Second round

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -5,10 +5,6 @@ description: Clear command history in network OS which is used for defense evasi
 author: Austin Clark
 date: 2019/08/12
 modified: 2020/09/02
-tags:
-    - attack.defense_evasion
-    - attack.t1146          # an old one
-    - attack.t1070.003
 logsource:
     product: cisco
     service: aaa
@@ -27,3 +23,7 @@ detection:
 falsepositives:
     - Legitimate administrators may run these commands
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1146          # an old one
+    - attack.t1070.003

rules/network/cisco/aaa/cisco_cli_collect_data.yml

@@ -5,16 +5,6 @@ description: Collect pertinent data from the configuration files
 author: Austin Clark
 date: 2019/08/11
 modified: 2020/09/02
-tags:
-    - attack.discovery
-    - attack.credential_access
-    - attack.collection
-    - attack.t1087           # an old one
-    - attack.t1087.001
-    - attack.t1003           # an old one
-    - attack.t1081           # an old one
-    - attack.t1552.001
-    - attack.t1005
 logsource:
     product: cisco
     service: aaa
@@ -35,3 +25,13 @@ detection:
 falsepositives:
     - Commonly run by administrators
 level: low
+tags:
+    - attack.discovery
+    - attack.credential_access
+    - attack.collection
+    - attack.t1087           # an old one
+    - attack.t1087.001
+    - attack.t1003           # an old one
+    - attack.t1081           # an old one
+    - attack.t1552.001
+    - attack.t1005

rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

@@ -4,13 +4,6 @@ status: experimental
 description: Show when private keys are being exported from the device, or when new certificates are installed
 author: Austin Clark
 date: 2019/08/12
-tags:
-    - attack.credential_access
-    - attack.defense_evasion
-    - attack.t1130          # an old one
-    - attack.t1553.004
-    - attack.t1145          # an old one
-    - attack.t1552.004
 logsource:
     product: cisco
     service: aaa
@@ -30,3 +23,10 @@ detection:
 falsepositives:
     - Not commonly run by administrators. Also whitelist your known good certificates
 level: high
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.t1130          # an old one
+    - attack.t1553.004
+    - attack.t1145          # an old one
+    - attack.t1552.004

rules/network/cisco/aaa/cisco_cli_disable_logging.yml

@@ -4,10 +4,6 @@ status: experimental
 description: Turn off logging locally or remote
 author: Austin Clark
 date: 2019/08/11
-tags:
-    - attack.defense_evasion
-    - attack.t1089          # an old one
-    - attack.t1562.001
 logsource:
     product: cisco
     service: aaa
@@ -26,3 +22,7 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1089          # an old one
+    - attack.t1562.001

rules/network/cisco/aaa/cisco_cli_discovery.yml

@@ -4,17 +4,6 @@ status: experimental
 description: Find information about network devices that is not stored in config files
 author: Austin Clark
 date: 2019/08/12
-tags:
-    - attack.discovery
-    - attack.t1083
-    - attack.t1201
-    - attack.t1057
-    - attack.t1018
-    - attack.t1082
-    - attack.t1016
-    - attack.t1049
-    - attack.t1033
-    - attack.t1124
 logsource:
     product: cisco
     service: aaa
@@ -42,3 +31,14 @@ detection:
 falsepositives:
     - Commonly used by administrators for troubleshooting
 level: low
+tags:
+    - attack.discovery
+    - attack.t1083
+    - attack.t1201
+    - attack.t1057
+    - attack.t1018
+    - attack.t1082
+    - attack.t1016
+    - attack.t1049
+    - attack.t1033
+    - attack.t1124

rules/network/cisco/aaa/cisco_cli_dos.yml

@@ -5,12 +5,6 @@ description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
 date: 2019/08/15
 modified: 2020/09/02
-tags:
-    - attack.impact
-    - attack.t1495
-    - attack.t1529
-    - attack.t1492          # an old one
-    - attack.t1565.001
 logsource:
     product: cisco
     service: aaa
@@ -26,3 +20,9 @@ detection:
 falsepositives:
     - Legitimate administrators may run these commands, though rarely.
 level: medium
+tags:
+    - attack.impact
+    - attack.t1495
+    - attack.t1529
+    - attack.t1492          # an old one
+    - attack.t1565.001

rules/network/cisco/aaa/cisco_cli_file_deletion.yml

@@ -4,15 +4,6 @@ status: experimental
 description: See what files are being deleted from flash file systems
 author: Austin Clark
 date: 2019/08/12
-tags:
-    - attack.defense_evasion
-    - attack.impact
-    - attack.t1107          # an old one
-    - attack.t1070.004
-    - attack.t1488          # an old one
-    - attack.t1561.001
-    - attack.t1487          # an old one
-    - attack.t1561.002
 logsource:
     product: cisco
     service: aaa
@@ -28,3 +19,12 @@ detection:
 falsepositives:
     - Will be used sometimes by admins to clean up local flash space
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.impact
+    - attack.t1107          # an old one
+    - attack.t1070.004
+    - attack.t1488          # an old one
+    - attack.t1561.001
+    - attack.t1487          # an old one
+    - attack.t1561.002

rules/network/cisco/aaa/cisco_cli_input_capture.yml

@@ -5,10 +5,6 @@ description: See what commands are being input into the device by other people,
 author: Austin Clark
 date: 2019/08/11
 modified: 2020/09/02
-tags:
-    - attack.credential_access
-    - attack.t1139          # an old one
-    - attack.t1552.003
 logsource:
     product: cisco
     service: aaa
@@ -24,3 +20,8 @@ detection:
 falsepositives:
     - Not commonly run by administrators, especially if remote logging is configured
 level: medium
+tags:
+    - attack.credential_access
+    - attack.t1139          # an old one
+    - attack.t1552.003
+    

rules/network/cisco/aaa/cisco_cli_local_accounts.yml

@@ -5,11 +5,6 @@ description: Find local accounts being created or modified as well as remote aut
 author: Austin Clark
 date: 2019/08/12
 modified: 2020/09/02
-tags:
-    - attack.persistence
-    - attack.t1136          # an old one
-    - attack.t1136.001
-    - attack.t1098
 logsource:
     product: cisco
     service: aaa
@@ -24,3 +19,8 @@ detection:
 falsepositives:
     - When remote authentication is in place, this should not change often
 level: high
+tags:
+    - attack.persistence
+    - attack.t1136          # an old one
+    - attack.t1136.001
+    - attack.t1098

rules/network/cisco/aaa/cisco_cli_modify_config.yml

@@ -5,15 +5,6 @@ description: Modifications to a config that will serve an adversary's impacts or
 author: Austin Clark
 date: 2019/08/12
 modified: 2020/09/02
-tags:
-    - attack.persistence
-    - attack.impact
-    - attack.t1490
-    - attack.t1505
-    - attack.t1493          # an old one
-    - attack.t1565.002
-    - attack.t1168          # an old one
-    - attack.t1053
 logsource:
     product: cisco
     service: aaa
@@ -34,3 +25,12 @@ detection:
 falsepositives:
     - Legitimate administrators may run these commands
 level: medium
+tags:
+    - attack.persistence
+    - attack.impact
+    - attack.t1490
+    - attack.t1505
+    - attack.t1493          # an old one
+    - attack.t1565.002
+    - attack.t1168          # an old one
+    - attack.t1053

rules/network/cisco/aaa/cisco_cli_moving_data.yml

@@ -5,15 +5,6 @@ description: Various protocols maybe used to put data on the device for exfil or
 author: Austin Clark
 date: 2019/08/12
 modified: 2020/09/02
-tags:
-    - attack.collection
-    - attack.lateral_movement
-    - attack.command_and_control
-    - attack.exfiltration
-    - attack.t1074
-    - attack.t1105
-    - attack.t1002          # an old one
-    - attack.t1560.001
 logsource:
     product: cisco
     service: aaa
@@ -32,3 +23,12 @@ detection:
 falsepositives:
     - Generally used to copy configs or IOS images
 level: low
+tags:
+    - attack.collection
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.exfiltration
+    - attack.t1074
+    - attack.t1105
+    - attack.t1002          # an old one
+    - attack.t1560.001

rules/network/cisco/aaa/cisco_cli_net_sniff.yml

@@ -4,10 +4,6 @@ status: experimental
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
 date: 2019/08/11
-tags:
-    - attack.credential_access
-    - attack.discovery
-    - attack.t1040
 logsource:
     product: cisco
     service: aaa
@@ -23,3 +19,7 @@ detection:
 falsepositives:
     - Admins may setup new or modify old spans, or use a monitor for troubleshooting
 level: medium
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040

rules/network/net_apt_equationgroup_c2.yml

@@ -1,14 +1,11 @@
 title: Equation Group C2 Communication
 id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
+author: Florian Roth
+date: 2017/04/15
 references:
     - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
     - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-tags:
-    - attack.command_and_control
-    - attack.g0020
-author: Florian Roth
-date: 2017/04/15
 logsource:
     category: firewall
 detection:
@@ -24,3 +21,6 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.g0020

rules/network/net_dns_c2_detection.yml

@@ -3,19 +3,12 @@ id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
 status: experimental
 description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
     which can be an indicator that DNS is used to transfer data.
-references:
-    - https://zeltser.com/c2-dns-tunneling/
-    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 author: Patrick Bareiss
 date: 2019/04/07
 modified: 2020/08/27
-tags:
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
-    - attack.exfiltration
-    - attack.t1048 # an old one
-    - attack.t1048.003
+references:
+    - https://zeltser.com/c2-dns-tunneling/
+    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
 logsource:
     category: dns
 detection:
@@ -25,3 +18,10 @@ detection:
 falsepositives:
     - Valid software, which uses dns for transferring data
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003

rules/network/net_high_dns_bytes_out.yml

@@ -1,18 +1,18 @@
 action: global
 title: High DNS Bytes Out
 id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
-description: High DNS queries bytes amount from host per short period of time
 status: experimental
+description: High DNS queries bytes amount from host per short period of time
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2020/08/27
+falsepositives:
+    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
+level: medium
 tags:
     - attack.exfiltration
     - attack.t1048 # an old one
     - attack.t1048.003
-falsepositives:
-    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
-level: medium
 ---
 logsource:
     category: dns

rules/network/net_high_dns_requests_rate.yml

@@ -1,11 +1,14 @@
 action: global
 title: High DNS Requests Rate
 id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
-description: High DNS requests amount from host per short period of time
 status: experimental
+description: High DNS requests amount from host per short period of time
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2020/08/27
+falsepositives:
+    - Legitimate high DNS requests rate to domain name which should be added to whitelist
+level: medium
 tags:
     - attack.exfiltration
     - attack.t1048 # an old one
@@ -13,9 +16,6 @@ tags:
     - attack.command_and_control
     - attack.t1071 # an old one
     - attack.t1071.004
-falsepositives:
-    - Legitimate high DNS requests rate to domain name which should be added to whitelist
-level: medium
 ---
 logsource:
     category: dns

rules/network/net_high_null_records_requests_rate.yml

@@ -1,17 +1,10 @@
 title: High NULL Records Requests Rate
 id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
-description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
 status: experimental
+description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2020/08/27
-tags:
-    - attack.exfiltration
-    - attack.t1048 # an old one
-    - attack.t1048.003
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
 logsource:
     category: dns
 detection:
@@ -22,3 +15,10 @@ detection:
 falsepositives:
     - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
 level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004

rules/network/net_high_txt_records_requests_rate.yml

@@ -1,17 +1,10 @@
 title: High TXT Records Requests Rate
 id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
-description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
 status: experimental
+description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2020/08/27
-tags:
-    - attack.exfiltration
-    - attack.t1048 # an old one
-    - attack.t1048.003
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
 logsource:
     category: dns
 detection:
@@ -22,3 +15,10 @@ detection:
 falsepositives:
     - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
 level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004

rules/network/net_mal_dns_cobaltstrike.yml

@@ -2,15 +2,11 @@ title: Cobalt Strike DNS Beaconing
 id: 2975af79-28c4-4d2f-a951-9095f229df29
 status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
-references:
-    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 author: Florian Roth
 date: 2018/05/10
 modified: 2020/08/27
-tags:
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 logsource:
     category: dns
 detection:
@@ -22,4 +18,7 @@ detection:
 falsepositives:
     - Unknown
 level: high
-
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004

rules/network/net_susp_dns_b64_queries.yml

@@ -2,18 +2,11 @@ title: Suspicious DNS Query with B64 Encoded String
 id: 4153a907-2451-4e4f-a578-c52bb6881432
 status: experimental
 description: Detects suspicious DNS queries using base64 encoding
-references:
-    - https://github.com/krmaxwell/dns-exfiltration
 author: Florian Roth
 date: 2018/05/10
 modified: 2020/08/27
-tags:
-    - attack.exfiltration
-    - attack.t1048 # an old one
-    - attack.t1048.003
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
 logsource:
     category: dns
 detection:
@@ -23,4 +16,11 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: medium
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1048 # an old one
+    - attack.t1048.003
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -2,16 +2,12 @@ title: DNS TXT Answer with Possible Execution Strings
 id: 8ae51330-899c-4641-8125-e39f2e07da72
 status: experimental
 description: Detects strings used in command execution in DNS TXT Answer
-references:
-    - https://twitter.com/stvemillertime/status/1024707932447854592
-    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
-tags:
-    - attack.command_and_control
-    - attack.t1071 # an old one
-    - attack.t1071.004
 author: Markus Neis
 date: 2018/08/08
 modified: 2020/08/27
+references:
+    - https://twitter.com/stvemillertime/status/1024707932447854592
+    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
 logsource:
     category: dns
 detection:
@@ -25,3 +21,7 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004

rules/network/net_susp_network_scan.yml

@@ -1,12 +1,10 @@
 title: Network Scans
 id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
+status: experimental
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
 modified: 2020/08/27
-tags:
-    - attack.discovery
-    - attack.t1046
 logsource:
     category: firewall
 detection:
@@ -25,3 +23,6 @@ falsepositives:
     - Vulnerability scans
     - Penetration testing activity
 level: medium
+tags:
+    - attack.discovery
+    - attack.t1046

rules/network/net_susp_telegram_api.yml

@@ -2,18 +2,14 @@ title: Telegram Bot API Request
 id: c64c5175-5189-431b-a55e-6d9882158251
 status: experimental
 description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+author: Florian Roth
+date: 2018/06/05
+modified: 2020/08/27
 references:
     - https://core.telegram.org/bots/faq
     - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
     - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
     - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
-author: Florian Roth
-date: 2018/06/05
-modified: 2020/08/27
-tags:
-    - attack.command_and_control
-    - attack.t1102 # an old one
-    - attack.t1102.002
 logsource:
     category: dns
 detection:
@@ -23,4 +19,8 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of Telegram bots in the company
-level: medium
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1102 # an old one
+    - attack.t1102.002

rules/proxy/proxy_apt40.yml

@@ -2,18 +2,11 @@ title: APT40 Dropbox Tool User Agent
 id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
 status: experimental
 description: Detects suspicious user agent string of APT40 Dropbox tool
+author: Thomas Patzke
 references:
     - Internal research from Florian Roth
-author: Thomas Patzke
 date: 2019/11/12
 modified: 2020/09/02
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
-    - attack.exfiltration
-    - attack.t1567.002
-    - attack.t1048  # an old one 
 logsource:
     category: proxy
 detection:
@@ -27,3 +20,10 @@ fields:
 falsepositives:
     - Old browsers
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.exfiltration
+    - attack.t1567.002
+    - attack.t1048  # an old one 

rules/proxy/proxy_chafer_malware.yml

@@ -2,14 +2,10 @@ title: Chafer Malware URL Pattern
 id: fb502828-2db0-438e-93e6-801c7548686d
 status: experimental
 description: Detects HTTP requests used by Chafer malware
-references:
-    - https://securelist.com/chafer-used-remexi-malware/89538/
 author: Florian Roth
 date: 2019/01/31
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
+references:
+    - https://securelist.com/chafer-used-remexi-malware/89538/
 logsource:
     category: proxy
 detection:
@@ -23,3 +19,7 @@ fields:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one

rules/proxy/proxy_cobalt_amazon.yml

@@ -2,17 +2,12 @@ title: CobaltStrike Malleable Amazon Browsing Traffic Profile
 id: 953b895e-5cc9-454b-b183-7f3db555452e
 status: experimental
 description: Detects Malleable Amazon Profile
-references:
-  - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
-  - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
 modified: 2020/09/02
-tags:
-  - attack.defense_evasion
-  - attack.command_and_control
-  - attack.t1071.001
-  - attack.t1043  # an old one
+references:
+  - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+  - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 logsource:
   category: proxy
 detection:
@@ -31,3 +26,8 @@ detection:
 falsepositives:
   - Unknown
 level: high
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1043  # an old one

rules/proxy/proxy_cobalt_ocsp.yml

@@ -2,11 +2,11 @@ title: CobaltStrike Malleable (OCSP) Profile
 id: 37325383-740a-403d-b1a2-b2b4ab7992e7
 status: experimental
 description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
-references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
 modified: 2020/09/02
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
 tags:
     - attack.defense_evasion
     - attack.command_and_control

rules/proxy/proxy_cobalt_onedrive.yml

@@ -2,16 +2,11 @@ title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
 id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
 status: experimental
 description: Detects Malleable OneDrive Profile
-references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
 modified: 2020/09/02
-tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 logsource:
     category: proxy
 detection:
@@ -25,3 +20,8 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one

rules/proxy/proxy_download_susp_dyndns.yml

@@ -2,16 +2,11 @@ title: Download from Suspicious Dyndns Hosts
 id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-references:
-    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 modified: 2020/09/03
-tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.t1105
-    - attack.t1568
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 logsource:
     category: proxy
 detection:
@@ -113,3 +108,8 @@ fields:
 falsepositives:
     - Software downloads
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1105
+    - attack.t1568

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -2,21 +2,14 @@ title: Download from Suspicious TLD
 id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs
+author: Florian Roth
+date: 2017/11/07
+modified: 2020/09/03
 references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/
     - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-author: Florian Roth
-date: 2017/11/07
-modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1566
-    - attack.execution
-    - attack.t1203
-    - attack.t1204.002
-    - attack.t1204  # an old one
 logsource:
     category: proxy
 detection:
@@ -114,3 +107,10 @@ fields:
 falsepositives:
     - All kinds of software downloads
 level: low
+tags:
+    - attack.initial_access
+    - attack.t1566
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -5,13 +5,6 @@ description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
 date: 2017/03/13
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1566
-    - attack.execution
-    - attack.t1203
-    - attack.t1204.002
-    - attack.t1204  # an old one
 logsource:
     category: proxy
 detection:
@@ -63,3 +56,10 @@ fields:
 falsepositives:
     - All kind of software downloads
 level: low
+tags:
+    - attack.initial_access
+    - attack.t1566
+    - attack.execution
+    - attack.t1203
+    - attack.t1204.002
+    - attack.t1204  # an old one

rules/proxy/proxy_downloadcradle_webdav.yml

@@ -2,15 +2,11 @@ title: Windows WebDAV User Agent
 id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
 status: experimental
 description: Detects WebDav DownloadCradle
-references:
-    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
 date: 2018/04/06
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 logsource:
     category: proxy
 detection:
@@ -28,3 +24,7 @@ falsepositives:
     - Administrative scripts that retrieve certain website contents
     - Legitimate WebDAV administration
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one

rules/proxy/proxy_empire_ua_uri_combos.yml

@@ -2,16 +2,11 @@ title: Empire UserAgent URI Combo
 id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
 status: experimental
 description: Detects user agent and URI paths used by empire agents
-references:
-    - https://github.com/BC-SECURITY/Empire
 author: Florian Roth
 date: 2020/07/13
 modified: 2020/09/03
-tags:
-  - attack.defense_evasion
-  - attack.command_and_control
-  - attack.t1071.001
-  - attack.t1043  # an old one
+references:
+    - https://github.com/BC-SECURITY/Empire
 logsource:
     category: proxy
 detection:
@@ -29,3 +24,8 @@ fields:
 falsepositives:
     - Valid requests with this exact user agent to server scripts of the defined names
 level: high
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1043  # an old one

rules/proxy/proxy_empty_ua.yml

@@ -2,15 +2,11 @@ title: Empty User Agent
 id: 21e44d78-95e7-421b-a464-ffd8395659c4
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-references:
-    - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 date: 2017/07/08
 modified: 2020/09/03
-tags:
-  - attack.defense_evasion
-  - attack.command_and_control
-  - attack.t1071.001
+references:
+    - https://twitter.com/Carlos_Perez/status/883455096645931008
 logsource:
     category: proxy
 detection:
@@ -25,3 +21,7 @@ fields:
 falsepositives:
     - Unknown
 level: medium
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001

rules/proxy/proxy_ios_implant.yml

@@ -2,22 +2,12 @@ title: iOS Implant URL Pattern
 id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
 status: experimental
 description: Detects URL pattern used by iOS Implant
-references:
-    - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
-    - https://twitter.com/craiu/status/1167358457344925696
 author: Florian Roth
 date: 2019/08/30
 modified: 2020/09/03
-tags:
-    - attack.execution
-    - attack.t1203
-    - attack.collection
-    - attack.t1005
-    - attack.t1119
-    - attack.credential_access
-    - attack.t1528
-    - attack.t1552.001
-    - attack.t1081  # an old one
+references:
+    - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
+    - https://twitter.com/craiu/status/1167358457344925696
 logsource:
     category: proxy
 detection:
@@ -31,3 +21,13 @@ fields:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.execution
+    - attack.t1203
+    - attack.collection
+    - attack.t1005
+    - attack.t1119
+    - attack.credential_access
+    - attack.t1528
+    - attack.t1552.001
+    - attack.t1081  # an old one

rules/proxy/proxy_powershell_ua.yml

@@ -2,15 +2,11 @@ title: Windows PowerShell User Agent
 id: c8557060-9221-4448-8794-96320e6f3e74
 status: experimental
 description: Detects Windows PowerShell Web Access
-references:
-    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 date: 2017/03/13
 modified: 2020/09/03
-tags:
-  - attack.defense_evasion
-  - attack.command_and_control
-  - attack.t1071.001
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 logsource:
     category: proxy
 detection:
@@ -25,3 +21,7 @@ falsepositives:
     - Administrative scripts that download files from the Internet
     - Administrative scripts that retrieve certain website contents
 level: medium
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001

rules/proxy/proxy_pwndrop.yml

@@ -2,18 +2,11 @@ title: PwnDrp Access
 id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
 status: experimental
 description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
-references:
-    - https://breakdev.org/pwndrop/
 author: Florian Roth
 date: 2020/04/15
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
-    - attack.t1102.001
-    - attack.t1102.003
-    - attack.t1102  # an old one
+references:
+    - https://breakdev.org/pwndrop/
 logsource:
     category: proxy
 detection:
@@ -27,3 +20,10 @@ fields:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.001
+    - attack.t1102.003
+    - attack.t1102  # an old one

rules/proxy/proxy_raw_paste_service_access.yml

@@ -2,19 +2,11 @@ title: Raw Paste Service Access
 id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
 status: experimental
 description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
-references:
-    - https://www.virustotal.com/gui/domain/paste.ee/relations
 author: Florian Roth
 date: 2019/12/05
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
-    - attack.t1102.001
-    - attack.t1102.003
-    - attack.defense_evasion
-    - attack.t1102  # an old one
+references:
+    - https://www.virustotal.com/gui/domain/paste.ee/relations
 logsource:
     category: proxy
 detection:
@@ -32,3 +24,11 @@ fields:
 falsepositives:
     - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.001
+    - attack.t1102.003
+    - attack.defense_evasion
+    - attack.t1102  # an old one

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -2,19 +2,10 @@ title: Flash Player Update from Suspicious Location
 id: 4922a5dd-6743-4fc2-8e81-144374280997
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-references:
-    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 date: 2017/10/25
-tags:
-    - attack.initial_access
-    - attack.t1189
-    - attack.execution
-    - attack.t1204.002
-    - attack.t1204  # an old one
-    - attack.defense_evasion
-    - attack.t1036.005
-    - attack.t1036  # an old one
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 logsource:
     category: proxy
 detection:
@@ -28,3 +19,12 @@ detection:
 falsepositives:
     - Unknown flash download locations
 level: high
+tags:
+    - attack.initial_access
+    - attack.t1189
+    - attack.execution
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.defense_evasion
+    - attack.t1036.005
+    - attack.t1036  # an old one

rules/proxy/proxy_telegram_api.yml

@@ -2,20 +2,13 @@ title: Telegram API Access
 id: b494b165-6634-483d-8c47-2026a6c52372
 status: experimental
 description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+author: Florian Roth
+date: 2018/06/05
+modified: 2020/09/03
 references:
     - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
     - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
     - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
-author: Florian Roth
-date: 2018/06/05
-modified: 2020/09/03
-tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
-    - attack.t1102.002
-    - attack.t1102  # an old one
 logsource:
     category: proxy
 detection:
@@ -35,4 +28,10 @@ fields:
 falsepositives:
     - Legitimate use of Telegram bots in the company
 level: medium
-
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.t1102.002
+    - attack.t1102  # an old one

rules/proxy/proxy_turla_comrat.yml

@@ -2,17 +2,11 @@ title: Turla ComRAT
 id: 7857f021-007f-4928-8b2c-7aedbe64bb82
 status: experimental
 description: Detects Turla ComRAT patterns
-references:
-    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth
 date: 2020/05/26
 modified: 2020/09/03
-tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.t1043  # an old one
-    - attack.g0010
+references:
+    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 logsource:
     category: proxy
 detection:
@@ -22,3 +16,9 @@ detection:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.t1043  # an old one
+    - attack.g0010

rules/proxy/proxy_ua_apt.yml

@@ -2,14 +2,11 @@ title: APT User Agent
 id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-references:
-    - Internal Research
 author: Florian Roth, Markus Neis
 date: 2019/11/12
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
+references:
+    - Internal Research
 logsource:
     category: proxy
 detection:
@@ -59,3 +56,6 @@ fields:
 falsepositives:
     - Old browsers
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001

rules/proxy/proxy_ua_bitsadmin_susp_tld.yml

@@ -5,13 +5,6 @@ description: Detects Bitsadmin connections to domains with uncommon TLDs - https
 author: Florian Roth
 date: 2019/03/07
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
-    - attack.defense_evasion
-    - attack.persistence
-    - attack.t1197
-    - attack.s0190
 logsource:
     category: proxy
 detection:
@@ -31,3 +24,10 @@ fields:
 falsepositives:
     - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1197
+    - attack.s0190

rules/proxy/proxy_ua_cryptominer.yml

@@ -2,15 +2,12 @@ title: Crypto Miner User Agent
 id: fa935401-513b-467b-81f4-f9e77aa0dd78
 status: experimental
 description: Detects suspicious user agent strings used by crypto miners in proxy logs
-references:
-    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
-    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 author: Florian Roth
 date: 2019/10/21
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
+references:
+    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
+    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 logsource:
     category: proxy
 detection:
@@ -28,3 +25,6 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001

rules/proxy/proxy_ua_frameworks.yml

@@ -2,14 +2,11 @@ title: Exploit Framework User Agent
 id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-references:
-    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 date: 2017/07/08
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
+references:
+    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 logsource:
     category: proxy
 detection:
@@ -56,3 +53,6 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001

rules/proxy/proxy_ua_hacktool.yml

@@ -2,17 +2,12 @@ title: Hack Tool User Agent
 id: c42a3073-30fb-48ae-8c99-c23ada84b103
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-references:
-    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
-    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
 date: 2017/07/08
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1190
-    - attack.credential_access
-    - attack.t1110
+references:
+    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
+    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 logsource:
     category: proxy
 detection:
@@ -77,3 +72,8 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - attack.credential_access
+    - attack.t1110

rules/proxy/proxy_ua_malware.yml

@@ -2,18 +2,15 @@ title: Malware User Agent
 id: 5c84856b-55a5-45f1-826f-13f37250cf4e
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
+author: Florian Roth
+date: 2017/07/08
+modified: 2020/09/03
 references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
     - https://perishablepress.com/blacklist/ua-2013.txt
     - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
-author: Florian Roth
-date: 2017/07/08
-modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
 logsource:
     category: proxy
 detection:
@@ -82,3 +79,6 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001

rules/proxy/proxy_ua_suspicious.yml

@@ -2,14 +2,11 @@ title: Suspicious User Agent
 id: 7195a772-4b3f-43a4-a210-6a003d65caa1
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-references:
-    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 date: 2017/07/08
 modified: 2020/09/03
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
+references:
+    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 logsource:
     category: proxy
 detection:
@@ -41,3 +38,6 @@ fields:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.command_and_control
+    - attack.t1071.001

rules/proxy/proxy_ursnif_malware.yml

@@ -5,15 +5,6 @@ description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1566.001
-    - attack.t1193  # an old one
-    - attack.execution
-    - attack.t1204.002
-    - attack.t1204  # an old one
-    - attack.command_and_control
-    - attack.t1071.001
 logsource:
   category: proxy
 detection:
@@ -63,3 +54,12 @@ fields:
 falsepositives:
   - Unknown
 level: critical
+tags:
+    - attack.initial_access
+    - attack.t1566.001
+    - attack.t1193  # an old one
+    - attack.execution
+    - attack.t1204.002
+    - attack.t1204  # an old one
+    - attack.command_and_control
+    - attack.t1071.001

rules/web/web_apache_segfault.yml

@@ -4,10 +4,6 @@ description: Detects a segmentation fault error message caused by a creashing ap
 author: Florian Roth
 date: 2017/02/28
 modified: 2020/09/03
-tags:
-    - attack.impact
-    - attack.t1499 # an old one
-    - attack.t1499.004
 references:
     - http://www.securityfocus.com/infocus/1633
 logsource:
@@ -19,3 +15,7 @@ detection:
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.impact
+    - attack.t1499 # an old one
+    - attack.t1499.004

rules/web/web_citrix_cve_2019_19781_exploit.yml

@@ -1,19 +1,16 @@
 title: Citrix Netscaler Attack CVE-2019-19781
-description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
 id: ac5a6409-8c89-44c2-8d64-668c29a2d756
+status: experimental
+description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
+author: Arnim Rupp, Florian Roth
+date: 2020/01/02
+modified: 2020/09/03
 references:
     - https://support.citrix.com/article/CTX267679
     - https://support.citrix.com/article/CTX267027
     - https://isc.sans.edu/diary/25686
     - https://twitter.com/mpgn_x64/status/1216787131210829826
     - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
-author: Arnim Rupp, Florian Roth
-status: experimental
-date: 2020/01/02
-modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1190
 logsource:
     category: webserver
     definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
@@ -32,4 +29,6 @@ fields:
 falsepositives:
     - Unknown
 level: critical
-
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_citrix_cve_2020_8193_8195_exploit.yml

@@ -1,16 +1,13 @@
 title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
 description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
 id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
+author: Florian Roth
+status: experimental
+date: 2020/07/10
 references:
     - https://support.citrix.com/article/CTX276688
     - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
     - https://dmaasland.github.io/posts/citrix.html
-author: Florian Roth
-status: experimental
-date: 2020/07/10
-tags:
-    - attack.initial_access
-    - attack.t1190
 logsource:
     category: webserver
 detection:
@@ -31,4 +28,6 @@ fields:
 falsepositives:
     - Unknown
 level: critical
-
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -1,10 +1,10 @@
 title: Oracle WebLogic Exploit
 id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
+status: experimental
 description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
 author: Florian Roth
 date: 2018/07/22
 modified: 2020/09/03
-status: experimental
 references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
     - https://twitter.com/pyn3rd/status/1020620932967223296
@@ -21,6 +21,7 @@ fields:
     - c-dns
 falsepositives:
     - Unknown
+level: critical
 tags:
     - attack.t1100 # an old one
     - attack.t1190
@@ -28,5 +29,3 @@ tags:
     - attack.persistence
     - cve.2018-2894
     - attack.t1505.003
-level: critical
-

rules/web/web_cve_2019_3398_confluence.yml

@@ -2,13 +2,10 @@ title: Confluence Exploitation CVE-2019-3398
 id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
 status: experimental
 description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398 
-references:
-    - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
 author: Florian Roth
 date: 2020/05/26
-tags:
-    - attack.initial_access
-    - attack.t1190
+references:
+    - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
 logsource:
     category: webserver
 detection:
@@ -24,4 +21,6 @@ fields:
 falsepositives:
     - Unknown
 level: critical
-
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_cve_2020_0688_msexchange.yml

@@ -2,10 +2,10 @@ title: CVE-2020-0688 Exchange Exploitation via Web Log
 id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
 status: experimental
 description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 
-references:
-    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
 author: Florian Roth
 date: 2020/02/29
+references:
+    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
 logsource:
     category: webserver
 detection:
@@ -22,8 +22,7 @@ fields:
     - c-dns
 falsepositives:
     - Unknown
+level: critical
 tags:
     - attack.initial_access
     - attack.t1190
-level: critical
-

rules/web/web_exchange_cve_2020_0688_exploit.yml

@@ -2,14 +2,11 @@ title: CVE-2020-0688 Exploitation Attempt
 id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a
 status: experimental
 description: Detects CVE-2020-0688 Exploitation attempts
-references:
-  - https://github.com/Ridter/cve-2020-0688
 author: NVISO
 date: 2020/02/27
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1190
+references:
+  - https://github.com/Ridter/cve-2020-0688
 logsource:
   category: webserver
 detection:
@@ -22,3 +19,6 @@ detection:
 falsepositives:
   - Unknown
 level: high
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_multiple_suspicious_resp_codes_single_source.yml

@@ -1,12 +1,10 @@
 title: Multiple Suspicious Resp Codes Caused by Single Client
 id: 6fdfc796-06b3-46e8-af08-58f3505318af
+status: experimental
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
 date: 2017/02/19
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1190
 logsource:
     category: webserver
 detection:
@@ -27,3 +25,6 @@ falsepositives:
     - Unstable application
     - Application that misuses the response codes
 level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_pulsesecure_cve-2019-11510.yml

@@ -1,14 +1,12 @@
 title: Pulse Secure Attack CVE-2019-11510
 id: 2dbc10d7-a797-49a8-8776-49efa6442e60
+status: experimental
 description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
-references:
-    - https://www.exploit-db.com/exploits/47297
 author: Florian Roth
 date: 2019/11/18
 modified: 2020/09/03
-tags:
-    - attack.initial_access
-    - attack.t1190
+references:
+    - https://www.exploit-db.com/exploits/47297
 logsource:
     category: webserver
 detection:
@@ -23,3 +21,6 @@ fields:
 falsepositives:
     - Unknown
 level: critical
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_source_code_enumeration.yml

@@ -1,12 +1,10 @@
 title: Source Code Enumeration Detection by Keyword
 id: 953d460b-f810-420a-97a2-cfca4c98e602
+status: experimental
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
 date: 2019/06/08
 modified: 2020/09/03
-tags:
-    - attack.discovery
-    - attack.t1083
 references:
     - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
     - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
@@ -24,3 +22,6 @@ fields:
 falsepositives:
     - unknown
 level: medium
+tags:
+    - attack.discovery
+    - attack.t1083

rules/web/web_webshell_keyword.yml

@@ -1,13 +1,10 @@
 title: Webshell Detection by Keyword
 id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
+status: experimental
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 date: 2017/02/19
 modified: 2020/09/03
-tags:
-    - attack.persistence
-    - attack.t1100 # an old one
-    - attack.t1505.003
 logsource:
     category: webserver
 detection:
@@ -25,3 +22,7 @@ falsepositives:
     - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
     - User searches in search boxes of the respective website
 level: high
+tags:
+    - attack.persistence
+    - attack.t1100 # an old one
+    - attack.t1505.003

rules/web/win_webshell_regeorg.yml

@@ -3,15 +3,11 @@ id: 2ea44a60-cfda-11ea-87d0-0242ac130003
 status: experimental
 description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
 author: Cian Heasley
+date: 2020/08/04
+modified: 2020/09/03
 reference:
     - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
     - https://github.com/sensepost/reGeorg
-date: 2020/08/04
-modified: 2020/09/03
-tags:
-    - attack.persistence
-    - attack.t1100
-    - attack.t1505.003
 logsource:
     category: webserver
 detection:
@@ -35,3 +31,7 @@ fields:
 falsepositives:
     - web applications that use the same URL parameters as ReGeorg
 level: high
+tags:
+    - attack.persistence
+    - attack.t1100
+    - attack.t1505.003