112 - attack.t1053 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml b/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml index 7070f2db..8c2e1ff7 100644 --- a/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml +++ b/rules/sigma/registry_event/registry_event_apt_chafer_mar18.yml @@ -43,3 +43,4 @@ tags: - attack.command_and_control - attack.t1071 - attack.t1071.004 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_apt_pandemic.yml b/rules/sigma/registry_event/registry_event_apt_pandemic.yml index 7ee287d2..327c1f6f 100644 --- a/rules/sigma/registry_event/registry_event_apt_pandemic.yml +++ b/rules/sigma/registry_event/registry_event_apt_pandemic.yml @@ -35,3 +35,4 @@ status: experimental tags: - attack.lateral_movement - attack.t1105 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml index 11f8126e..f89695a2 100644 --- a/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/sigma/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -36,3 +36,4 @@ tags: - attack.t1203 - cve.2021.33771 - cve.2021.31979 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_disabled.yml b/rules/sigma/registry_event/registry_event_defender_disabled.yml index a3b4d5ad..ea3d5925 100644 --- a/rules/sigma/registry_event/registry_event_defender_disabled.yml +++ b/rules/sigma/registry_event/registry_event_defender_disabled.yml @@ -45,3 +45,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_exclusions.yml b/rules/sigma/registry_event/registry_event_defender_exclusions.yml index 37d849a8..78cd6175 100644 --- a/rules/sigma/registry_event/registry_event_defender_exclusions.yml +++ b/rules/sigma/registry_event/registry_event_defender_exclusions.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.t1089 - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml b/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml index 44c19389..ca214320 100644 --- a/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml +++ b/rules/sigma/registry_event/registry_event_defender_realtime_protection_disabled.yml @@ -45,3 +45,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml index a477187d..d4b4318f 100644 --- a/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/sigma/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -38,3 +38,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_mal_adwind.yml b/rules/sigma/registry_event/registry_event_mal_adwind.yml index 0bb3420e..a983849c 100644 --- a/rules/sigma/registry_event/registry_event_mal_adwind.yml +++ b/rules/sigma/registry_event/registry_event_mal_adwind.yml @@ -33,3 +33,4 @@ tags: - attack.t1059.005 - attack.t1059.007 - attack.t1064 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml b/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml index c3c71069..d58152ff 100644 --- a/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml +++ b/rules/sigma/registry_event/registry_event_mstsc_history_cleared.yml @@ -36,3 +36,4 @@ tags: - attack.defense_evasion - attack.t1070 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml index 35ac8dce..f1a99841 100644 --- a/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/sigma/registry_event/registry_event_net_ntlm_downgrade.yml @@ -39,3 +39,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml index f983bf9b..f2e2bef4 100644 --- a/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml @@ -39,3 +39,4 @@ tags: - attack.t1546.008 - car.2014-11-003 - car.2014-11-008 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml b/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml index 16be38c5..642365f2 100644 --- a/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml +++ b/rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml b/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml index 7d91f686..57604345 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_eventvwr.yml @@ -33,3 +33,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml b/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml index d37c5a83..59f88910 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_winsat.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml b/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml index 4cc90b7b..4bfac7b5 100644 --- a/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml +++ b/rules/sigma/registry_event/registry_event_uac_bypass_wmp.yml @@ -31,3 +31,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_apt_leviathan.yml b/rules/sigma/registry_event/sysmon_apt_leviathan.yml index 3160a30b..9d2fac02 100644 --- a/rules/sigma/registry_event/sysmon_apt_leviathan.yml +++ b/rules/sigma/registry_event/sysmon_apt_leviathan.yml @@ -26,3 +26,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml index bd405131..969decd2 100644 --- a/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/sigma/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -51,3 +51,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml index d7391e94..8c1f3063 100644 --- a/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/sigma/registry_event/sysmon_asep_reg_keys_modification.yml @@ -231,3 +231,4 @@ tags: - attack.persistence - attack.t1547.001 - attack.t1060 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml b/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml index beb70a1b..2f94b1c7 100644 --- a/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml +++ b/rules/sigma/registry_event/sysmon_bypass_via_wsreset.yml @@ -35,3 +35,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml b/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml index ae74dd3e..6eb2b955 100644 --- a/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml +++ b/rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml @@ -36,3 +36,4 @@ tags: - attack.t1218.003 - attack.g0069 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml b/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml index f39eb920..7b730927 100644 --- a/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml +++ b/rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml @@ -48,3 +48,4 @@ tags: - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml b/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml index 1d037bb5..bf7277dc 100644 --- a/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/sigma/registry_event/sysmon_comhijack_sdclt.yml @@ -29,3 +29,4 @@ tags: - attack.privilege_escalation - attack.t1546 - attack.t1548 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_cve_2020_1048.yml b/rules/sigma/registry_event/sysmon_cve_2020_1048.yml index 3e5b4efb..fba7657b 100644 --- a/rules/sigma/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/sigma/registry_event/sysmon_cve_2020_1048.yml @@ -37,3 +37,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml b/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml index 4ff4a311..56e63171 100644 --- a/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/sigma/registry_event/sysmon_dhcp_calloutdll.yml @@ -34,3 +34,4 @@ tags: - attack.t1073 - attack.t1574.002 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml b/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml index 18b5d1b9..10aa12ca 100644 --- a/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml +++ b/rules/sigma/registry_event/sysmon_disable_microsoft_office_security_features.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 74433337..b398fad1 100644 --- a/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/sigma/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -40,3 +40,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml index 9fdeea1f..b0d53219 100644 --- a/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml +++ b/rules/sigma/registry_event/sysmon_disable_wdigest_credential_guard.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml index 1ba4eb36..84bb048e 100644 --- a/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_exploit_guard_network_protection_on_microsoft_defender.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml index 1cb3b3bc..9b75869c 100644 --- a/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml index 2cf4c8cf..5ccd2ead 100644 --- a/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml +++ b/rules/sigma/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml b/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml index ce52751a..f5c714ab 100644 --- a/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/sigma/registry_event/sysmon_dns_over_https_enabled.yml @@ -45,3 +45,4 @@ tags: - attack.defense_evasion - attack.t1140 - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml index a702399a..4fac02e1 100644 --- a/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml +++ b/rules/sigma/registry_event/sysmon_enabling_cor_profiler_env_variables.yml @@ -31,3 +31,4 @@ tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1574.012 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_etw_disabled.yml b/rules/sigma/registry_event/sysmon_etw_disabled.yml index 31f5f21e..b73cb73c 100644 --- a/rules/sigma/registry_event/sysmon_etw_disabled.yml +++ b/rules/sigma/registry_event/sysmon_etw_disabled.yml @@ -36,3 +36,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_hack_wce_reg.yml b/rules/sigma/registry_event/sysmon_hack_wce_reg.yml index 4962c14f..0cae5dc2 100644 --- a/rules/sigma/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/sigma/registry_event/sysmon_hack_wce_reg.yml @@ -29,3 +29,4 @@ tags: - attack.t1003 - attack.t1003.001 - attack.s0005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index bfc12fd8..7daf835f 100644 --- a/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/sigma/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.resource_development - attack.t1608 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index 4777a4cd..887bdde1 100644 --- a/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml @@ -30,3 +30,4 @@ tags: - attack.t1037.001 - attack.persistence - attack.lateral_movement +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml index e914e036..94c66766 100644 --- a/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml +++ b/rules/sigma/registry_event/sysmon_modify_screensaver_binary_path.yml @@ -34,3 +34,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.t1546.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml index d9c8340e..410e93d7 100644 --- a/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/sigma/registry_event/sysmon_narrator_feedback_persistance.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_application_appcompat.yml b/rules/sigma/registry_event/sysmon_new_application_appcompat.yml index 9c7733c7..835b8d41 100644 --- a/rules/sigma/registry_event/sysmon_new_application_appcompat.yml +++ b/rules/sigma/registry_event/sysmon_new_application_appcompat.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.execution - attack.t1204.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index ae044c0b..c84ed6ff 100644 --- a/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -39,3 +39,4 @@ tags: - attack.persistence - attack.t1182 - attack.t1546.009 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index e0c7bfe5..5a5fa60c 100644 --- a/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1103 - attack.t1546.010 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_office_test_regadd.yml b/rules/sigma/registry_event/sysmon_office_test_regadd.yml index 35a4572d..caa8a945 100644 --- a/rules/sigma/registry_event/sysmon_office_test_regadd.yml +++ b/rules/sigma/registry_event/sysmon_office_test_regadd.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.persistence - attack.t1137.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml b/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml index 41a8ba12..9ad28c58 100644 --- a/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml +++ b/rules/sigma/registry_event/sysmon_office_vsto_persistence.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.t1137.006 - attack.persistence +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_powershell_as_service.yml b/rules/sigma/registry_event/sysmon_powershell_as_service.yml index 345b7c13..775fc0f7 100644 --- a/rules/sigma/registry_event/sysmon_powershell_as_service.yml +++ b/rules/sigma/registry_event/sysmon_powershell_as_service.yml @@ -34,3 +34,4 @@ status: experimental tags: - attack.execution - attack.t1569.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml b/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml index bb969501..51554d98 100644 --- a/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/sigma/registry_event/sysmon_rdp_registry_modification.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml b/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml index e4ad6e3a..36738191 100644 --- a/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml +++ b/rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml index 5f2d7f48..c44f57e1 100644 --- a/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml +++ b/rules/sigma/registry_event/sysmon_redmimicry_winnti_reg.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_office_security.yml b/rules/sigma/registry_event/sysmon_reg_office_security.yml index 938c7f92..6caf7c7a 100644 --- a/rules/sigma/registry_event/sysmon_reg_office_security.yml +++ b/rules/sigma/registry_event/sysmon_reg_office_security.yml @@ -31,3 +31,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml b/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml index de9e5d71..08aec125 100644 --- a/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/sigma/registry_event/sysmon_reg_silentprocessexit.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.persistence - attack.t1546.012 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml index 54ee5d2a..6ca17d58 100644 --- a/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/sigma/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.007 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml index a6b4e5ab..34bb8a51 100644 --- a/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/sigma/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -42,3 +42,4 @@ status: experimental tags: - attack.persistence - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml index 2c11e9e9..f751b27a 100644 --- a/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/sigma/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.persistence - attack.t1136.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml index df0723ce..d9d67dcd 100644 --- a/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml +++ b/rules/sigma/registry_event/sysmon_registry_persistence_key_linking.yml @@ -35,3 +35,4 @@ tags: - attack.persistence - attack.t1122 - attack.t1546.015 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml b/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml index 6be91ede..26df3420 100644 --- a/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/sigma/registry_event/sysmon_registry_persistence_search_order.yml @@ -66,3 +66,4 @@ status: experimental tags: - attack.persistence - attack.t1546.015 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml index c77c2eb8..e2b54cc4 100644 --- a/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/sigma/registry_event/sysmon_registry_susp_printer_driver.yml @@ -34,3 +34,4 @@ tags: - attack.privilege_escalation - attack.t1574 - cve.2021.1675 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml b/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml index ce240953..8ce84d86 100644 --- a/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml +++ b/rules/sigma/registry_event/sysmon_registry_trust_record_modification.yml @@ -30,3 +30,4 @@ tags: - attack.initial_access - attack.t1193 - attack.t1566.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml b/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml index 427629d7..db71adeb 100644 --- a/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_removal_amsi_registry_key.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1562.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml index 3ca819ae..d66c1d30 100644 --- a/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml +++ b/rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_runkey_winekey.yml b/rules/sigma/registry_event/sysmon_runkey_winekey.yml index 934a6657..c754976c 100644 --- a/rules/sigma/registry_event/sysmon_runkey_winekey.yml +++ b/rules/sigma/registry_event/sysmon_runkey_winekey.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_runonce_persistence.yml b/rules/sigma/registry_event/sysmon_runonce_persistence.yml index e2e3a995..de508cbc 100644 --- a/rules/sigma/registry_event/sysmon_runonce_persistence.yml +++ b/rules/sigma/registry_event/sysmon_runonce_persistence.yml @@ -30,3 +30,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml b/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml index 481d4674..b0c3d76d 100644 --- a/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml +++ b/rules/sigma/registry_event/sysmon_ssp_added_lsa_config.yml @@ -37,3 +37,4 @@ tags: - attack.persistence - attack.t1101 - attack.t1547.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml b/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml index 3f053a8e..0eea2775 100644 --- a/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml +++ b/rules/sigma/registry_event/sysmon_susp_atbroker_change.yml @@ -33,3 +33,4 @@ tags: - attack.t1218 - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_download_run_key.yml b/rules/sigma/registry_event/sysmon_susp_download_run_key.yml index 491fd3a9..27cc9d19 100644 --- a/rules/sigma/registry_event/sysmon_susp_download_run_key.yml +++ b/rules/sigma/registry_event/sysmon_susp_download_run_key.yml @@ -34,3 +34,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml index ecbd5173..f3e21aae 100644 --- a/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml +++ b/rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml @@ -33,3 +33,4 @@ tags: - attack.persistence - attack.t1177 - attack.t1547.008 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml b/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml index b94e2ba4..98a7cc29 100644 --- a/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml +++ b/rules/sigma/registry_event/sysmon_susp_mic_cam_access.yml @@ -45,3 +45,4 @@ tags: - attack.collection - attack.t1125 - attack.t1123 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml index c5562124..bc41185c 100644 --- a/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/sigma/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -44,3 +44,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml index da55b2d4..5c1b159d 100644 --- a/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml @@ -48,3 +48,4 @@ tags: - attack.persistence - attack.t1060 - attack.t1547.001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_susp_service_installed.yml b/rules/sigma/registry_event/sysmon_susp_service_installed.yml index dd34521c..4fa24636 100644 --- a/rules/sigma/registry_event/sysmon_susp_service_installed.yml +++ b/rules/sigma/registry_event/sysmon_susp_service_installed.yml @@ -43,3 +43,4 @@ tags: - attack.t1089 - attack.t1562.001 - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml index 279f61cd..7fe0ee4a 100644 --- a/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/sigma/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -40,3 +40,4 @@ status: experimental tags: - attack.resource_development - attack.t1588.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index a795baf7..424020dc 100644 --- a/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/sigma/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1070.004 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_taskcache_entry.yml b/rules/sigma/registry_event/sysmon_taskcache_entry.yml index b109b134..01e7fe0f 100644 --- a/rules/sigma/registry_event/sysmon_taskcache_entry.yml +++ b/rules/sigma/registry_event/sysmon_taskcache_entry.yml @@ -31,3 +31,4 @@ tags: - attack.persistence - attack.t1053 - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml index bc0656b6..e34c74fe 100644 --- a/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/sigma/registry_event/sysmon_uac_bypass_sdclt.yml @@ -37,3 +37,4 @@ tags: - attack.t1088 - attack.t1548.002 - car.2019-04-001 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml index ff247a5b..e07ddd1a 100644 --- a/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml +++ b/rules/sigma/registry_event/sysmon_volume_shadow_copy_service_keys.yml @@ -32,3 +32,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml index 4da84d48..0ab1a004 100644 --- a/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/sigma/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -33,3 +33,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1218 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml index 457cf9ae..5af07936 100644 --- a/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml +++ b/rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml @@ -29,3 +29,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_persistence.yml b/rules/sigma/registry_event/sysmon_win_reg_persistence.yml index 22c7885f..03736a3c 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_persistence.yml @@ -45,3 +45,4 @@ tags: - attack.t1183 - attack.t1546.012 - car.2013-01-002 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml b/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml index 18562284..92f1fbf2 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_persistence_recycle_bin.yml @@ -32,3 +32,4 @@ references: tags: - attack.persistence - attack.t1547 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml index 1a2299f8..b9bfe897 100644 --- a/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/sigma/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -37,3 +37,4 @@ status: experimental tags: - attack.persistence - attack.t1053.005 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_c2_registry_key.yml b/rules/sigma/registry_event/win_outlook_c2_registry_key.yml index 371ab09e..e96d95ab 100644 --- a/rules/sigma/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/sigma/registry_event/win_outlook_c2_registry_key.yml @@ -34,3 +34,4 @@ tags: - attack.t1137 - attack.t1008 - attack.t1546 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_registry_todaypage.yml b/rules/sigma/registry_event/win_outlook_registry_todaypage.yml index 89f63689..56824781 100644 --- a/rules/sigma/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/sigma/registry_event/win_outlook_registry_todaypage.yml @@ -38,3 +38,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_outlook_registry_webview.yml b/rules/sigma/registry_event/win_outlook_registry_webview.yml index 7ab74484..a613d10d 100644 --- a/rules/sigma/registry_event/win_outlook_registry_webview.yml +++ b/rules/sigma/registry_event/win_outlook_registry_webview.yml @@ -39,3 +39,4 @@ status: experimental tags: - attack.persistence - attack.t1112 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_portproxy_registry_key.yml b/rules/sigma/registry_event/win_portproxy_registry_key.yml index 49dfc1f4..14db3036 100644 --- a/rules/sigma/registry_event/win_portproxy_registry_key.yml +++ b/rules/sigma/registry_event/win_portproxy_registry_key.yml @@ -33,3 +33,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1090 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_file_association_exefile.yml b/rules/sigma/registry_event/win_registry_file_association_exefile.yml index deab0db5..fb84dab4 100644 --- a/rules/sigma/registry_event/win_registry_file_association_exefile.yml +++ b/rules/sigma/registry_event/win_registry_file_association_exefile.yml @@ -31,3 +31,4 @@ references: status: experimental tags: - attack.defense_evasion +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml index 12a076e7..611b746c 100644 --- a/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/sigma/registry_event/win_registry_mimikatz_printernightmare.yml @@ -56,3 +56,4 @@ tags: - attack.t1204 - cve.2021.1675 - cve.2021.34527 +ruletype: SIGMA diff --git a/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml index 7077ba25..8c80ff5d 100644 --- a/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -52,3 +52,4 @@ tags: - attack.privilege_escalation - attack.t1548.002 - attack.t1546.001 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index b2670d61..5d80b975 100644 --- a/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -27,3 +27,4 @@ status: experimental tags: - attack.credential_access - attack.t1003.001 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_config_modification_error.yml b/rules/sigma/sysmon/sysmon_config_modification_error.yml index 3cda69bc..4d865906 100644 --- a/rules/sigma/sysmon/sysmon_config_modification_error.yml +++ b/rules/sigma/sysmon/sysmon_config_modification_error.yml @@ -26,3 +26,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_config_modification_status.yml b/rules/sigma/sysmon/sysmon_config_modification_status.yml index 909fd4eb..bfeaff0d 100644 --- a/rules/sigma/sysmon/sysmon_config_modification_status.yml +++ b/rules/sigma/sysmon/sysmon_config_modification_status.yml @@ -28,3 +28,4 @@ status: experimental tags: - attack.defense_evasion - attack.t1564 +ruletype: SIGMA diff --git a/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml index ef84d38c..ce935828 100644 --- a/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml +++ b/rules/sigma/sysmon/sysmon_dcom_iertutil_dll_hijack.yml @@ -35,3 +35,4 @@ tags: - attack.lateral_movement - attack.t1021.002 - attack.t1021.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml b/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml index c8379776..e727715f 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml @@ -23,3 +23,4 @@ tags: - attack.t1084 - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index e540de8c..80ecfbd6 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -40,3 +40,4 @@ tags: - attack.t1047 - attack.persistence - attack.t1546.003 +ruletype: SIGMA diff --git a/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml index 02aeddd6..c2bb35c3 100644 --- a/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml @@ -57,3 +57,4 @@ tags: - attack.t1086 - attack.execution - attack.t1059.005 +ruletype: SIGMA diff --git a/tools/sigmac/hayabusa.py b/tools/sigmac/hayabusa.py index bf69c67b..21c23e10 100644 --- a/tools/sigmac/hayabusa.py +++ b/tools/sigmac/hayabusa.py @@ -11,60 +11,67 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier SPECIAL_REGEX = re.compile("^\{(\d)+,?(\d+)?\}") + class HayabusaBackend(SingleTextQueryBackend): """Base class for backends that generate one text-based expression from a Sigma rule""" - ## see tools.py - ## use this value when sigmac parse argument of "-t" + # see tools.py + # use this value when sigmac parse argument of "-t" identifier = "hayabusa" active = True # the following class variables define the generation and behavior of queries from a parse tree some are prefilled with default values that are quite usual - andToken = " and " # Token used for linking expressions with logical AND + # Token used for linking expressions with logical AND + andToken = " and " orToken = " or " # Same for OR notToken = " not " # Same for NOT - subExpression = "(%s)" # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + subExpression = "(%s)" valueExpression = "%s" # Expression of values, %s represents value - typedValueExpression = dict() # Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value + # Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value + typedValueExpression = dict() sort_condition_lists = False mapListsSpecialHandling = True name_idx = 1 selection_prefix = "SELECTION_{0}" name_2_selection = OrderedDict() - + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) self.re_init() - + def re_init(self): self.name_idx = 1 self.name_2_selection = OrderedDict() - + def cleanValue(self, val): return val - + def generateListNode(self, node): return self.generateORNode(node) - + def create_new_selection(self): name = self.selection_prefix.format(self.name_idx) - self.name_idx+=1 + self.name_idx += 1 return name - + def generateMapItemNode(self, node): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): name = self.create_new_selection() - self.name_2_selection[name] = [(transformed_fieldname, self.generateNode(value))] + self.name_2_selection[name] = [ + (transformed_fieldname, self.generateNode(value))] return name elif type(value) == list: return self.generateMapItemListNode(transformed_fieldname, value) elif isinstance(value, SigmaTypeModifier): return self.generateMapItemTypedNode(transformed_fieldname, value) elif value is None: - return self.generateNode((transformed_fieldname+"|re","^$")) #nullは正規表現で表す。これでいいのかちょっと不安 + # nullは正規表現で表す。これでいいのかちょっと不安 + return self.generateNode((transformed_fieldname+"|re", "^$")) else: - raise TypeError("Backend does not support map values of type " + str(type(value))) - + raise TypeError( + "Backend does not support map values of type " + str(type(value))) + def generateMapItemTypedNode(self, fieldname, value): # `|re`オプションに対応 if type(value) == SigmaRegularExpressionModifier: @@ -73,76 +80,77 @@ class HayabusaBackend(SingleTextQueryBackend): # pythonとかの正規表現では/(スラッシュ)や"(ダブルクオート)をエスケープしてもエラーが出ないが、Rustの正規表現エンジンではスラッシュやダブルクオートをエスケープするとエラーが出てしまう # そこでスラッシュやダブルクオートのエスケープは消しておく。 # あと、この実装は結構怪しいので、将来バージョンではこの実装を無くして、hayabusa側で使用する正規表現エンジンを普通のpythonとかで使われているやつに変えた方がいいと思う。 - regex_value = value.value.replace('\/','/') - regex_value = regex_value.replace("\\\"","\"") - - ## 追加のケースとして、pythonとかの正規表現では{はエスケープ不要だが、Rustでは必要なので、それを修正するためのコード。めんどい + regex_value = value.value.replace('\/', '/') + regex_value = regex_value.replace("\\\"", "\"") + + # 追加のケースとして、pythonとかの正規表現では{はエスケープ不要だが、Rustでは必要なので、それを修正するためのコード。めんどい idx = 0 prev_regex = regex_value regex_value = "" while idx < len(prev_regex): - ## 既にエスケープされているものはスキップする。 + # 既にエスケープされているものはスキップする。 if prev_regex[idx:idx+2] == "\\{" or prev_regex[idx:idx+2] == "\\}": regex_value += prev_regex[idx:idx+2] idx += 2 continue - + ch = prev_regex[idx] - ## エスケープ不要な}はここに来ないように、以降の処理でidxを調整している。なのでここにくる}はエスケープが必要。 + # エスケープ不要な}はここに来ないように、以降の処理でidxを調整している。なのでここにくる}はエスケープが必要。 if ch == "}": regex_value += "\\}" idx += 1 continue - - ## {じゃない場合はそのまま足すだけ + + # {じゃない場合はそのまま足すだけ if ch != "{": regex_value += ch idx += 1 continue - - ## {の場合の処理 + + # {の場合の処理 reg_match = SPECIAL_REGEX.match(prev_regex[idx:]) if reg_match == None: - ## 文字列としての{なので、エスケープ必要 + # 文字列としての{なので、エスケープ必要 regex_value += "\\{" idx += 1 else: - ## これは桁数を指定する{なので、エスケープ不要で}までidxをスキップ + # これは桁数を指定する{なので、エスケープ不要で}までidxをスキップ regex_value += reg_match.group() idx += len(reg_match.group()) return self.generateNode((fieldname, regex_value)) else: - raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + raise NotImplementedError( + "Type modifier '{}' is not supported by backend".format(value.identifier)) def generateMapItemListNode(self, fieldname, value): - ### 下記のようなケースに対応 - ### selection: - ### EventID: + # 下記のようなケースに対応 + # selection: + # EventID: ### - 1 ### - 2 - ### 基本的にリストはORと良く、generateListNodeもORNodeを生成している。 - ### しかし、上記のケースでgenerateListNode()を実行すると、下記のようなYAMLになってしまう。 - ### selection: + # 基本的にリストはORと良く、generateListNodeもORNodeを生成している。 + # しかし、上記のケースでgenerateListNode()を実行すると、下記のようなYAMLになってしまう。 + # selection: ### EventID: 1 or 2 - ### 上記のようにならないように、修正している。 - ### なお、generateMapItemListNode()を有効にするために、self.mapListsSpecialHandling = Trueとしている + # 上記のようにならないように、修正している。 + # なお、generateMapItemListNode()を有効にするために、self.mapListsSpecialHandling = Trueとしている if self._is_all_str(value): name = self.create_new_selection() - self.name_2_selection[name] = [(fieldname,value)] + self.name_2_selection[name] = [(fieldname, value)] return name list_values = list() for sub_node in value: - list_values.append((fieldname,sub_node)) - return self.subExpression % self.generateORNode(list_values) - + list_values.append((fieldname, sub_node)) + return self.subExpression % self.generateORNode(list_values) + def _is_all_str(self, values): for value in values: if type(value) != str: return False return True - + def generateAggregation(self, agg): # python3 tools/sigmac rules/windows/process_creation/win_dnscat2_powershell_implementation.yml --config tools/config/generic/sysmon.yml --target hayabusa if agg == None: @@ -152,100 +160,101 @@ class HayabusaBackend(SingleTextQueryBackend): # | 以降をそのまま出力する target = '|' condition = agg.parser.parsedyaml["detection"]["condition"] - - ### conditionはなんと複数指定されることもあるらしい!!!!! - ### If multiple conditions are given, they are logically linked with OR.と仕様書に書いてある。詳細はSigmaRuleの仕様を参照のこと。 - ### とりあえず、複数指定のconditionは未対応ということでエラーにするとして、(なお、デフォルトのbase.pyの実装で複数指定のconditionはexceptionがraiseされるので、そのような処理は追加で実装しなくてよい) - ### 問題となるのはagg.parser.parsedyaml["detection"]["condition"]の型 + + # conditionはなんと複数指定されることもあるらしい!!!!! + # If multiple conditions are given, they are logically linked with OR.と仕様書に書いてある。詳細はSigmaRuleの仕様を参照のこと。 + # とりあえず、複数指定のconditionは未対応ということでエラーにするとして、(なお、デフォルトのbase.pyの実装で複数指定のconditionはexceptionがraiseされるので、そのような処理は追加で実装しなくてよい) + # 問題となるのはagg.parser.parsedyaml["detection"]["condition"]の型 ### - ### 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はstringになるが + # 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はstringになるが ### conditon: selection1 ### - ### 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はlistになる - ### conditon: + # 下記のように指定すると、agg.parser.parsedyaml["detection"]["condition"]の型はlistになる + # conditon: ### - selection1 ### - ### なのでlistのケースも想定して、下記のような実装とする。 - if type(condition) == list: + # なのでlistのケースも想定して、下記のような実装とする。 + if type(condition) == list: condition = condition[0] index = condition.find(target) return condition[index:] - ## count以外は対応していないので、エラーを返す - raise NotImplementedError("This rule contains aggregation operator not implemented for this backend") - + # count以外は対応していないので、エラーを返す + raise NotImplementedError( + "This rule contains aggregation operator not implemented for this backend") + def generateValueNode(self, node): - ## このメソッドをオーバーライドしておかないとint型もstr型として扱われてしまうので、int型やint型として、str型はstr型として処理するために実装した。 - ## このメソッドは最悪無くてもいいような気もする。 + # このメソッドをオーバーライドしておかないとint型もstr型として扱われてしまうので、int型やint型として、str型はstr型として処理するために実装した。 + # このメソッドは最悪無くてもいいような気もする。 if type(node) == int: return node else: return self.valueExpression % (self.cleanValue(str(node))) - - ### 全部strかどうかを判定 - def is_keyword_list(self, node ): + + # 全部strかどうかを判定 + def is_keyword_list(self, node): if type(node) != ConditionOR: return False - + for item in node.items: if type(item) != str: return False - + return True - - def generateANDNode(self, node): + + def generateANDNode(self, node): generated = list() for val in node: if type(val) == str: - ### 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース - ### keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと) - ### 具体的には"all of"とか使うとこの分岐に来る + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと) + # 具体的には"all of"とか使うとこの分岐に来る name = self.create_new_selection() self.name_2_selection[name] = [(None, val)] generated_node = name else: - ### 普通はこっちにくる + # 普通はこっちにくる generated_node = self.generateNode(val) generated.append(generated_node) - filtered = [ g for g in generated if g is not None ] + filtered = [g for g in generated if g is not None] if filtered: if self.sort_condition_lists: filtered = sorted(filtered) return self.andToken.join(filtered) else: return None - + def generateORNode(self, node): if self.is_keyword_list(node) == True: - ## 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース - ## 全てkeyが指定されていない場合はここに来る。 + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # 全てkeyが指定されていない場合はここに来る。 name = self.create_new_selection() self.name_2_selection[name] = [(None, val) for val in node] return name - + name = None generated = list() for val in node: - ### 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース + # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース if type(val) == str: if name is None: name = self.create_new_selection() self.name_2_selection[name] = list() - self.name_2_selection[name].append((None,val)) + self.name_2_selection[name].append((None, val)) else: generated.append(self.generateNode(val)) if name is not None: generated.append(name) - filtered = [ g for g in generated if g is not None ] + filtered = [g for g in generated if g is not None] if filtered: if self.sort_condition_lists: filtered = sorted(filtered) return self.orToken.join(filtered) else: return None - + def generateQuery(self, parsed): - ### このクラスのインスタンスは再利用されるので、内部のメンバ変数をresetする。 + # このクラスのインスタンスは再利用されるので、内部のメンバ変数をresetする。 self.re_init() result = self.generateNode(parsed.parsedSearch) if parsed.parsedAgg: @@ -253,26 +262,27 @@ class HayabusaBackend(SingleTextQueryBackend): result += " " + res ret = "" with StringIO() as bs: - ## 元のyamlをいじるとこの後の処理に影響を与える可能性があるので、deepCopyする + # 元のyamlをいじるとこの後の処理に影響を与える可能性があるので、deepCopyする parsed_yaml = copy.deepcopy(parsed.sigmaParser.parsedyaml) - ## なんかタイトルは先頭に来てほしいので、そのための処理 - ## parsed.sigmaParser.parsedyamlがOrderedDictならこんなことしなくていい、後で別のやり方があるか調べる - ## 順番固定してもいいかも + # なんかタイトルは先頭に来てほしいので、そのための処理 + # parsed.sigmaParser.parsedyamlがOrderedDictならこんなことしなくていい、後で別のやり方があるか調べる + # 順番固定してもいいかも bs.write("title: " + parsed_yaml["title"]+"\n") + bs.write("ruletype: SIGMA\n") del parsed_yaml["title"] - ## detectionの部分だけ変更して出力する。 + # detectionの部分だけ変更して出力する。 parsed_yaml["detection"] = {} parsed_yaml["detection"]["condition"] = result for key, values in self.name_2_selection.items(): - ### fieldnameの有無を確認している + # fieldnameの有無を確認している if values[0][0]: - ## 通常はfieldnameがあってその場合は連想配列で初期化 + # 通常はfieldnameがあってその場合は連想配列で初期化 parsed_yaml["detection"][key] = {} else: - ## is_keyword_list() == Trueの場合だけ、ここにくる + # is_keyword_list() == Trueの場合だけ、ここにくる parsed_yaml["detection"][key] = [] - + for fieldname, value in values: if fieldname == None: ## is_keyword_list() == Trueの場合 @@ -283,5 +293,5 @@ class HayabusaBackend(SingleTextQueryBackend): yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False) ret = bs.getvalue() ret += "---\n" - - return ret \ No newline at end of file + + return ret From 84f17323da191a27687301861c48eb42a273c55c Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 28 Nov 2021 18:27:58 +0900 Subject: [PATCH 06/13] Hotfix/load rule level changed info to informational#237#238 (#240) * changed INFO to informational #237 - INFO in rule level is changed to informational * changed level load default rule from LOW to INFORMATIONAL #238 * fixed level description in doc and help menu #238 * removed test files * removed test check file --- doc/AboutRuleCreation-English.md | 2 +- doc/AboutRuleCreation-Japanese.md | 2 +- src/detections/configs.rs | 4 ++-- src/detections/detection.rs | 13 ++++++++++--- src/main.rs | 2 +- src/yaml.rs | 12 ++++++------ 6 files changed, 21 insertions(+), 14 deletions(-) diff --git a/doc/AboutRuleCreation-English.md b/doc/AboutRuleCreation-English.md index 754aca09..e391c336 100644 --- a/doc/AboutRuleCreation-English.md +++ b/doc/AboutRuleCreation-English.md @@ -27,7 +27,7 @@ updated_date: 2020/11/8 * author [optional]: The name of the person or persons who created the logic for the rule. * detection [required]: The detection logic goes here. * falsepositives [optional]: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`. If it is unknown, write `unknown`. -* level [optional]: Risk level. Please write one of the following: `info`,`low`,`medium`,`high`,`critical` +* level [optional]: Risk level. Please write one of the following: `informational`,`low`,`medium`,`high`,`critical` * output [required]: The details of the alert. (Please output any and only useful fields in the Windows event log for easy analysis.) * creation_date [optional]: The creation date. * updated_date [optional]: The date of the last revision. diff --git a/doc/AboutRuleCreation-Japanese.md b/doc/AboutRuleCreation-Japanese.md index acdaec18..0bc0f95b 100644 --- a/doc/AboutRuleCreation-Japanese.md +++ b/doc/AboutRuleCreation-Japanese.md @@ -27,7 +27,7 @@ updated_date: 2020/11/8 * author [optional]: ルールファイルの作者を入力します。 * detection [required]: 検知ルールを入力します。 * falsepositives [optional]: 誤検知に関する情報を入力します。例:unknown、system administrator、normal user usage、normal system usage、legacy application、security team等々。 -* level [optional]: リスクレベルを入力します。指定する値は`info`,`low`,`medium`,`high`,`critical`のいづれかです。 +* level [optional]: リスクレベルを入力します。指定する値は`informational`,`low`,`medium`,`high`,`critical`のいづれかです。 * output [required]: イベントログが検知した場合に表示されるメッセージを入力します。 * creation_date [optional]: ルールファイルの作成日を入力します。 * updated_date [optional]: ルールファイルの更新日を入力します。 diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 02499876..c37a41e3 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -7,7 +7,7 @@ lazy_static! { pub static ref CONFIG: RwLock = RwLock::new(ConfigReader::new()); pub static ref LEVELMAP: HashMap = { let mut levelmap = HashMap::new(); - levelmap.insert("INFO".to_owned(), 1); + levelmap.insert("INFORMATIONAL".to_owned(), 1); levelmap.insert("LOW".to_owned(), 2); levelmap.insert("MEDIUM".to_owned(), 3); levelmap.insert("HIGH".to_owned(), 4); @@ -54,7 +54,7 @@ fn build_app<'a>() -> ArgMatches<'a> { --verbose 'Output verbose information to target event file path and rule file' -q 'Quiet mode. Do not display the launch banner' -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' - -L --level=[LEVEL] 'Minimum level for rules (default: low)' + -L --level=[LEVEL] 'Minimum level for rules (default: INFORMATIONAL)' -u --utc 'Output time in UTC format (default: local time)' -d --directory=[DIRECTORY] 'Directory of multiple .evtx files' -s --statistics 'Prints statistics of event IDs' diff --git a/src/detections/detection.rs b/src/detections/detection.rs index b6233769..b103a742 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -145,8 +145,15 @@ impl Detection { pub fn print_unique_results(&self) { let rules = &self.rules; - let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]); - // levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] + let levellabel = Vec::from([ + "Critical", + "High", + "Medium", + "Low", + "Informational", + "Undeifned", + ]); + // levclcounts is [(Undeifned), (Informational), (Low),(Medium),(High),(Critical)] let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); for rule in rules.into_iter() { if rule.check_exist_countdata() { @@ -258,7 +265,7 @@ impl Detection { #[test] fn test_parse_rule_files() { - let level = "INFO"; + let level = "informational"; let opt_rule_path = Some("./test_files/rules/level_yaml"); let cole = Detection::parse_rule_files(level.to_owned(), opt_rule_path); assert_eq!(5, cole.len()); diff --git a/src/main.rs b/src/main.rs index 6b6b34c0..0eb19097 100644 --- a/src/main.rs +++ b/src/main.rs @@ -116,7 +116,7 @@ fn analysis_files(evtx_files: Vec) { .unwrap() .args .value_of("level") - .unwrap_or("INFO") + .unwrap_or("informational") .to_uppercase(); println!("Analyzing event files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( diff --git a/src/yaml.rs b/src/yaml.rs index b0ef5065..075cafee 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -121,11 +121,11 @@ impl ParseYaml { // 指定されたレベルより低いルールは無視する let doc_level = &yaml_doc["level"] .as_str() - .unwrap_or("LOW") + .unwrap_or("informational") .to_string() .to_uppercase(); - let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&2); - let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&2); + let doc_level_num = configs::LEVELMAP.get(doc_level).unwrap_or(&1); + let args_level_num = configs::LEVELMAP.get(level).unwrap_or(&1); if doc_level_num < args_level_num { return Option::None; } @@ -179,19 +179,19 @@ mod tests { } #[test] - /// no specifed "level" arguments value is adapted default level(LOW) + /// no specifed "level" arguments value is adapted default level(informational) fn test_default_level_read_yaml() { let mut yaml = yaml::ParseYaml::new(); let path = Path::new("test_files/rules/level_yaml"); yaml.read_dir(path.to_path_buf(), &"").unwrap(); - assert_eq!(yaml.files.len(), 4); + assert_eq!(yaml.files.len(), 5); } #[test] fn test_info_level_read_yaml() { let mut yaml = yaml::ParseYaml::new(); let path = Path::new("test_files/rules/level_yaml"); - yaml.read_dir(path.to_path_buf(), &"INFO").unwrap(); + yaml.read_dir(path.to_path_buf(), &"informational").unwrap(); assert_eq!(yaml.files.len(), 5); } #[test] From 2febaa9b73518de584edc28c74ff0a6951badee7 Mon Sep 17 00:00:00 2001 From: James Takai / hach1yon <32596618+hach1yon@users.noreply.github.com> Date: Sun, 28 Nov 2021 19:02:27 +0900 Subject: [PATCH 07/13] add target event filtering. (#242) --- config/target_eventids.txt | 0 src/detections/configs.rs | 38 +++++++++++++++++++++++++++++++++++++- src/detections/utils.rs | 4 ++++ src/main.rs | 16 ++++++++++++++++ 4 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 config/target_eventids.txt diff --git a/config/target_eventids.txt b/config/target_eventids.txt new file mode 100644 index 00000000..e69de29b diff --git a/src/detections/configs.rs b/src/detections/configs.rs index c37a41e3..bab9eaf4 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -1,7 +1,7 @@ use crate::detections::utils; use clap::{App, AppSettings, ArgMatches}; use lazy_static::lazy_static; -use std::collections::HashMap; +use std::collections::{HashMap, HashSet}; use std::sync::RwLock; lazy_static! { pub static ref CONFIG: RwLock = RwLock::new(ConfigReader::new()); @@ -21,6 +21,7 @@ pub struct ConfigReader { pub args: ArgMatches<'static>, pub event_key_alias_config: EventKeyAliasConfig, pub event_timeline_config: EventInfoConfig, + pub target_eventids: TargetEventIds, } impl ConfigReader { @@ -29,6 +30,7 @@ impl ConfigReader { args: build_app(), event_key_alias_config: load_eventkey_alias("config/eventkey_alias.txt"), event_timeline_config: load_eventcode_info("config/timeline_event_info.txt"), + target_eventids: load_target_ids("config/target_eventids.txt"), } } } @@ -80,6 +82,40 @@ fn is_test_mode() -> bool { return false; } +#[derive(Debug, Clone)] +pub struct TargetEventIds { + ids: HashSet, +} + +impl TargetEventIds { + pub fn new() -> TargetEventIds { + return TargetEventIds { + ids: HashSet::new(), + }; + } + + pub fn is_target(&self, id: &String) -> bool { + // 中身が空の場合は全EventIdを対象とする。 + if self.ids.is_empty() { + return true; + } + return self.ids.contains(id); + } +} + +fn load_target_ids(path: &str) -> TargetEventIds { + let mut ret = TargetEventIds::new(); + let lines = utils::read_txt(path).unwrap(); // ファイルが存在しなければエラーとする + for line in lines { + if line.is_empty() { + continue; + } + ret.ids.insert(line); + } + + return ret; +} + #[derive(Debug, Clone)] pub struct EventKeyAliasConfig { key_to_eventkey: HashMap, diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 1bacfe10..f354c3b5 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -85,6 +85,10 @@ pub fn read_csv(filename: &str) -> Result>, String> { return Result::Ok(ret); } +pub fn is_target_event_id(s: &String) -> bool { + return configs::CONFIG.read().unwrap().target_eventids.is_target(s); +} + pub fn get_event_id_key() -> String { return "Event.System.EventID".to_string(); } diff --git a/src/main.rs b/src/main.rs index 0eb19097..7898036f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -10,6 +10,7 @@ use hayabusa::omikuji::Omikuji; use hayabusa::{afterfact::after_fact, detections::utils}; use hayabusa::{detections::configs, timeline::timeline::Timeline}; use hhmmss::Hhmmss; +use serde_json::Value; use std::{ fs::{self, File}, path::PathBuf, @@ -172,6 +173,21 @@ fn analysis_file( } let data = record_result.unwrap().data; + + // target_eventids.txtでフィルタする。 + let eventid = utils::get_event_value(&utils::get_event_id_key(), &data); + if eventid.is_some() { + let is_target = match eventid.unwrap() { + Value::String(s) => utils::is_target_event_id(s), + Value::Number(n) => utils::is_target_event_id(&n.to_string()), + _ => true, // レコードからEventIdが取得できない場合は、特にフィルタしない + }; + if !is_target { + continue; + } + } + + // EvtxRecordInfo構造体に変更 let data_string = data.to_string(); let record_info = EvtxRecordInfo::new((&filepath_disp).to_string(), data, data_string); records_per_detect.push(record_info); From 8b9dac961a08416ab1e3a7067df23fde1ff3928f Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 3 Dec 2021 10:12:31 +0900 Subject: [PATCH 08/13] added progress bar #199 (#247) --- Cargo.lock | 53 +++++++++++++++++++++++++++++++++++++++++++---------- Cargo.toml | 1 + src/main.rs | 3 +++ 3 files changed, 47 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 334091d3..b1299b9f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -312,10 +312,20 @@ version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87" dependencies = [ - "crossbeam-utils", + "crossbeam-utils 0.7.2", "maybe-uninit", ] +[[package]] +name = "crossbeam-channel" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06ed27e177f16d65f0f0c22a213e17c696ace5dd64b14258b52f9417ccb52db4" +dependencies = [ + "cfg-if 1.0.0", + "crossbeam-utils 0.8.5", +] + [[package]] name = "crossbeam-deque" version = "0.7.3" @@ -323,7 +333,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9f02af974daeee82218205558e51ec8768b48cf524bd01d550abe5573a608285" dependencies = [ "crossbeam-epoch", - "crossbeam-utils", + "crossbeam-utils 0.7.2", "maybe-uninit", ] @@ -335,7 +345,7 @@ checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace" dependencies = [ "autocfg 1.0.1", "cfg-if 0.1.10", - "crossbeam-utils", + "crossbeam-utils 0.7.2", "lazy_static", "maybe-uninit", "memoffset", @@ -349,7 +359,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570" dependencies = [ "cfg-if 0.1.10", - "crossbeam-utils", + "crossbeam-utils 0.7.2", "maybe-uninit", ] @@ -364,6 +374,16 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "crossbeam-utils" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d82cfc11ce7f2c3faef78d8a684447b40d503d9681acebed6cb728d45940c4db" +dependencies = [ + "cfg-if 1.0.0", + "lazy_static", +] + [[package]] name = "csv" version = "1.1.3" @@ -730,6 +750,7 @@ dependencies = [ "linked-hash-map", "mopa", "num_cpus", + "pbr", "quick-xml 0.17.2", "regex", "serde", @@ -1288,6 +1309,18 @@ dependencies = [ "winapi 0.3.9", ] +[[package]] +name = "pbr" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff5751d87f7c00ae6403eb1fcbba229b9c76c9a30de8c1cf87182177b168cea2" +dependencies = [ + "crossbeam-channel 0.5.1", + "libc", + "time 0.1.44", + "winapi 0.3.9", +] + [[package]] name = "percent-encoding" version = "1.0.1" @@ -1564,9 +1597,9 @@ version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91739a34c4355b5434ce54c9086c5895604a9c278586d1f1aa95e04f66b525a0" dependencies = [ - "crossbeam-channel", + "crossbeam-channel 0.4.4", "crossbeam-deque", - "crossbeam-utils", + "crossbeam-utils 0.7.2", "lazy_static", "num_cpus", ] @@ -2209,7 +2242,7 @@ version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fb2d1b8f4548dbf5e1f7818512e9c406860678f29c300cdf0ebac72d1a3a1671" dependencies = [ - "crossbeam-utils", + "crossbeam-utils 0.7.2", "futures", ] @@ -2241,7 +2274,7 @@ version = "0.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09bc590ec4ba8ba87652da2068d150dcada2cfa2e07faae270a5e0409aa51351" dependencies = [ - "crossbeam-utils", + "crossbeam-utils 0.7.2", "futures", "lazy_static", "log", @@ -2286,7 +2319,7 @@ checksum = "df720b6581784c118f0eb4310796b12b1d242a7eb95f716a8367855325c25f89" dependencies = [ "crossbeam-deque", "crossbeam-queue", - "crossbeam-utils", + "crossbeam-utils 0.7.2", "futures", "lazy_static", "log", @@ -2301,7 +2334,7 @@ version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "93044f2d313c95ff1cb7809ce9a7a05735b012288a888b62d4434fd58c94f296" dependencies = [ - "crossbeam-utils", + "crossbeam-utils 0.7.2", "futures", "slab", "tokio-executor", diff --git a/Cargo.toml b/Cargo.toml index 124b102e..7ced827a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -27,6 +27,7 @@ mopa = "0.2.2" slack-hook = "0.8" dotenv = "0.15.0" hhmmss = "*" +pbr = "*" [target.x86_64-pc-windows-gnu] linker = "x86_64-w64-mingw32-gcc" diff --git a/src/main.rs b/src/main.rs index 7898036f..dd4d59df 100644 --- a/src/main.rs +++ b/src/main.rs @@ -10,6 +10,7 @@ use hayabusa::omikuji::Omikuji; use hayabusa::{afterfact::after_fact, detections::utils}; use hayabusa::{detections::configs, timeline::timeline::Timeline}; use hhmmss::Hhmmss; +use pbr::ProgressBar; use serde_json::Value; use std::{ fs::{self, File}, @@ -124,12 +125,14 @@ fn analysis_files(evtx_files: Vec) { level, configs::CONFIG.read().unwrap().args.value_of("rules"), ); + let mut pb = ProgressBar::new(evtx_files.len() as u64); let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { if configs::CONFIG.read().unwrap().args.is_present("verbose") { println!("Checking target evtx FilePath: {:?}", &evtx_file); } detection = analysis_file(evtx_file, detection); + pb.inc(); } after_fact(); detection.print_unique_results(); From e0936ab2d13ea9ba228c021e130bbad803a1fd1b Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 3 Dec 2021 15:52:43 +0900 Subject: [PATCH 09/13] rule update (#249) --- config/exclude-rules.txt | 5 +++++ config/noisy-rules.txt | 5 +++++ .../4625_LateralMovement_LogonFailure-WrongPassword.yml | 2 +- .../4625_LateralMovement_LogonFailure-WrongUsername.yml | 2 +- ...732-AccountManipulation_UserAddedToLocalSecurityGroup.yml | 2 +- ...rRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml | 2 +- .../BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml | 2 +- .../Security/Logons/4624_LogonType-11-CachedInteractive.yml | 2 +- .../Logons/4624_LogonType-12-CachedRemoteInteractive.yml | 2 +- .../events/Security/Logons/4624_LogonType-2-Interactive.yml | 2 +- .../events/Security/Logons/4624_LogonType-4-Batch.yml | 2 +- .../events/Security/Logons/4647_LogoffUserInitiated.yml | 2 +- rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml | 2 +- .../events/Security/Logons/4768_KerberosTGT-Request.yml | 2 +- .../events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml | 4 ++-- 15 files changed, 24 insertions(+), 14 deletions(-) create mode 100644 config/exclude-rules.txt create mode 100644 config/noisy-rules.txt diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt new file mode 100644 index 00000000..47044f72 --- /dev/null +++ b/config/exclude-rules.txt @@ -0,0 +1,5 @@ +c92f1896-d1d2-43c3-92d5-7a5b35c217bb # rules/sigma/other/win_exchange_cve_2021_42321.yml (rule parse error) +83809e84-4475-4b69-bc3e-4aad8568612f # rules/sigma/builtin/win_exchange_transportagent.yml (rule parse error) +7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # replaced by hayabusa rule +c265cf08-3f99-46c1-8d59-328247057d57 # replaced by hayabusa rule +66b6be3d-55d0-4f47-9855-d69df21740ea # replaced by hayabusa rule \ No newline at end of file diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt new file mode 100644 index 00000000..6e03bcf7 --- /dev/null +++ b/config/noisy-rules.txt @@ -0,0 +1,5 @@ +0f06a3a5-6a09-413f-8743-e6cf35561297 # sysmon_wmi_event_subscription.yml +b0d77106-7bb0-41fe-bd94-d1752164d066 # win_rare_schtasks_creations.yml +66bfef30-22a5-4fcd-ad44-8d81e60922ae # win_rare_service_installs.yml +e98374a6-e2d9-4076-9b5c-11bdb2569995 # win_susp_failed_logons_single_source.yml +6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # win_susp_failed_logons_single_source2.yml \ No newline at end of file diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml index e9f587ab..a48aedf8 100644 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml +++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: % description: Prints logon information. description_jp: Prints logon information. -id: a85096da-be85-48d7-8ad5-2f957cd74daa +id: e87bd730-df45-4ae9-85de-6c75369c5d29 level: low status: stable detection: diff --git a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml index 35c7936b..d31e06c0 100644 --- a/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml +++ b/rules/hayabusa/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: % description: Prints logon information. description_jp: Prints logon information. -id: a85096da-be85-48d7-8ad5-2f957cd74daa +id: 8afa97ce-a217-4f7c-aced-3e320a57756d level: informational status: stable detection: diff --git a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml index 859d37db..b925c4b8 100644 --- a/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml +++ b/rules/hayabusa/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %MemberName% : SID: %MemberSid% : グループ名: %T description: A user was added to a security-enabled local group. description_jp: ユーザがローカルセキュリティグループに追加された。 -id: 611e2e76-a28f-4255-812c-eb8836b2f5bb +id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0 level: low status: stable detection: diff --git a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml index 91fa9280..d76fd058 100644 --- a/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml +++ b/rules/hayabusa/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml @@ -9,7 +9,7 @@ output_jp: "ユーザ名: %LogFileClearedSubjectUserName%" description: Somebody has cleared the System event log. description_jp: 誰かがシステムログをクリアした。 -id: c2f690ac-53f8-4745-8cfe-7127dda28c74 +id: f481a1f3-969e-4187-b3a5-b47c272bfebd level: high status: stable detection: diff --git a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml index 50ed1553..247f8113 100644 --- a/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml +++ b/rules/hayabusa/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml @@ -9,7 +9,7 @@ output_jp: 'Job名: %JobTitle% : URL: %Url%' description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. -id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031 +id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004 level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml index 0d70a81f..23b6a503 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア description: Prints logon information. description_jp: Prints logon information. -id: e50e3952-06d9-44a8-ab07-7a41c9801d78 +id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml index 31d17a0d..0b4aa4a8 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-12-CachedRemoteInteractive.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア description: Prints logon information. description_jp: Prints logon information. -id: e50e3952-06d9-44a8-ab07-7a41c9801d78 +id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml index 62c8f35e..f555d9e9 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-2-Interactive.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア description: Prints logon information description_jp: Prints logon information -id: c7b22878-e5d8-4c30-b245-e51fd354359e +id: 7beb4832-f357-47a4-afd8-803d69a5c85c level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml index 41bddeb3..e5cc2622 100644 --- a/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml +++ b/rules/hayabusa/events/Security/Logons/4624_LogonType-4-Batch.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPア description: Prints logon information description_jp: Prints logon information -id: 408e1304-51d7-4d3e-ab31-afd07192400b +id: 8ad8b25f-6052-4cfd-9a50-717cb514af13 level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml index 202bc2d8..34b7a268 100644 --- a/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml +++ b/rules/hayabusa/events/Security/Logons/4647_LogoffUserInitiated.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%' description: Prints logon information. description_jp: Prints logon information. -id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf +id: 6bad16f1-02c4-4075-b414-3cd16944bc65 level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml index cd2ad1d3..c3c9346f 100644 --- a/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml +++ b/rules/hayabusa/events/Security/Logons/4672_AdminLogon.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%' description: Prints logon information. description_jp: Prints logon information. -id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf +id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml index 2e199fd0..20a61d27 100644 --- a/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml +++ b/rules/hayabusa/events/Security/Logons/4768_KerberosTGT-Request.yml @@ -9,7 +9,7 @@ output_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IP description: Prints logon information. description_jp: Prints logon information. -id: da6257f3-cf49-464a-96fc-c84a7ce20636 +id: d9f336ea-bb16-4a35-8a9c-183216b8d59c level: informational status: stable detection: diff --git a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml index e459d48a..2ca207a7 100644 --- a/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml +++ b/rules/hayabusa/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml @@ -4,8 +4,8 @@ modified: 2021/11/26 title: NTLM Logon to Local Account title_jp: ローカルアカウントへのNTLMログオン -output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%' -output_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : ステータス: %Status%' +output: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%' +output_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%' description: Prints logon information. description_jp: Prints logon information. From d1121297719ce9e9b7cb977c37ddfe7b1d55deb4 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 4 Dec 2021 11:20:11 +0900 Subject: [PATCH 10/13] changed stdout result delimiter #244 (#245) * changed stdout result delimiter #244 * removed unnecessary space #244 * added display output test #244 - added static map clear function (only test use) - added outputformat test case of stdout (change sequencial process in emit_csv test To prevent the contents of static variables from changing depending on the order of execution) * fixed typo --- src/afterfact.rs | 247 ++++++++++++++++++++++++------------ src/detections/detection.rs | 4 +- src/detections/print.rs | 5 + 3 files changed, 176 insertions(+), 80 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index dd1ae5fb..2be77936 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -72,19 +72,26 @@ pub fn after_fact() { } fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result<()> { - let mut wtr = csv::WriterBuilder::new().from_writer(writer); + let mut wtr; + if displayflag { + wtr = csv::WriterBuilder::new() + .delimiter(b'|') + .from_writer(writer); + } else { + wtr = csv::WriterBuilder::new().from_writer(writer); + } let messages = print::MESSAGES.lock().unwrap(); let mut detect_count = 0; for (time, detect_infos) in messages.iter() { for detect_info in detect_infos { if displayflag { wtr.serialize(DisplayFormat { - time: &format_time(time), - level: &detect_info.level, - computername: &detect_info.computername, - eventid: &detect_info.eventid, - alert: &detect_info.alert, - details: &detect_info.detail, + time: &format!("{} ", &format_time(time)), + level: &format!(" {} ", &detect_info.level), + computername: &format!(" {} ", &detect_info.computername), + eventid: &format!(" {} ", &detect_info.eventid), + alert: &format!(" {} ", &detect_info.alert), + details: &format!(" {}", &detect_info.detail), })?; } else { // csv出力時フォーマット @@ -131,81 +138,165 @@ where } } -#[test] -fn test_emit_csv() { +#[cfg(test)] +mod tests { + use crate::afterfact::emit_csv; + use crate::detections::print; + use chrono::{Local, TimeZone, Utc}; use serde_json::Value; + use std::fs::File; use std::fs::{read_to_string, remove_file}; - let testfilepath: &str = "test.evtx"; - let testrulepath: &str = "test-rule.yml"; - let test_title = "test_title"; - let test_level = "high"; - let test_computername = "testcomputer"; - let test_eventid = "1111"; - let output = "pokepoke"; - { - let mut messages = print::MESSAGES.lock().unwrap(); + use std::io; - let val = r##" - { - "Event": { - "EventData": { - "CommandRLine": "hoge" - }, - "System": { - "TimeCreated_attributes": { - "SystemTime": "1996-02-27T01:05:01Z" - } - } - } - } - "##; - let event: Value = serde_json::from_str(val).unwrap(); - messages.insert( - testfilepath.to_string(), - testrulepath.to_string(), - &event, - test_level.to_string(), - test_computername.to_string(), - test_eventid.to_string(), - test_title.to_string(), - output.to_string(), - ); + #[test] + fn test_emit_csv() { + //テストの並列処理によって読み込みの順序が担保できずstatic変数の内容が担保が取れない為、このテストはシーケンシャルで行う + test_emit_csv_output(); + test_emit_csv_output(); } - let expect_time = Utc - .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") - .unwrap(); - let expect_tz = expect_time.with_timezone(&Local); - let expect = "Time,Computername,Eventid,Level,Alert,Details,Rulepath,Filepath\n".to_string() - + &expect_tz - .clone() - .format("%Y-%m-%d %H:%M:%S%.3f %:z") - .to_string() - + "," - + test_computername - + "," - + test_eventid - + "," - + test_level - + "," - + test_title - + "," - + output - + "," - + testrulepath - + "," - + &testfilepath.to_string() - + "\n"; - - let mut file: Box = - Box::new(File::create("./test_emit_csv.csv".to_string()).unwrap()); - assert!(emit_csv(&mut file, false).is_ok()); - - match read_to_string("./test_emit_csv.csv") { - Err(_) => panic!("Failed to open file."), - Ok(s) => { - assert_eq!(s, expect); + fn test_emit_csv_output() { + let testfilepath: &str = "test.evtx"; + let testrulepath: &str = "test-rule.yml"; + let test_title = "test_title"; + let test_level = "high"; + let test_computername = "testcomputer"; + let test_eventid = "1111"; + let output = "pokepoke"; + { + let mut messages = print::MESSAGES.lock().unwrap(); + messages.clear(); + let val = r##" + { + "Event": { + "EventData": { + "CommandRLine": "hoge" + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event: Value = serde_json::from_str(val).unwrap(); + messages.insert( + testfilepath.to_string(), + testrulepath.to_string(), + &event, + test_level.to_string(), + test_computername.to_string(), + test_eventid.to_string(), + test_title.to_string(), + output.to_string(), + ); } - }; - assert!(remove_file("./test_emit_csv.csv").is_ok()); + let expect_time = Utc + .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") + .unwrap(); + let expect_tz = expect_time.with_timezone(&Local); + let expect = "Time,Computername,Eventid,Level,Alert,Details,Rulepath,Filepath\n" + .to_string() + + &expect_tz + .clone() + .format("%Y-%m-%d %H:%M:%S%.3f %:z") + .to_string() + + "," + + test_computername + + "," + + test_eventid + + "," + + test_level + + "," + + test_title + + "," + + output + + "," + + testrulepath + + "," + + &testfilepath.to_string() + + "\n"; + let mut file: Box = + Box::new(File::create("./test_emit_csv.csv".to_string()).unwrap()); + assert!(emit_csv(&mut file, false).is_ok()); + match read_to_string("./test_emit_csv.csv") { + Err(_) => panic!("Failed to open file."), + Ok(s) => { + assert_eq!(s, expect); + } + }; + assert!(remove_file("./test_emit_csv.csv").is_ok()); + check_emit_csv_display(); + } + + fn check_emit_csv_display() { + let testfilepath: &str = "test2.evtx"; + let testrulepath: &str = "test-rule2.yml"; + let test_title = "test_title2"; + let test_level = "medium"; + let test_computername = "testcomputer2"; + let test_eventid = "2222"; + let output = "displaytest"; + { + let mut messages = print::MESSAGES.lock().unwrap(); + messages.clear(); + let val = r##" + { + "Event": { + "EventData": { + "CommandRLine": "hoge" + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event: Value = serde_json::from_str(val).unwrap(); + messages.insert( + testfilepath.to_string(), + testrulepath.to_string(), + &event, + test_level.to_string(), + test_computername.to_string(), + test_eventid.to_string(), + test_title.to_string(), + output.to_string(), + ); + messages.debug(); + } + let expect_time = Utc + .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") + .unwrap(); + let expect_tz = expect_time.with_timezone(&Local); + let expect = "Time|Computername|Eventid|Level|Alert|Details\n".to_string() + + &expect_tz + .clone() + .format("%Y-%m-%d %H:%M:%S%.3f %:z") + .to_string() + + " | " + + test_computername + + " | " + + test_eventid + + " | " + + test_level + + " | " + + test_title + + " | " + + output + + "\n"; + let mut file: Box = + Box::new(File::create("./test_emit_csv_display.txt".to_string()).unwrap()); + assert!(emit_csv(&mut file, true).is_ok()); + match read_to_string("./test_emit_csv_display.txt") { + Err(_) => panic!("Failed to open file."), + Ok(s) => { + assert_eq!(s, expect); + } + }; + assert!(remove_file("./test_emit_csv_display.txt").is_ok()); + } } diff --git a/src/detections/detection.rs b/src/detections/detection.rs index b103a742..8012f1b9 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -151,9 +151,9 @@ impl Detection { "Medium", "Low", "Informational", - "Undeifned", + "Undefined", ]); - // levclcounts is [(Undeifned), (Informational), (Low),(Medium),(High),(Critical)] + // levclcounts is [(Undefined), (Informational), (Low),(Medium),(High),(Critical)] let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); for rule in rules.into_iter() { if rule.check_exist_countdata() { diff --git a/src/detections/print.rs b/src/detections/print.rs index 95563ecc..e489587b 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -188,6 +188,11 @@ impl Message { return Option::Some(datetime.unwrap()); } } + + /// message内のマップをクリアする。テストする際の冪等性の担保のため作成。 + pub fn clear(&mut self) { + self.map.clear(); + } } impl AlertMessage { From ac5c5c2917e4a6716bb8e3449ed498682f0ddde5 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 4 Dec 2021 11:49:38 +0900 Subject: [PATCH 11/13] Bugfix/yml alias not found all data output#227 (#241) * removed no use alias #227 * changed case of object type return none #227 - serde json value is object type when alias key dont exist in detected record. * adjust serde_number_to_string function return value change #227 * adjust yml rule to change of aliaskey_alias.txt #227 * merged same regex as static * create new struct to reduce same output in rule and keyword warn message #227 * changed output position * removed regression warnings #227 * removed output wanring * Fixed a possible panic when None. #227 * added parse_message test #227 * added get_serde_number_to_string tests #227 * removed unnecessary test data part in get_serde_numuber_to_string test #227 --- config/eventkey_alias.txt | 2 +- src/detections/detection.rs | 4 +- src/detections/print.rs | 99 ++++++++++++++++++++++++++++++++++--- src/detections/utils.rs | 68 +++++++++++++++++++++++-- 4 files changed, 162 insertions(+), 11 deletions(-) diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt index d7ea313a..3188c4b9 100644 --- a/config/eventkey_alias.txt +++ b/config/eventkey_alias.txt @@ -126,7 +126,7 @@ SubjectDomainName,Event.EventData.SubjectDomainName SubjectLogonId,Event.EventData.SubjectLogonId SubjectUserName,Event.EventData.SubjectUserName SubjectUserSid,Event.EventData.SubjectUserSid -TargetDomainName,Event.EventData.TargetDomainName +TargetDomainName,Event.EventData.TargetDomainName TargetFilename,Event.EventData.TargetFilename TargetImage,Event.EventData.TargetImage TargetLogonId,Event.EventData.TargetLogonId diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 8012f1b9..b7173ffd 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -206,7 +206,9 @@ impl Detection { record_info.record["Event"]["System"]["Computer"] .to_string() .replace("\"", ""), - get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]), + get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]) + .unwrap_or("-".to_owned()) + .to_string(), rule.yaml["title"].as_str().unwrap_or("").to_string(), rule.yaml["output"].as_str().unwrap_or("").to_string(), ); diff --git a/src/detections/print.rs b/src/detections/print.rs index e489587b..51e65acb 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -30,6 +30,7 @@ pub struct AlertMessage {} lazy_static! { pub static ref MESSAGES: Mutex = Mutex::new(Message::new()); + pub static ref ALIASREGEX: Regex = Regex::new(r"%[a-zA-Z0-9-_]+%").unwrap(); } impl Message { @@ -101,8 +102,7 @@ impl Message { fn parse_message(&mut self, event_record: &Value, output: String) -> String { let mut return_message: String = output; let mut hash_map: HashMap = HashMap::new(); - let re = Regex::new(r"%[a-zA-Z0-9-_]+%").unwrap(); - for caps in re.captures_iter(&return_message) { + for caps in ALIASREGEX.captures_iter(&return_message) { let full_target_str = &caps[0]; let target_length = full_target_str.chars().count() - 2; // The meaning of 2 is two percent let target_str = full_target_str @@ -118,16 +118,20 @@ impl Message { .get_event_key(target_str.to_string()) { let split: Vec<&str> = array_str.split(".").collect(); + let mut is_exist_event_key = false; let mut tmp_event_record: &Value = event_record.into(); for s in split { if let Some(record) = tmp_event_record.get(s) { + is_exist_event_key = true; tmp_event_record = record; } } - hash_map.insert( - full_target_str.to_string(), - get_serde_number_to_string(tmp_event_record), - ); + if is_exist_event_key { + let hash_value = get_serde_number_to_string(tmp_event_record); + if hash_value.is_some() { + hash_map.insert(full_target_str.to_string(), hash_value.unwrap()); + } + } } } @@ -332,4 +336,87 @@ mod tests { let mut stdout = stdout.lock(); AlertMessage::alert(&mut stdout, input.to_string()).expect("[WARN] TESTWarn!"); } + + #[test] + /// outputで指定されているキー(eventkey_alias.txt内で設定済み)から対象のレコード内の情報でメッセージをパースしているか確認する関数 + fn test_parse_message() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest1" + }, + "System": { + "Computer": "testcomputer1", + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + let expected = "commandline:parsetest1 computername:testcomputer1"; + assert_eq!( + message.parse_message( + &event_record, + "commandline:%CommandLine% computername:%ComputerName%".to_owned() + ), + expected, + ); + } + #[test] + /// outputで指定されているキーが、eventkey_alias.txt内で設定されていない場合の出力テスト + fn test_parse_message_not_exist_key_in_output() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest2" + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + let expected = "NoExistKey:%TESTNoExistKey%"; + assert_eq!( + message.parse_message(&event_record, "NoExistKey:%TESTNoExistKey%".to_owned()), + expected, + ); + } + #[test] + /// outputで指定されているキー(eventkey_alias.txt内で設定済み)が対象のレコード内に該当する情報がない場合の出力テスト + fn test_parse_message_not_exist_value_in_record() { + let mut message = Message::new(); + let json_str = r##" + { + "Event": { + "EventData": { + "CommandLine": "parsetest3" + }, + "System": { + "TimeCreated_attributes": { + "SystemTime": "1996-02-27T01:05:01Z" + } + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + let expected = "commandline:parsetest3 computername:%ComputerName%"; + assert_eq!( + message.parse_message( + &event_record, + "commandline:%CommandLine% computername:%ComputerName%".to_owned() + ), + expected, + ); + } } diff --git a/src/detections/utils.rs b/src/detections/utils.rs index f354c3b5..9df91ff7 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -94,11 +94,14 @@ pub fn get_event_id_key() -> String { } /// serde:Valueの型を確認し、文字列を返します。 -pub fn get_serde_number_to_string(value: &serde_json::Value) -> String { +pub fn get_serde_number_to_string(value: &serde_json::Value) -> Option { if value.is_string() { - return value.as_str().unwrap_or("").to_string(); + return Option::Some(value.as_str().unwrap_or("").to_string()); + } else if value.is_object() { + // Object type is not specified record value. + return Option::None; } else { - return value.to_string(); + return Option::Some(value.to_string()); } } @@ -163,6 +166,7 @@ pub fn create_tokio_runtime() -> Runtime { mod tests { use crate::detections::utils; use regex::Regex; + use serde_json::Value; #[test] fn test_check_regex() { @@ -191,4 +195,62 @@ mod tests { let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate2.exe\""; assert!(false == utils::check_allowlist(commandline, &allowlist)); } + + #[test] + /// Serde::Valueの数値型の値を文字列として返却することを確かめるテスト + fn test_get_serde_number_to_string() { + let json_str = r##" + { + "Event": { + "System": { + "EventID": 11111 + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + + assert_eq!( + utils::get_serde_number_to_string(&event_record["Event"]["System"]["EventID"]).unwrap(), + "11111".to_owned() + ); + } + + #[test] + /// Serde::Valueの文字列型の値を文字列として返却することを確かめるテスト + fn test_get_serde_number_serde_string_to_string() { + let json_str = r##" + { + "Event": { + "EventData": { + "ComputerName": "HayabusaComputer1" + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + + assert_eq!( + utils::get_serde_number_to_string(&event_record["Event"]["EventData"]["ComputerName"]) + .unwrap(), + "HayabusaComputer1".to_owned() + ); + } + + #[test] + /// Serde::Valueのオブジェクト型の内容を誤って渡した際にNoneを返却することを確かめるテスト + fn test_get_serde_number_serde_object_ret_none() { + let json_str = r##" + { + "Event": { + "EventData": { + "ComputerName": "HayabusaComputer1" + } + } + } + "##; + let event_record: Value = serde_json::from_str(json_str).unwrap(); + + assert!(utils::get_serde_number_to_string(&event_record["Event"]["EventData"]).is_none()); + } } From b10b714b36c8490ab6956488826a3391837865ef Mon Sep 17 00:00:00 2001 From: James Takai / hach1yon <32596618+hach1yon@users.noreply.github.com> Date: Sun, 5 Dec 2021 15:02:54 +0900 Subject: [PATCH 12/13] =?UTF-8?q?SIGMA=E3=83=AB=E3=83=BC=E3=83=AB=E3=81=AE?= =?UTF-8?q?=E5=A4=89=E6=8F=9B=E3=83=84=E3=83=BC=E3=83=AB=E3=81=AE=E3=83=86?= =?UTF-8?q?=E3=82=B9=E3=83=88=E3=82=B1=E3=83=BC=E3=82=B9=E4=BD=9C=E6=88=90?= =?UTF-8?q?=E3=81=A8=E3=83=90=E3=82=B0FIX=20(#261)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * grep検索に数値を指定されていると、sigmaルールの変換に失敗する問題を修正しました。 * add test files and bugfix for no timeframe. --- tools/sigmac/hayabusa.py | 12 +++++-- tools/sigmac/test_files/README.md | 12 +++++++ tools/sigmac/test_files/convert_test.sh | 3 ++ .../expected_rules/test_rules/test0001.yml | 17 +++++++++ .../expected_rules/test_rules/test0002.yml | 26 ++++++++++++++ .../expected_rules/test_rules/test0003.yml | 26 ++++++++++++++ .../expected_rules/test_rules/test0004.yml | 24 +++++++++++++ .../expected_rules/test_rules/test0005.yml | 26 ++++++++++++++ .../expected_rules/test_rules/test0006.yml | 20 +++++++++++ .../expected_rules/test_rules/test0007.yml | 20 +++++++++++ .../expected_rules/test_rules/test0008.yml | 20 +++++++++++ .../expected_rules/test_rules/test0009.yml | 26 ++++++++++++++ .../expected_rules/test_rules/test0010.yml | 35 +++++++++++++++++++ .../expected_rules/test_rules/test0011.yml | 33 +++++++++++++++++ .../expected_rules/test_rules/test0012.yml | 31 ++++++++++++++++ .../expected_rules/test_rules/test0013.yml | 31 ++++++++++++++++ .../expected_rules/test_rules/test0014.yml | 19 ++++++++++ .../expected_rules/test_rules/test0015.yml | 25 +++++++++++++ .../expected_rules/test_rules/test0016.yml | 25 +++++++++++++ .../expected_rules/test_rules/test0017.yml | 25 +++++++++++++ .../expected_rules/test_rules/test0018.yml | 27 ++++++++++++++ .../expected_rules/test_rules/test0019.yml | 18 ++++++++++ .../expected_rules/test_rules/test0020.yml | 27 ++++++++++++++ .../expected_rules/test_rules/test0021.yml | 20 +++++++++++ .../expected_rules/test_rules/test0022.yml | 20 +++++++++++ .../sigmac/test_files/test_rules/test0001.yml | 17 +++++++++ .../sigmac/test_files/test_rules/test0002.yml | 21 +++++++++++ .../sigmac/test_files/test_rules/test0003.yml | 22 ++++++++++++ .../sigmac/test_files/test_rules/test0004.yml | 23 ++++++++++++ .../sigmac/test_files/test_rules/test0005.yml | 24 +++++++++++++ .../sigmac/test_files/test_rules/test0006.yml | 18 ++++++++++ .../sigmac/test_files/test_rules/test0007.yml | 18 ++++++++++ .../sigmac/test_files/test_rules/test0008.yml | 18 ++++++++++ .../sigmac/test_files/test_rules/test0009.yml | 22 ++++++++++++ .../sigmac/test_files/test_rules/test0010.yml | 29 +++++++++++++++ .../sigmac/test_files/test_rules/test0011.yml | 28 +++++++++++++++ .../sigmac/test_files/test_rules/test0012.yml | 26 ++++++++++++++ .../sigmac/test_files/test_rules/test0013.yml | 26 ++++++++++++++ .../sigmac/test_files/test_rules/test0014.yml | 18 ++++++++++ .../sigmac/test_files/test_rules/test0015.yml | 24 +++++++++++++ .../sigmac/test_files/test_rules/test0016.yml | 24 +++++++++++++ .../sigmac/test_files/test_rules/test0017.yml | 24 +++++++++++++ .../sigmac/test_files/test_rules/test0018.yml | 25 +++++++++++++ .../sigmac/test_files/test_rules/test0019.yml | 17 +++++++++ .../sigmac/test_files/test_rules/test0020.yml | 25 +++++++++++++ .../sigmac/test_files/test_rules/test0021.yml | 19 ++++++++++ .../sigmac/test_files/test_rules/test0022.yml | 19 ++++++++++ 47 files changed, 1053 insertions(+), 2 deletions(-) create mode 100644 tools/sigmac/test_files/README.md create mode 100644 tools/sigmac/test_files/convert_test.sh create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0001.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0002.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0003.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0004.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0005.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0006.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0007.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0008.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0009.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0010.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0011.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0012.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0013.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0014.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0015.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0016.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0017.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0018.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0019.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0020.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0021.yml create mode 100644 tools/sigmac/test_files/expected_rules/test_rules/test0022.yml create mode 100644 tools/sigmac/test_files/test_rules/test0001.yml create mode 100644 tools/sigmac/test_files/test_rules/test0002.yml create mode 100644 tools/sigmac/test_files/test_rules/test0003.yml create mode 100644 tools/sigmac/test_files/test_rules/test0004.yml create mode 100644 tools/sigmac/test_files/test_rules/test0005.yml create mode 100644 tools/sigmac/test_files/test_rules/test0006.yml create mode 100644 tools/sigmac/test_files/test_rules/test0007.yml create mode 100644 tools/sigmac/test_files/test_rules/test0008.yml create mode 100644 tools/sigmac/test_files/test_rules/test0009.yml create mode 100644 tools/sigmac/test_files/test_rules/test0010.yml create mode 100644 tools/sigmac/test_files/test_rules/test0011.yml create mode 100644 tools/sigmac/test_files/test_rules/test0012.yml create mode 100644 tools/sigmac/test_files/test_rules/test0013.yml create mode 100644 tools/sigmac/test_files/test_rules/test0014.yml create mode 100644 tools/sigmac/test_files/test_rules/test0015.yml create mode 100644 tools/sigmac/test_files/test_rules/test0016.yml create mode 100644 tools/sigmac/test_files/test_rules/test0017.yml create mode 100644 tools/sigmac/test_files/test_rules/test0018.yml create mode 100644 tools/sigmac/test_files/test_rules/test0019.yml create mode 100644 tools/sigmac/test_files/test_rules/test0020.yml create mode 100644 tools/sigmac/test_files/test_rules/test0021.yml create mode 100644 tools/sigmac/test_files/test_rules/test0022.yml diff --git a/tools/sigmac/hayabusa.py b/tools/sigmac/hayabusa.py index 21c23e10..ae53c407 100644 --- a/tools/sigmac/hayabusa.py +++ b/tools/sigmac/hayabusa.py @@ -204,7 +204,7 @@ class HayabusaBackend(SingleTextQueryBackend): def generateANDNode(self, node): generated = list() for val in node: - if type(val) == str: + if type(val) == str or type(val) == int: # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース # keyが指定されていない場合は、EventLog全体をgrep検索することになっている。(詳細はSigmaルールの仕様書を参照のこと) # 具体的には"all of"とか使うとこの分岐に来る @@ -235,7 +235,7 @@ class HayabusaBackend(SingleTextQueryBackend): generated = list() for val in node: # 普通はtupleでkeyとvalueのペアであるが、これはkeyが指定されていないケース - if type(val) == str: + if type(val) == str or type(val) == int: if name is None: name = self.create_new_selection() self.name_2_selection[name] = list() @@ -270,9 +270,16 @@ class HayabusaBackend(SingleTextQueryBackend): bs.write("title: " + parsed_yaml["title"]+"\n") bs.write("ruletype: SIGMA\n") del parsed_yaml["title"] + + # detectionの部分をクリアする前にtimeflameだけ確保しておく。 + timeflame = None + if "timeflame" in parsed_yaml["detection"]: + timeflame = parsed_yaml["detection"]["timeflame"] # detectionの部分だけ変更して出力する。 parsed_yaml["detection"] = {} + if timeflame is not None and len(timeflame) != 0: + parsed_yaml["detection"]["timeflame"] = timeflame parsed_yaml["detection"]["condition"] = result for key, values in self.name_2_selection.items(): # fieldnameの有無を確認している @@ -290,6 +297,7 @@ class HayabusaBackend(SingleTextQueryBackend): else: ## is_keyword_list() == Falseの場合 parsed_yaml["detection"][key][fieldname] = value + yaml.dump(parsed_yaml, bs, indent=4, default_flow_style=False) ret = bs.getvalue() ret += "---\n" diff --git a/tools/sigmac/test_files/README.md b/tools/sigmac/test_files/README.md new file mode 100644 index 00000000..2acc1f95 --- /dev/null +++ b/tools/sigmac/test_files/README.md @@ -0,0 +1,12 @@ +このフォルダにはテストに必要なファイルが格納されています。 +テストを実行する際には、toos/sigmacにあるファイルに加え、このフォルダのファイルもsigmaディレクトリにコピーしてください。 + +このフォルダにあるファイルについて説明します。 +* test_rules: テスト用のSIGMAルールが格納されたフォルダです。 +* convert_test.sh: テストを実行するためのシェルスクリプトです。test_rulesフォルダ内のSIGMAルールをhayabusaルールに変換し、hayabusa_rules_testフォルダに出力します。 +* expected_rules: test_rulesフォルダ内のルールを正しく変換すると、このフォルダに設置されているhayabusaルールと同じになるはずです。 + +テストは下記のように実行します。 +* convert_test.shを実行する。 +* WinMerge等のツールを利用して、expected_rulesフォルダとhayabusa_rules_testフォルダに差分を確認する。 +* 差分が無ければテストOKです。差分があれば、内容を確認して適宜修正してください。 \ No newline at end of file diff --git a/tools/sigmac/test_files/convert_test.sh b/tools/sigmac/test_files/convert_test.sh new file mode 100644 index 00000000..1577bf98 --- /dev/null +++ b/tools/sigmac/test_files/convert_test.sh @@ -0,0 +1,3 @@ +rm -rf hayabusa_rules +python ./tools/sigmac -t hayabusa --config ./tools/config/generic/sysmon.yml --defer-abort -r test_rules/ > sigma_to_hayabusa.yml +python splitter.py hayabusa_rules_test \ No newline at end of file diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml new file mode 100644 index 00000000..17d7b15b --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0001.yml @@ -0,0 +1,17 @@ +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "simple test\n" +detection: + SELECTION_1: + EventID: 4100 + condition: SELECTION_1 +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml new file mode 100644 index 00000000..0956adc4 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0002.yml @@ -0,0 +1,26 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "map test and escape str test and empty string test and null test\n" +detection: + SELECTION_1: + EventID: 4100 + SELECTION_2: + ObjectType: Key + SELECTION_3: + ObjectKey: "aaaValu__-*|3'|e " + SELECTION_4: + Ojb: '' + SELECTION_5: + aaa|re: ^$ + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml new file mode 100644 index 00000000..6384fdea --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0003.yml @@ -0,0 +1,26 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "list test\n" +detection: + SELECTION_1: + EventID: 4100 + SELECTION_2: + EventID: 9000 + SELECTION_3: + EventID: 8000 + SELECTION_4: + EventID: aaaa + SELECTION_5: + ObjectType: Key + condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) and SELECTION_5) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml new file mode 100644 index 00000000..0b70a617 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0004.yml @@ -0,0 +1,24 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "list test\n" +detection: + SELECTION_1: + - 2 + - dee + - testtesttest + SELECTION_2: + EventID: 22 + SELECTION_3: + EventID: 33 + condition: ((SELECTION_1) and (SELECTION_2 or SELECTION_3)) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml new file mode 100644 index 00000000..45ff5edd --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0005.yml @@ -0,0 +1,26 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "all modifier\n" +detection: + SELECTION_1: + - 2 + - dee + - testtesttest + SELECTION_2: + EventID: 22 + SELECTION_3: + EventID: 33 + SELECTION_4: + EventID: hoge + condition: ((SELECTION_1) and (SELECTION_2 and SELECTION_3 and SELECTION_4)) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml new file mode 100644 index 00000000..e465f6c2 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0006.yml @@ -0,0 +1,20 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "contains modifier\n" +detection: + SELECTION_1: + UserName: '*hogehoge*' + SELECTION_2: + TargetUserName: '*testest2*' + condition: (SELECTION_1 or SELECTION_2) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml new file mode 100644 index 00000000..f2e195fe --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0007.yml @@ -0,0 +1,20 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "endswith pipe modifier and startswith pipe modifier\n" +detection: + SELECTION_1: + UserName: '*hogehoge_end' + SELECTION_2: + TargetUserName: test_start* + condition: (SELECTION_1 or SELECTION_2) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml new file mode 100644 index 00000000..528a19ba --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0008.yml @@ -0,0 +1,20 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "base64 encode modifier\n" +detection: + SELECTION_1: + UserName: YmFzZTY0X2VuY29kZWQ= + SELECTION_2: + TargetUserName: test_start + condition: (SELECTION_1 and SELECTION_2) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml new file mode 100644 index 00000000..b2aa7f97 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0009.yml @@ -0,0 +1,26 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "re modifier test\n" +detection: + SELECTION_1: + UserName|re: aaa + SELECTION_2: + UserName2|re: .*bbbb$ + SELECTION_3: + UserName3|re: cccc/dd/dd + SELECTION_4: + UserName4|re: cccc"dddd + SELECTION_5: + UserName5|re: cccc"dddd + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml new file mode 100644 index 00000000..cb40bd15 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0010.yml @@ -0,0 +1,35 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "all of test\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + EventID: 7 + SELECTION_3: + EventID: a + SELECTION_4: + UserName: abc + SELECTION_5: + process: nnn + SELECTION_6: + parentprocess: 2 + SELECTION_7: + uuu: zzzz + SELECTION_8: + xxxx: 3 + SELECTION_9: + ppp: iiii + condition: (((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 + and SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_9) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml new file mode 100644 index 00000000..07148a22 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0011.yml @@ -0,0 +1,33 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "1 of\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + EventID: 7 + SELECTION_3: + UserName: abc + SELECTION_4: + process: nnn + SELECTION_5: + parentprocess: sss + SELECTION_6: + uuu: zzzz + SELECTION_7: + xxxx: yyyyy + SELECTION_8: + ppp: iiii + condition: ((((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and + SELECTION_5) or (SELECTION_6 and SELECTION_7)) and SELECTION_8) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml new file mode 100644 index 00000000..b94ef374 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0012.yml @@ -0,0 +1,31 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "all of them\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + EventID: 7 + SELECTION_3: + UserName: abc + SELECTION_4: + process: nnn + SELECTION_5: + parentprocess: sss + SELECTION_6: + uuu: zzzz + SELECTION_7: + xxxx: yyyyy + condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4 and SELECTION_5 + and SELECTION_6 and SELECTION_7) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml new file mode 100644 index 00000000..7e671144 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0013.yml @@ -0,0 +1,31 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "1 of them\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + EventID: 7 + SELECTION_3: + UserName: abc + SELECTION_4: + process: nnn + SELECTION_5: + parentprocess: sss + SELECTION_6: + uuu: zzzz + SELECTION_7: + xxxx: yyyyy + condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3) or (SELECTION_4 and SELECTION_5) + or (SELECTION_6 and SELECTION_7)) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml new file mode 100644 index 00000000..7b1a1b91 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0014.yml @@ -0,0 +1,19 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "timeflame \n" +detection: + SELECTION_1: + EventID: 3 + condition: SELECTION_1 + timeflame: 2d +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml new file mode 100644 index 00000000..9704c256 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0015.yml @@ -0,0 +1,25 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition and or\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + SELECTION_3: + ccc: ddd + SELECTION_4: + eee: fff + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) + timeflame: 2d +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml new file mode 100644 index 00000000..9704c256 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0016.yml @@ -0,0 +1,25 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition and or\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + SELECTION_3: + ccc: ddd + SELECTION_4: + eee: fff + condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) + timeflame: 2d +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml new file mode 100644 index 00000000..469beb17 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0017.yml @@ -0,0 +1,25 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition or\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + SELECTION_3: + ccc: ddd + SELECTION_4: + eee: fff + condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4) + timeflame: 2d +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml new file mode 100644 index 00000000..dca7a7fc --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0018.yml @@ -0,0 +1,27 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "() \n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + SELECTION_3: + ccc: ddd + SELECTION_4: + eee: fff + SELECTION_5: + ggg: hhh + condition: ((SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4))) or + SELECTION_5) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml new file mode 100644 index 00000000..e2087c51 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0019.yml @@ -0,0 +1,18 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition not\n" +detection: + SELECTION_1: + EventID: 3 + condition: ' not (SELECTION_1)' +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml new file mode 100644 index 00000000..1c35eca0 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0020.yml @@ -0,0 +1,27 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition not ()\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + SELECTION_3: + ccc: ddd + SELECTION_4: + eee: fff + SELECTION_5: + ggg: hhh + condition: ( not (SELECTION_1) and not ((SELECTION_2 and not ((SELECTION_3 or + SELECTION_4)))) and SELECTION_5) +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml new file mode 100644 index 00000000..db718506 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0021.yml @@ -0,0 +1,20 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition count\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + condition: (SELECTION_1 and not (SELECTION_2)) | count() < 3 +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml b/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml new file mode 100644 index 00000000..554b9fc5 --- /dev/null +++ b/tools/sigmac/test_files/expected_rules/test_rules/test0022.yml @@ -0,0 +1,20 @@ + +title: test +ruletype: SIGMA +author: test +date: 2021/12/4 +description: "condition count\n" +detection: + SELECTION_1: + EventID: 3 + SELECTION_2: + aaa: bbb + condition: (SELECTION_1 and not (SELECTION_2)) | count(TEAMNAME) by HOGE < 3 +falsepositives: +- Unknown +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +level: medium +logsource: + product: windows + service: security +status: experimental diff --git a/tools/sigmac/test_files/test_rules/test0001.yml b/tools/sigmac/test_files/test_rules/test0001.yml new file mode 100644 index 00000000..3d233a93 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0001.yml @@ -0,0 +1,17 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + simple test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + EventID: 4100 + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0002.yml b/tools/sigmac/test_files/test_rules/test0002.yml new file mode 100644 index 00000000..8e062ce7 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0002.yml @@ -0,0 +1,21 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + map test and escape str test and empty string test and null test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + EventID: 4100 + ObjectType: 'Key' + ObjectKey: 'aaaValu__-*|3''|e ' + Ojb: '' + aaa: null + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0003.yml b/tools/sigmac/test_files/test_rules/test0003.yml new file mode 100644 index 00000000..ef68446b --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0003.yml @@ -0,0 +1,22 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + list test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4100 + - 9000 + - 8000 + - "aaaa" + ObjectType: 'Key' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0004.yml b/tools/sigmac/test_files/test_rules/test0004.yml new file mode 100644 index 00000000..c6bb133f --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0004.yml @@ -0,0 +1,23 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + list test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + - 2 + - dee + - testtesttest + SELECTION_2: + EventID: + - 22 + - 33 + condition: selection and SELECTION_2 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0005.yml b/tools/sigmac/test_files/test_rules/test0005.yml new file mode 100644 index 00000000..98ba2fdd --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0005.yml @@ -0,0 +1,24 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + all modifier +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + - 2 + - dee + - testtesttest + SELECTION_2: + EventID|all: + - 22 + - 33 + - hoge + condition: selection and SELECTION_2 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0006.yml b/tools/sigmac/test_files/test_rules/test0006.yml new file mode 100644 index 00000000..20733f21 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0006.yml @@ -0,0 +1,18 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + contains modifier +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + - UserName|contains: hogehoge + - TargetUserName|contains: testest2 + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0007.yml b/tools/sigmac/test_files/test_rules/test0007.yml new file mode 100644 index 00000000..80cf4554 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0007.yml @@ -0,0 +1,18 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + endswith pipe modifier and startswith pipe modifier +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + - UserName|endswith: hogehoge_end + - TargetUserName|startswith: test_start + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0008.yml b/tools/sigmac/test_files/test_rules/test0008.yml new file mode 100644 index 00000000..f9a7dee8 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0008.yml @@ -0,0 +1,18 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + base64 encode modifier +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + UserName|base64: base64_encoded + TargetUserName: test_start + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0009.yml b/tools/sigmac/test_files/test_rules/test0009.yml new file mode 100644 index 00000000..42a3bd54 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0009.yml @@ -0,0 +1,22 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + re modifier test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection: + UserName|re: aaa + UserName2|re: .*bbbb$ + UserName3|re: cccc\/dd/\//dd # see hayabusa.py generateMapItemTypedNode() + UserName4|re: cccc\"dd"\""dd # see hayabusa.py generateMapItemTypedNode() + UserName5|re: cccc{{3}0dddd # see hayabusa.py generateMapItemTypedNode() + UserName6|re: cccc{{3}0d{32}dd # see hayabusa.py generateMapItemTypedNode() + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0010.yml b/tools/sigmac/test_files/test_rules/test0010.yml new file mode 100644 index 00000000..4c2598cb --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0010.yml @@ -0,0 +1,29 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + all of test +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: + - 3 + - 7 + - a + UserName: abc + selection2: + process: nnn + parentprocess: 2 + selection3: + uuu: zzzz + xxxx: 3 + another: + ppp: iiii + condition: all of selection* or another +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0011.yml b/tools/sigmac/test_files/test_rules/test0011.yml new file mode 100644 index 00000000..bdc09249 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0011.yml @@ -0,0 +1,28 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + 1 of +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: + - 3 + - 7 + UserName: abc + selection2: + process: nnn + parentprocess: sss + selection3: + uuu: zzzz + xxxx: yyyyy + another: + ppp: iiii + condition: 1 of selection* and another +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0012.yml b/tools/sigmac/test_files/test_rules/test0012.yml new file mode 100644 index 00000000..60d4bcb2 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0012.yml @@ -0,0 +1,26 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + all of them +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: + - 3 + - 7 + UserName: abc + selection2: + process: nnn + parentprocess: sss + selection3: + uuu: zzzz + xxxx: yyyyy + condition: all of them +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0013.yml b/tools/sigmac/test_files/test_rules/test0013.yml new file mode 100644 index 00000000..7a3b8448 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0013.yml @@ -0,0 +1,26 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + 1 of them +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: + - 3 + - 7 + UserName: abc + selection2: + process: nnn + parentprocess: sss + selection3: + uuu: zzzz + xxxx: yyyyy + condition: 1 of them +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0014.yml b/tools/sigmac/test_files/test_rules/test0014.yml new file mode 100644 index 00000000..1f36774a --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0014.yml @@ -0,0 +1,18 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + timeflame +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + timeflame: 2d + condition: selection1 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0015.yml b/tools/sigmac/test_files/test_rules/test0015.yml new file mode 100644 index 00000000..ef674743 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0015.yml @@ -0,0 +1,24 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition and or +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + selection3: + ccc: ddd + selection4: + eee: fff + timeflame: 2d + condition: selection1 and selection2 and selection3 and selection4 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0016.yml b/tools/sigmac/test_files/test_rules/test0016.yml new file mode 100644 index 00000000..a16e3389 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0016.yml @@ -0,0 +1,24 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition and +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + selection3: + ccc: ddd + selection4: + eee: fff + timeflame: 2d + condition: selection1 and selection2 and selection3 and selection4 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0017.yml b/tools/sigmac/test_files/test_rules/test0017.yml new file mode 100644 index 00000000..5ce12de6 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0017.yml @@ -0,0 +1,24 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition or +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + selection3: + ccc: ddd + selection4: + eee: fff + timeflame: 2d + condition: selection1 or selection2 or selection3 or selection4 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0018.yml b/tools/sigmac/test_files/test_rules/test0018.yml new file mode 100644 index 00000000..63747c22 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0018.yml @@ -0,0 +1,25 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + () +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + selection3: + ccc: ddd + selection4: + eee: fff + selection5: + ggg: hhh + condition: selection1 and ( selection2 or (selection3 and selection4) ) or selection5 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0019.yml b/tools/sigmac/test_files/test_rules/test0019.yml new file mode 100644 index 00000000..95c3abbe --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0019.yml @@ -0,0 +1,17 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition not +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + condition: not selection1 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0020.yml b/tools/sigmac/test_files/test_rules/test0020.yml new file mode 100644 index 00000000..24eb01dc --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0020.yml @@ -0,0 +1,25 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition not () +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + selection3: + ccc: ddd + selection4: + eee: fff + selection5: + ggg: hhh + condition: not selection1 and not( selection2 and not (selection3 or selection4)) and selection5 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0021.yml b/tools/sigmac/test_files/test_rules/test0021.yml new file mode 100644 index 00000000..0a0568dd --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0021.yml @@ -0,0 +1,19 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition count +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + condition: selection1 and not selection2 | count() < 3 +falsepositives: + - Unknown +level: medium diff --git a/tools/sigmac/test_files/test_rules/test0022.yml b/tools/sigmac/test_files/test_rules/test0022.yml new file mode 100644 index 00000000..ec0587a1 --- /dev/null +++ b/tools/sigmac/test_files/test_rules/test0022.yml @@ -0,0 +1,19 @@ +title: test +id: ff151c33-45fa-475d-af4f-c2f93571f4fe +description: | + condition count +status: experimental +date: 2021/12/4 +author: test +logsource: + product: windows + service: security +detection: + selection1: + EventID: 3 + selection2: + aaa: bbb + condition: selection1 and not selection2 | count(TEAMNAME) by HOGE < 3 +falsepositives: + - Unknown +level: medium From 50daf1d71631e5aa99bc9bf07f1ada410b4c69d9 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 5 Dec 2021 15:05:09 +0900 Subject: [PATCH 13/13] Feature/improve rule file read time#254 (#260) * fixed cached aggregation parser regex #254 * fixed cached condition parser regex #254 * fixed cached condition parser regex re_pipe #254 --- src/detections/rule/aggregation_parser.rs | 44 +++++++++++------------ src/detections/rule/condition_parser.rs | 33 ++++++++--------- 2 files changed, 37 insertions(+), 40 deletions(-) diff --git a/src/detections/rule/aggregation_parser.rs b/src/detections/rule/aggregation_parser.rs index 92fd56ff..9324daf7 100644 --- a/src/detections/rule/aggregation_parser.rs +++ b/src/detections/rule/aggregation_parser.rs @@ -1,5 +1,23 @@ +use lazy_static::lazy_static; use regex::Regex; +lazy_static! { + // ここで字句解析するときに使う正規表現の一覧を定義する。 + // ここはSigmaのGithubレポジトリにある、toos/sigma/parser/condition.pyのSigmaConditionTokenizerのtokendefsを参考にしています。 + pub static ref AGGREGATION_REGEXMAP: Vec = vec![ + Regex::new(r"^count\( *\w* *\)").unwrap(), // countの式 + Regex::new(r"^ ").unwrap(), + Regex::new(r"^by").unwrap(), + Regex::new(r"^==").unwrap(), + Regex::new(r"^<=").unwrap(), + Regex::new(r"^>=").unwrap(), + Regex::new(r"^<").unwrap(), + Regex::new(r"^>").unwrap(), + Regex::new(r"^\w+").unwrap(), + ]; + pub static ref RE_PIPE: Regex = Regex::new(r"\|.*").unwrap(); +} + #[derive(Debug)] pub struct AggregationParseInfo { pub _field_name: Option, // countの括弧に囲まれた部分の文字 @@ -24,28 +42,11 @@ pub enum AggregationConditionToken { /// SIGMAルールでいうAggregationConditionを解析する。 /// AggregationConditionはconditionに指定された式のパイプ以降の部分を指してます。 #[derive(Debug)] -pub struct AggegationConditionCompiler { - regex_patterns: Vec, -} +pub struct AggegationConditionCompiler {} impl AggegationConditionCompiler { pub fn new() -> Self { - // ここで字句解析するときに使う正規表現の一覧を定義する。 - // ここはSigmaのGithubレポジトリにある、toos/sigma/parser/condition.pyのSigmaConditionTokenizerのtokendefsを参考にしています。 - let mut regex_patterns = vec![]; - regex_patterns.push(Regex::new(r"^count\( *\w* *\)").unwrap()); // countの式 - regex_patterns.push(Regex::new(r"^ ").unwrap()); - regex_patterns.push(Regex::new(r"^by").unwrap()); - regex_patterns.push(Regex::new(r"^==").unwrap()); - regex_patterns.push(Regex::new(r"^<=").unwrap()); - regex_patterns.push(Regex::new(r"^>=").unwrap()); - regex_patterns.push(Regex::new(r"^<").unwrap()); - regex_patterns.push(Regex::new(r"^>").unwrap()); - regex_patterns.push(Regex::new(r"^\w+").unwrap()); - - return AggegationConditionCompiler { - regex_patterns: regex_patterns, - }; + AggegationConditionCompiler {} } pub fn compile(&self, condition_str: String) -> Result, String> { @@ -65,8 +66,7 @@ impl AggegationConditionCompiler { condition_str: String, ) -> Result, String> { // パイプの部分だけを取り出す - let re_pipe = Regex::new(r"\|.*").unwrap(); - let captured = re_pipe.captures(&condition_str); + let captured = self::RE_PIPE.captures(&condition_str); if captured.is_none() { // パイプが無いので終了 return Result::Ok(Option::None); @@ -94,7 +94,7 @@ impl AggegationConditionCompiler { let mut tokens = Vec::new(); while cur_condition_str.len() != 0 { - let captured = self.regex_patterns.iter().find_map(|regex| { + let captured = self::AGGREGATION_REGEXMAP.iter().find_map(|regex| { return regex.captures(cur_condition_str.as_str()); }); if captured.is_none() { diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index 3a1e3af4..349f558f 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -1,3 +1,4 @@ +use lazy_static::lazy_static; use regex::Regex; use self::selectionnodes::{ @@ -6,6 +7,16 @@ use self::selectionnodes::{ use super::selectionnodes; use std::{collections::HashMap, sync::Arc}; +lazy_static! { + pub static ref CONDITION_REGEXMAP: Vec = vec![ + Regex::new(r"^\(").unwrap(), + Regex::new(r"^\)").unwrap(), + Regex::new(r"^ ").unwrap(), + Regex::new(r"^\w+").unwrap(), + ]; + pub static ref RE_PIPE: Regex = Regex::new(r"\|.*").unwrap(); +} + #[derive(Debug, Clone)] /// 字句解析で出てくるトークン pub enum ConditionToken { @@ -92,25 +103,12 @@ impl ConditionToken { } #[derive(Debug)] -pub struct ConditionCompiler { - regex_patterns: Vec, -} +pub struct ConditionCompiler {} // conditionの式を読み取るクラス。 impl ConditionCompiler { pub fn new() -> Self { - // ここで字句解析するときに使う正規表現の一覧を定義する。 - let mut regex_patterns = vec![]; - regex_patterns.push(Regex::new(r"^\(").unwrap()); - regex_patterns.push(Regex::new(r"^\)").unwrap()); - regex_patterns.push(Regex::new(r"^ ").unwrap()); - // ^\w+については、sigmaのソースのsigma/tools/sigma/parser/condition.pyのSigmaConditionTokenizerを参考にしている。 - // 上記ソースの(SigmaConditionToken.TOKEN_ID, re.compile("[\\w*]+")),を参考。 - regex_patterns.push(Regex::new(r"^\w+").unwrap()); - - return ConditionCompiler { - regex_patterns: regex_patterns, - }; + ConditionCompiler {} } pub fn compile_condition( @@ -119,8 +117,7 @@ impl ConditionCompiler { name_2_node: &HashMap>>, ) -> Result, String> { // パイプはここでは処理しない - let re_pipe = Regex::new(r"\|.*").unwrap(); - let captured = re_pipe.captures(&condition_str); + let captured = self::RE_PIPE.captures(&condition_str); let condition_str = if captured.is_some() { let captured = captured.unwrap().get(0).unwrap().as_str().to_string(); condition_str.replacen(&captured, "", 1) @@ -192,7 +189,7 @@ impl ConditionCompiler { let mut tokens = Vec::new(); while cur_condition_str.len() != 0 { - let captured = self.regex_patterns.iter().find_map(|regex| { + let captured = self::CONDITION_REGEXMAP.iter().find_map(|regex| { return regex.captures(cur_condition_str.as_str()); }); if captured.is_none() {