Carbonblack, Arcsight ESM, Elastic Rule

2024-11-07 01:45:21 +00:00 · 2020-02-24 19:29:45 +02:00 · 2020-02-24 19:29:45 +02:00 · 5dc30bd388
commit 5dc30bd388
parent 516e61fdb0 91d1586b97
412 changed files with 11765 additions and 614 deletions
--- a/.gitignore
+++ b/.gitignore
@ -91,3 +91,6 @@ ENV/
 # vi(m)
 *.swp
 settings.json
 # VisualStudio
 .vs/
--- a/.travis.yml
+++ b/.travis.yml
@ -1,9 +1,9 @@
 language: python
 dist: xenial
 python:
-  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
+    # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
-  - 3.6
+    - 3.6
-  - 3.7
+    - 3.7
 sudo: true
 services:
    - elasticsearch
@ -11,14 +11,15 @@ cache: pip
 before_install:
    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
-  - pip install -r tools/requirements-devel.txt 
+    - pip install -r tools/requirements-devel.txt
    - pip install -r tests/requirements-test.txt 
 script:
-  - make test
+    - make test
-  - make test-backend-es-qs
+    - make test-backend-es-qs
 notifications:
-  email:
+    email:
-    recipients:
+        recipients:
-      - venom14@gmail.com
+            - venom14@gmail.com
-      - thomas@patzke.org
+            - thomas@patzke.org
-    on_success: change
+        on_success: change
-    on_failure: always
+        on_failure: always
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,11 @@ from version 0.14.0.
 * False positives metadata to LimaCharlie backend
 * Additional aggregation capabilitied for es-dsl backend.
 ### Changed
 * Kibana object id is now Sigma rule id if available. Else
  the old naming scheme is used.
 ## 0.15.0 - 2019-12-06
 ### Added
@ -117,4 +122,4 @@ from version 0.14.0.
 * Conditions in es-dsl backend
 * Sumologic handling of null values
-* Ignore timeframe detection keyword in all/any of conditions
+* Ignore timeframe detection keyword in all/any of conditions
--- a/2
+++ b/2
@ -35,6 +35,7 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
@ -44,6 +45,7 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -O rulecomment -c sysmon rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
--- a/1
+++ b/1
@ -13,6 +13,7 @@ elasticsearch-async = "*"
 pymisp = "*"
 PyYAML = ">=3.11"
 progressbar2 = "*"
 colorama = "*"
 [requires]
 python_version = "3.6"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "f3f1c14d8b9cfcd5608e018017012b8712a94fb7a56f633ae179bd3451d636fb"
+            "sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
        },
        "pipfile-spec": 6,
        "requires": {
@ -49,10 +49,10 @@
        },
        "certifi": {
            "hashes": [
-                "sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50",
+                "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
-                "sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef"
+                "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
            ],
-            "version": "==2019.9.11"
+            "version": "==2019.11.28"
        },
        "chardet": {
            "hashes": [
@ -61,58 +61,65 @@
            ],
            "version": "==3.0.4"
        },
-        "coverage": {
+        "colorama": {
            "hashes": [
-                "sha256:08907593569fe59baca0bf152c43f3863201efb6113ecb38ce7e97ce339805a6",
+                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
-                "sha256:0be0f1ed45fc0c185cfd4ecc19a1d6532d72f86a2bac9de7e24541febad72650",
+                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
                "sha256:141f08ed3c4b1847015e2cd62ec06d35e67a3ac185c26f7635f4406b90afa9c5",
                "sha256:19e4df788a0581238e9390c85a7a09af39c7b539b29f25c89209e6c3e371270d",
                "sha256:23cc09ed395b03424d1ae30dcc292615c1372bfba7141eb85e11e50efaa6b351",
                "sha256:245388cda02af78276b479f299bbf3783ef0a6a6273037d7c60dc73b8d8d7755",
                "sha256:331cb5115673a20fb131dadd22f5bcaf7677ef758741312bee4937d71a14b2ef",
                "sha256:386e2e4090f0bc5df274e720105c342263423e77ee8826002dcffe0c9533dbca",
                "sha256:3a794ce50daee01c74a494919d5ebdc23d58873747fa0e288318728533a3e1ca",
                "sha256:60851187677b24c6085248f0a0b9b98d49cba7ecc7ec60ba6b9d2e5574ac1ee9",
                "sha256:63a9a5fc43b58735f65ed63d2cf43508f462dc49857da70b8980ad78d41d52fc",
                "sha256:6b62544bb68106e3f00b21c8930e83e584fdca005d4fffd29bb39fb3ffa03cb5",
                "sha256:6ba744056423ef8d450cf627289166da65903885272055fb4b5e113137cfa14f",
                "sha256:7494b0b0274c5072bddbfd5b4a6c6f18fbbe1ab1d22a41e99cd2d00c8f96ecfe",
                "sha256:826f32b9547c8091679ff292a82aca9c7b9650f9fda3e2ca6bf2ac905b7ce888",
                "sha256:93715dffbcd0678057f947f496484e906bf9509f5c1c38fc9ba3922893cda5f5",
                "sha256:9a334d6c83dfeadae576b4d633a71620d40d1c379129d587faa42ee3e2a85cce",
                "sha256:af7ed8a8aa6957aac47b4268631fa1df984643f07ef00acd374e456364b373f5",
                "sha256:bf0a7aed7f5521c7ca67febd57db473af4762b9622254291fbcbb8cd0ba5e33e",
                "sha256:bf1ef9eb901113a9805287e090452c05547578eaab1b62e4ad456fcc049a9b7e",
                "sha256:c0afd27bc0e307a1ffc04ca5ec010a290e49e3afbe841c5cafc5c5a80ecd81c9",
                "sha256:dd579709a87092c6dbee09d1b7cfa81831040705ffa12a1b248935274aee0437",
                "sha256:df6712284b2e44a065097846488f66840445eb987eb81b3cc6e4149e7b6982e1",
                "sha256:e07d9f1a23e9e93ab5c62902833bf3e4b1f65502927379148b6622686223125c",
                "sha256:e2ede7c1d45e65e209d6093b762e98e8318ddeff95317d07a27a2140b80cfd24",
                "sha256:e4ef9c164eb55123c62411f5936b5c2e521b12356037b6e1c2617cef45523d47",
                "sha256:eca2b7343524e7ba246cab8ff00cab47a2d6d54ada3b02772e908a45675722e2",
                "sha256:eee64c616adeff7db37cc37da4180a3a5b6177f5c46b187894e633f088fb5b28",
                "sha256:ef824cad1f980d27f26166f86856efe11eff9912c4fed97d3804820d43fa550c",
                "sha256:efc89291bd5a08855829a3c522df16d856455297cf35ae827a37edac45f466a7",
                "sha256:fa964bae817babece5aa2e8c1af841bebb6d0b9add8e637548809d040443fee0",
                "sha256:ff37757e068ae606659c28c3bd0d923f9d29a85de79bf25b2b34b148473b5025"
            ],
            "index": "pypi",
-            "version": "==4.5.4"
+            "version": "==0.4.3"
        },
        "coverage": {
            "hashes": [
                "sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
                "sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
                "sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
                "sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
                "sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
                "sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
                "sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
                "sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
                "sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
                "sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
                "sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
                "sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
                "sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
                "sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
                "sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
                "sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
                "sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
                "sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
                "sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
                "sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
                "sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
                "sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
                "sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
                "sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
                "sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
                "sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
                "sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
                "sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
                "sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
                "sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
                "sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
            ],
            "index": "pypi",
            "version": "==5.0.3"
        },
        "deprecated": {
            "hashes": [
-                "sha256:a515c4cf75061552e0284d123c3066fbbe398952c87333a92b8fc3dd8e4f9cc1",
+                "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
-                "sha256:b07b414c8aac88f60c1d837d21def7e83ba711052e03b3cbaff27972567a8f8d"
+                "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
            ],
-            "version": "==1.2.6"
+            "version": "==1.2.7"
        },
        "elasticsearch": {
            "hashes": [
-                "sha256:693935914d59a517dfffdaab547ff906712a386d9e25027517464960221cbd4c",
+                "sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
-                "sha256:7644fa0a9ae524344185bda561826a781a5c6bd4d3eb98a24515c567aab88327"
+                "sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
            ],
            "index": "pypi",
-            "version": "==7.0.5"
+            "version": "==7.5.1"
        },
        "elasticsearch-async": {
            "hashes": [
@ -138,64 +145,47 @@
        },
        "importlib-metadata": {
            "hashes": [
-                "sha256:aa18d7378b00b40847790e7c27e11673d7fed219354109d0e7b9e5b25dc3ad26",
+                "sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
-                "sha256:d5f18a79777f3aa179c145737780282e27b508fc8fd688cb17c7a813e8bd39af"
+                "sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
            ],
-            "version": "==0.23"
+            "markers": "python_version < '3.8'",
            "version": "==1.5.0"
        },
        "jsonschema": {
            "hashes": [
-                "sha256:2fa0684276b6333ff3c0b1b27081f4b2305f0a36cf702a23db50edb141893c3f",
+                "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
-                "sha256:94c0a13b4a0616458b42529091624e66700a17f847453e52279e35509a5b7631"
+                "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
            ],
-            "version": "==3.1.1"
+            "version": "==3.2.0"
        },
        "more-itertools": {
            "hashes": [
                "sha256:409cd48d4db7052af495b09dec721011634af3753ae1ef92d2b32f73a745f832",
                "sha256:92b8c4b06dac4f0611c0729b2f2ede52b2e1bac1ab48f089c7ddc12e26bb60c4"
            ],
            "version": "==7.2.0"
        },
        "multidict": {
            "hashes": [
-                "sha256:024b8129695a952ebd93373e45b5d341dbb87c17ce49637b34000093f243dd4f",
+                "sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
-                "sha256:041e9442b11409be5e4fc8b6a97e4bcead758ab1e11768d1e69160bdde18acc3",
+                "sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
-                "sha256:045b4dd0e5f6121e6f314d81759abd2c257db4634260abcfe0d3f7083c4908ef",
+                "sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
-                "sha256:047c0a04e382ef8bd74b0de01407e8d8632d7d1b4db6f2561106af812a68741b",
+                "sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
-                "sha256:068167c2d7bbeebd359665ac4fff756be5ffac9cda02375b5c5a7c4777038e73",
+                "sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
-                "sha256:148ff60e0fffa2f5fad2eb25aae7bef23d8f3b8bdaf947a65cdbe84a978092bc",
+                "sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
-                "sha256:1d1c77013a259971a72ddaa83b9f42c80a93ff12df6a4723be99d858fa30bee3",
+                "sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
-                "sha256:1d48bc124a6b7a55006d97917f695effa9725d05abe8ee78fd60d6588b8344cd",
+                "sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
-                "sha256:31dfa2fc323097f8ad7acd41aa38d7c614dd1960ac6681745b6da124093dc351",
+                "sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
-                "sha256:34f82db7f80c49f38b032c5abb605c458bac997a6c3142e0d6c130be6fb2b941",
+                "sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
-                "sha256:3d5dd8e5998fb4ace04789d1d008e2bb532de501218519d70bb672c4c5a2fc5d",
+                "sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
-                "sha256:4a6ae52bd3ee41ee0f3acf4c60ceb3f44e0e3bc52ab7da1c2b2aa6703363a3d1",
+                "sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
-                "sha256:4b02a3b2a2f01d0490dd39321c74273fed0568568ea0e7ea23e02bd1fb10a10b",
+                "sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
-                "sha256:4b843f8e1dd6a3195679d9838eb4670222e8b8d01bc36c9894d6c3538316fa0a",
+                "sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
-                "sha256:5de53a28f40ef3c4fd57aeab6b590c2c663de87a5af76136ced519923d3efbb3",
+                "sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
-                "sha256:61b2b33ede821b94fa99ce0b09c9ece049c7067a33b279f343adfe35108a4ea7",
+                "sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
-                "sha256:6a3a9b0f45fd75dc05d8e93dc21b18fc1670135ec9544d1ad4acbcf6b86781d0",
+                "sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
                "sha256:76ad8e4c69dadbb31bad17c16baee61c0d1a4a73bed2590b741b2e1a46d3edd0",
                "sha256:7ba19b777dc00194d1b473180d4ca89a054dd18de27d0ee2e42a103ec9b7d014",
                "sha256:7c1b7eab7a49aa96f3db1f716f0113a8a2e93c7375dd3d5d21c4941f1405c9c5",
                "sha256:7fc0eee3046041387cbace9314926aa48b681202f8897f8bff3809967a049036",
                "sha256:8ccd1c5fff1aa1427100ce188557fc31f1e0a383ad8ec42c559aabd4ff08802d",
                "sha256:8e08dd76de80539d613654915a2f5196dbccc67448df291e69a88712ea21e24a",
                "sha256:c18498c50c59263841862ea0501da9f2b3659c00db54abfbf823a80787fde8ce",
                "sha256:c49db89d602c24928e68c0d510f4fcf8989d77defd01c973d6cbe27e684833b1",
                "sha256:ce20044d0317649ddbb4e54dab3c1bcc7483c78c27d3f58ab3d0c7e6bc60d26a",
                "sha256:d1071414dd06ca2eafa90c85a079169bfeb0e5f57fd0b45d44c092546fcd6fd9",
                "sha256:d3be11ac43ab1a3e979dac80843b42226d5d3cccd3986f2e03152720a4297cd7",
                "sha256:db603a1c235d110c860d5f39988ebc8218ee028f07a7cbc056ba6424372ca31b"
            ],
-            "version": "==4.5.2"
+            "version": "==4.7.4"
        },
        "pathspec": {
            "hashes": [
-                "sha256:e285ccc8b0785beadd4c18e5708b12bb8fcf529a1e61215b3feff1d1e559ea5c"
+                "sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
                "sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
            ],
-            "version": "==0.6.0"
+            "version": "==0.7.0"
        },
        "progressbar2": {
            "hashes": [
@ -207,18 +197,17 @@
        },
        "pymisp": {
            "hashes": [
-                "sha256:17b145dbc39a1ba4ebce60e8b75a479d2c8fd3c2a239f32682f2e1a3636469ec",
+                "sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
-                "sha256:814023f346f9e1dcf6763d93450df44ff0157f2061c612a7eaf2020280f588a3",
+                "sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
                "sha256:de67196f6a8916b9c52a84a1c45ea967c53fa9d2b3795b070ad2c1cbc28d79d7"
            ],
            "index": "pypi",
-            "version": "==2.4.117.2"
+            "version": "==2.4.120"
        },
        "pyrsistent": {
            "hashes": [
-                "sha256:eb6545dbeb1aa69ab1fb4809bfbf5a8705e44d92ef8fc7c2361682a47c46c778"
+                "sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
            ],
-            "version": "==0.15.5"
+            "version": "==0.15.7"
        },
        "python-dateutil": {
            "hashes": [
@ -236,22 +225,20 @@
        },
        "pyyaml": {
            "hashes": [
-                "sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9",
+                "sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
-                "sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4",
+                "sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
-                "sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8",
+                "sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
-                "sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696",
+                "sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
-                "sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34",
+                "sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
-                "sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9",
+                "sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
-                "sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73",
+                "sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
-                "sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299",
+                "sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
-                "sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b",
+                "sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
-                "sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae",
+                "sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
-                "sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681",
+                "sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
                "sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41",
                "sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8"
            ],
            "index": "pypi",
-            "version": "==5.1.2"
+            "version": "==5.3"
        },
        "requests": {
            "hashes": [
@ -262,10 +249,10 @@
        },
        "six": {
            "hashes": [
-                "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd",
+                "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
-                "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"
+                "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
            ],
-            "version": "==1.13.0"
+            "version": "==1.14.0"
        },
        "typing-extensions": {
            "hashes": [
@ -278,10 +265,10 @@
        },
        "urllib3": {
            "hashes": [
-                "sha256:3de946ffbed6e6746608990594d08faac602528ac7015ac28d33cee6a45b7398",
+                "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
-                "sha256:9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86"
+                "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
            ],
-            "version": "==1.25.6"
+            "version": "==1.25.8"
        },
        "wrapt": {
            "hashes": [
@ -291,34 +278,40 @@
        },
        "yamllint": {
            "hashes": [
-                "sha256:24f05b7ff1a604120eeb5ff7afb7ed8792253bfa96ee83db9cec6d5c20feaf64",
+                "sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
-                "sha256:d42dbb35b3d28722a8c5c25de4593add0a6215b2732eb6932d89f38482c3d01c"
+                "sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
            ],
            "index": "pypi",
-            "version": "==1.18.0"
+            "version": "==1.20.0"
        },
        "yarl": {
            "hashes": [
-                "sha256:024ecdc12bc02b321bc66b41327f930d1c2c543fa9a561b39861da9388ba7aa9",
+                "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
-                "sha256:2f3010703295fbe1aec51023740871e64bb9664c789cba5a6bdf404e93f7568f",
+                "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
-                "sha256:3890ab952d508523ef4881457c4099056546593fa05e93da84c7250516e632eb",
+                "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
-                "sha256:3e2724eb9af5dc41648e5bb304fcf4891adc33258c6e14e2a7414ea32541e320",
+                "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
-                "sha256:5badb97dd0abf26623a9982cd448ff12cb39b8e4c94032ccdedf22ce01a64842",
+                "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
-                "sha256:73f447d11b530d860ca1e6b582f947688286ad16ca42256413083d13f260b7a0",
+                "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
-                "sha256:7ab825726f2940c16d92aaec7d204cfc34ac26c0040da727cf8ba87255a33829",
+                "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
-                "sha256:b25de84a8c20540531526dfbb0e2d2b648c13fd5dd126728c496d7c3fea33310",
+                "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
-                "sha256:c6e341f5a6562af74ba55205dbd56d248daf1b5748ec48a0200ba227bb9e33f4",
+                "sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
-                "sha256:c9bb7c249c4432cd47e75af3864bc02d26c9594f49c82e2a28624417f0ae63b8",
+                "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
-                "sha256:e060906c0c585565c718d1c3841747b61c5439af2211e185f6739a9412dfbde1"
+                "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
                "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
                "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
                "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
                "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
                "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
                "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
            ],
-            "version": "==1.3.0"
+            "version": "==1.4.2"
        },
        "zipp": {
            "hashes": [
-                "sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e",
+                "sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
-                "sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335"
+                "sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
            ],
-            "version": "==0.6.0"
+            "version": "==2.1.0"
        }
    },
    "develop": {}
--- a/README.md
+++ b/README.md
@ -14,9 +14,9 @@ Sigma is for log files what [Snort](https://www.snort.org/) is for network traff
 This repository contains:
-* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
+1. Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
-* Open repository for sigma signatures in the `./rules`subfolder
+2. Open repository for sigma signatures in the `./rules` subfolder
-* A converter that generate searches/queries for different SIEM systems [work in progress]
+3. A converter named `sigmac` located in the `./tools/` sub folder that generates search queries for different SIEM systems from Sigma rules
 ![sigma_description](./images/Sigma-description.png)
@ -33,7 +33,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
 # Use Cases
 * Describe your detection method in Sigma to make it sharable
-* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Write your SIEM searches in Sigma to avoid a vendor lock-in
 * Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
 * Provide Sigma signatures for malicious behaviour in your own application
@ -154,12 +154,17 @@ optional arguments:
 #### Single Rule Translation
 Translate a single rule
 ```
-tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml
 ```
 #### Rule Set Translation
 Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
 ```
-tools/sigmac -I -t splunk -r rules/windows/sysmon/
+tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/
 ```
 #### Translate Only Rules of Level High or Critical
 Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`) and select only rules of level `high` and `critical`
 ```
 tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
 ```
 #### Rule Set Translation with Custom Config 
 Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
@ -300,6 +305,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
 * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
 # Contribution
--- a/rules-unsupported/net_dns_high_subdomain_rate.yml
+++ b/rules-unsupported/net_dns_high_subdomain_rate.yml
@ -0,0 +1,42 @@
 title: High DNS subdomain requests rate per domain
 id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
 description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 tags:
    - attack.exfiltration
    - attack.t1048
 logsource:
    category: dns
 detection:
    dns_question_name:
        query: "*"
    default_list_of_well_known_domains:
        query_etld_plus_one: 
            - "akadns.net"
            - "akamaiedge.net"
            - "amazonaws.com"
            - "apple.com"
            - "apple-dns.net"
            - "cloudfront.net"
            - "icloud.com"
            - "in-addr.arpa"
            - "google.com"
            - "yahoo.com"
            - "dropbox.com"
            - "windowsupdate.com"
            - "microsoftonline.com"
            - "s-microsoft.com"
            - "office365.com"
            - "linkedin.com"
    timeframe: 15m
    condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
    #    for each host in timeframe
    #                for each dns_question_etld_plus_one
    #                    if number of dns_question_name > 200
    #                        dns_question_etld_plus_one is not in default_list_of_well_known_domains
 falsepositives:
    - Legitimate domain name requested, which should be added to whitelist
 level: high
 status: experimental
--- a/rules-unsupported/net_dns_large_domain_name.yml
+++ b/rules-unsupported/net_dns_large_domain_name.yml
@ -0,0 +1,37 @@
 title: Large domain name request
 id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
 description: Detects large DNS domain names
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 tags:
    - attack.exfiltration
    - attack.t1048
 logsource:
    category: dns
 detection:
    selection:
        query_length: "> 70"              # IS MORE THAN 70 bytes
    default_list_of_well_known_domains:
        query_etld_plus_one:
            - "akadns.net"
            - "akamaiedge.net"
            - "amazonaws.com"
            - "apple.com"
            - "apple-dns.net"
            - "cloudfront.net"
            - "icloud.com"
            - "in-addr.arpa"
            - "google.com"
            - "yahoo.com"
            - "dropbox.com"
            - "windowsupdate.com"
            - "microsoftonline.com"
            - "s-microsoft.com"
            - "office365.com"
            - "linkedin.com"
    condition: selection and not default_list_of_well_known_domains
 falsepositives:
    - Legitimate domain name requested, which should be added to whitelist
 level: high
 status: experimental
--- a/rules-unsupported/net_possible_dns_rebinding.yml
+++ b/rules-unsupported/net_possible_dns_rebinding.yml
@ -0,0 +1,23 @@
 title: Possible DNS Rebinding
 id: ec5b8711-b550-4879-9660-568aaae2c3ea
 status: experimental
 description: 'Detects DNS-answer with TTL <10.'
 date: 2019/10/25
 author: Ilyas Ochkov, oscd.community
 references:
    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
 tags:
    - attack.command_and_control
    - attack.t1043
 logsource:
    product: dns
 detection:
    selection:
        answer: '*'
    filter1:
        ttl: '>0'
    filter2:
        ttl: '<10'
    timeframe: 30s
    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
 level: medium
--- a/rules-unsupported/sysmon_process_reimaging.yml
+++ b/rules-unsupported/sysmon_process_reimaging.yml
@ -0,0 +1,48 @@
 action: global
 title: Defense evasion via process reimaging
 id: 7fa4f550-850e-4117-b543-428c86ebb849
 description: Detects process reimaging defense evasion technique
 # where
 #             selection1: ImageFileName != selection1: OriginalFileName
 #             selection1: ParentProcessGuid = selection2: ProcessGuid
 #             selection1: Image = selection2: TargetFileName
 # and new field ImageFileName is coming from enrichment
 #             selection1: Image = ^.+\\<ImageFileName>$
 # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
 # Rule logic is currently not supported by SIGMA.
 # Sysmon v.10.0 or newer is required for proper detection.
 status: experimental
 author: Alexey Balandin, oscd.community
 references:
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
 tags:
    - attack.defense_evasion
 date: 2019/10/25
 detection:
    condition: all of them
 falsepositives:
    - unknown
 level: high
 ---
 logsource:
    product: windows
    service: sysmon
 detection:
    selection1:
        category: process_creation
 fields:
    - Image
    - OriginalFileName
    - ParentProcessGuid
 new_fields:
    - ImageFileName
 ---
 logsource:
    product: windows
    service: sysmon
 detection:
    selection2:
        EventID: 11
 fields:
    - ProcessGuid
    - TargetFileName
--- a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
@ -0,0 +1,34 @@
 title: Dumping ntds.dit remotely via DCSync
 id: 51238c62-2b29-4539-ad75-e94575368a12
 description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/24
 modified: 2019/11/13
 references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
    - attack.credential_access
    - attack.t1003
 logsource:
    product: windows
    service: security
 detection:
    selection1:
        EventID: 4624
        ComputerName: '%DomainControllersNamesList%'
    selection2:
        IpAddress: '%DomainControllersIpsList%'
    selection3:
        EventID: 4662
        ComputerName: '%DomainControllersNamesList%'
        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
        Properties|contains: 
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
 falsepositives:
    - Legitimate administrator adding new domain controller to already existing domain
 level: medium
 status: experimental
--- a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
@ -0,0 +1,30 @@
 title: Dumping ntds.dit remotely via NetSync
 id: 757b2a11-73e7-411a-bd46-141d906e0167
 description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
    - attack.credential_access
    - attack.t1003
 logsource:
    product: windows
    service: security
 detection:
    selection1:
        EventID: 4624
        ComputerName: '%DomainControllersNamesList%'
    selection2:
        IpAddress: '%DomainControllersIpsList%'
    selection3:
        EventID: 5145
        ComputerName: '%DomainControllersNamesList%'
        ShareName|contains: '\IPC$'
        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
        RelativeTargetName: 'netlogon'
    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
 falsepositives:
    - Legitimate administrator adding new domain controller to already existing domain
 level: medium
 status: experimental
--- a/rules/application/app_python_sql_exceptions.yml
+++ b/rules/application/app_python_sql_exceptions.yml
@ -2,6 +2,7 @@ title: Python SQL Exceptions
 id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 date: 2017/08/12
 references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@ -18,4 +19,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
--- a/rules/application/app_sqlinjection_errors.yml
+++ b/rules/application/app_sqlinjection_errors.yml
@ -3,6 +3,7 @@ id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
 date: 2017/11/27
 references:
    - http://www.sqlinjection.net/errors
 logsource:
--- a/rules/application/appframework_django_exceptions.yml
+++ b/rules/application/appframework_django_exceptions.yml
@ -1,7 +1,8 @@
-title: Django framework exceptions
+title: Django Framework Exceptions
 id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/05
 references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@ -29,4 +30,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
--- a/rules/application/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/appframework_ruby_on_rails_exceptions.yml
@ -1,7 +1,8 @@
-title: Ruby on Rails framework exceptions
+title: Ruby on Rails Framework Exceptions
 id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
 references:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
@ -22,4 +23,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
--- a/rules/application/appframework_spring_exceptions.yml
+++ b/rules/application/appframework_spring_exceptions.yml
@ -1,7 +1,8 @@
-title: Spring framework exceptions
+title: Spring Framework Exceptions
 id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 date: 2017/08/06
 references:
    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@ -21,4 +22,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
--- a/rules/apt/apt_silence_downloader_v3.yml
+++ b/rules/apt/apt_silence_downloader_v3.yml
@ -0,0 +1,33 @@
 title: Silence.Downloader V3
 id: 170901d1-de11-4de7-bccb-8fa13678d857
 status: experimental
 description: Detects Silence downloader. These commands are hardcoded into the binary.
 author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
 date: 2019/11/01
 modified: 2019/11/22
 tags:
    - attack.persistence
    - attack.g0091
 logsource:
    category: process_creation
    product: windows
 detection:
    selection_recon:
        Image|endswith:
            - '\tasklist.exe'
            - '\qwinsta.exe'
            - '\ipconfig.exe'
            - '\hostname.exe'
        CommandLine|contains: '>>'
        CommandLine|endswith: 'temps.dat'
    selection_persistence:
        CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
    condition: selection_recon | near selection_persistence # requires both
 fields:
    - ComputerName
    - User
    - Image
    - CommandLine
 falsepositives:
    - Unknown
 level: high
--- a/rules/apt/apt_silence_eda.yml
+++ b/rules/apt/apt_silence_eda.yml
@ -0,0 +1,34 @@
 title: Silence.EDA Detection
 id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
 status: experimental
 description: Detects Silence empireDNSagent
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
 modified: 2019/11/20
 tags:
    - attack.g0091
    - attack.s0363
 logsource:
    product: windows
    service: powershell
 detection:
    empire:
        ScriptBlockText|contains|all:           # better to randomise the order
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
         ScriptBlockText|contains|all:          # better to randomise the order
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
 falsepositives:
    - Unknown
 level: critical
--- a/rules/cloud/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml
@ -0,0 +1,24 @@
 title: AWS CloudTrail Important Change
 id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
 status: experimental
 author: vitaliy0x1
 date: 2020/01/21
 description: Detects disabling, deleting and updating of a Trail
 references:
  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
  service: cloudtrail
 detection:
  selection_source:
    - eventSource: cloudtrail.amazonaws.com
  events:
    - eventName:
        - StopLogging
        - UpdateTrail
        - DeleteTrail
  condition: selection_source AND events
 level: medium
 falsepositives:
    - Valid change in a Trail
 tags:
  - attack.t1089
--- a/rules/cloud/aws_config_disable_recording.yml
+++ b/rules/cloud/aws_config_disable_recording.yml
@ -0,0 +1,21 @@
 title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
 status: experimental
 author: vitaliy0x1
 date: 2020/01/21
 description: Detects AWS Config Service disabling
 logsource:
  service: cloudtrail
 detection:
  selection_source:
    - eventSource: config.amazonaws.com
  events:
    - eventName:
        - DeleteDeliveryChannel
        - StopConfigurationRecorder
  condition: selection_source AND events
 level: high
 falsepositives:
    - Valid change in AWS Config Service
 tags:
  - attack.t1089
--- a/rules/cloud/aws_ec2_download_userdata.yml
+++ b/rules/cloud/aws_ec2_download_userdata.yml
@ -0,0 +1,24 @@
 title: AWS EC2 Download Userdata
 id: 26ff4080-194e-47e7-9889-ef7602efed0c
 status: experimental
 author: faloker
 date: 2020/02/11
 description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: ec2.amazonaws.com
    selection_requesttype:
        - requestParameters.attribute: userData
    selection_eventname:
        - eventName: DescribeInstanceAttribute
    timeframe: 30m
    condition: all of them | count() > 10
 level: medium
 falsepositives:
    - Assets management software like device42
 tags:
    - attack.t1020
--- a/rules/cloud/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws_ec2_startup_script_change.yml
@ -0,0 +1,23 @@
 title: AWS EC2 Startup Shell Script Change
 id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
 status: experimental
 author: faloker
 date: 2020/02/12
 description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: ec2.amazonaws.com
    selection_userdata:
        - requestParameters.userData: "*"
    selection_eventname:
        - eventName: ModifyInstanceAttribute
    condition: all of them
 level: high
 falsepositives:
    - Valid changes to the startup script
 tags:
    - attack.t1064
--- a/rules/cloud/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws_guardduty_disruption.yml
@ -0,0 +1,21 @@
 title: AWS GuardDuty Important Change
 id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
 status: experimental
 author: faloker
 date: 2020/02/11
 description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: guardduty.amazonaws.com
    selection_eventName:
        - eventName: CreateIPSet
    condition: all of them
 level: high
 falsepositives:
    - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
    - attack.t1089
--- a/rules/cloud/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws_iam_backdoor_users_keys.yml
@ -0,0 +1,29 @@
 title: AWS IAM Backdoor Users Keys
 id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
 status: experimental
 author: faloker
 date: 2020/02/12
 description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: iam.amazonaws.com
    selection_eventname:
        - eventName: CreateAccessKey
    filter:
        userIdentity.arn|contains: responseElements.accessKey.userName
    condition: all of selection* and not filter
 fields:
    - userIdentity.arn
    - responseElements.accessKey.userName
    - errorCode
    - errorMessage
 level: medium
 falsepositives:
    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
    - AWS API keys legitimate exchange workflows
 tags:
    - attack.t1098
--- a/rules/cloud/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws_rds_change_master_password.yml
@ -0,0 +1,23 @@
 title: AWS RDS Master Password Change
 id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
 status: experimental
 author: faloker
 date: 2020/02/12
 description: Detects the change of database master password. It may be a part of data exfiltration.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: rds.amazonaws.com
    selection_modified_values:
        - responseElements.pendingModifiedValues.masterUserPassword: "*"
    selection_eventname:
        - eventName: ModifyDBInstance
    condition: all of them
 level: medium
 falsepositives:
    - Benign changes to a db instance
 tags:
    - attack.t1020
--- a/rules/cloud/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws_rds_public_db_restore.yml
@ -0,0 +1,23 @@
 title: Restore Public AWS RDS Instance
 id: c3f265c7-ff03-4056-8ab2-d486227b4599
 status: experimental
 author: faloker
 date: 2020/02/12
 description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
 logsource:
    service: cloudtrail
 detection:
    selection_source:
        - eventSource: rds.amazonaws.com
    selection_ispublic:
        - responseElements.publiclyAccessible: "true"
    selection_eventname:
        - eventName: RestoreDBInstanceFromDBSnapshot
    condition: all of them
 level: high
 falsepositives:
    - unknown
 tags:
    - attack.t1020
--- a/rules/cloud/aws_root_account_usage.yml
+++ b/rules/cloud/aws_root_account_usage.yml
@ -0,0 +1,21 @@
 title: AWS Root Credentials
 id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
 status: experimental
 author: vitaliy0x1
 date: 2020/01/21
 description: Detects AWS root account usage
 references:
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 logsource:
  service: cloudtrail
 detection:
  selection_usertype:
    - userIdentity.type: Root
  selection_eventtype:
    - eventType: AwsServiceEvent
  condition: selection_usertype AND NOT selection_eventtype
 level: medium
 falsepositives:
    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
 tags:
  - attack.t1078
--- a/rules/generic/generic_brute_force.yml
+++ b/rules/generic/generic_brute_force.yml
@ -0,0 +1,25 @@
 title: Brute Force
 id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
 description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
 tags:
    - attack.t1110
 author: Aleksandr Akhremchik, oscd.community
 date: 2019/10/25
 status: experimental
 logsource:
    category: authentication
 detection:
    selection:
         action: failure
    timeframe: 600s
    condition: selection | count(category) by dst_ip > 30
 fields:
    - src_ip
    - dst_ip
    - user
 falsepositives:
    - Inventarization
    - Penetration testing
    - Vulnerability scanner
    - Legitimate application
 level: medium
--- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@ -1,4 +1,4 @@
-title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+title: Edit of .bash_profile and .bashrc
 id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 status: experimental
 description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
@ -18,7 +18,7 @@ detection:
        type: 'PATH'
        name:
            - '/home/*/.bashrc'
-            - '/home/*/.bash_profile' 
+            - '/home/*/.bash_profile'
            - '/home/*/.profile'
            - '/etc/profile'
            - '/etc/shells'
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@ -0,0 +1,34 @@
 title: Auditing Configuration Changes on Linux Host
 id: 977ef627-4539-4875-adf4-ed8f780c4922
 description: Detect changes in auditd configuration files
    # Example config for this one (place it at the top of audit.rules)
    # -w /etc/audit/ -p wa -k etc_modify_auditconfig
    # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
    # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
 references:
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
    - self experience
 tags:
    - attack.defense_evasion
    - attack.t1054
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection
 fields:
    - exe
    - comm
    - key
 falsepositives:
    - Legitimate administrative activity
 level: high
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@ -0,0 +1,24 @@
 title: Modification of ld.so.preload
 id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
 description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
 status: experimental
 author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
 date: 2019/10/24
 modified: 2019/11/11
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 tags:
    - attack.defense_evasion
    - attack.t1055
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'PATH'
        name: '/etc/ld.so.preload'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@ -0,0 +1,33 @@
 title: Logging Configuration Changes on Linux Host
 id: c830f15d-6f6e-430f-8074-6f73d6807841
 description: Detect changes of syslog daemons configuration files
    # Example config for this one (place it at the top of audit.rules)
    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
 references:
    - self experience
 tags:
    - attack.defense_evasion
    - attack.t1054
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
 fields:
    - exe
    - comm
    - key
 falsepositives:
    - Legitimate administrative activity
 level: high
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@ -1,4 +1,4 @@
-title: Masquerading as Linux crond process
+title: Masquerading as Linux Crond Process
 id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
 status: experimental
 description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@ -1,4 +1,4 @@
-title: Detects Suspicious Commands on Linux systems
+title: Suspicious Commands Linux
 id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
@ -18,7 +18,7 @@ detection:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
-    cmd3: 
+    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
@ -29,4 +29,4 @@ detection:
    condition: 1 of them
 falsepositives:
    - Admin activity
-level: medium
+level: medium
--- a/rules/linux/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/lnx_apt_equationgroup_lnx.yml
@ -8,6 +8,7 @@ tags:
    - attack.g0020
    - attack.t1059
 author: Florian Roth
 date: 2017/04/09
 logsource:
    product: linux
 detection:
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@ -1,6 +1,8 @@
 title: Buffer Overflow Attempts
 id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
 description: Detects buffer overflow attempts in Unix system log files
 author: Florian Roth
 date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
--- a/rules/linux/lnx_chattr_immutable_removal.yml
+++ b/rules/linux/lnx_chattr_immutable_removal.yml
@ -0,0 +1,23 @@
 title: Remove Immutable File Attribute
 id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
 description: Detects removing immutable file attribute
 status: experimental
 tags:
    - attack.defense_evasion
    - attack.t1222
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'chattr'
        a1|contains: '-i'
    condition: selection
 falsepositives:
    - Administrator interacting with immutable files (for instance backups)
 level: medium
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
--- a/rules/linux/lnx_clamav.yml
+++ b/rules/linux/lnx_clamav.yml
@ -1,6 +1,8 @@
 title: Relevant ClamAV Message
 id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
 description: Detects relevant ClamAV messages
 author: Florian Roth
 date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
--- a/rules/linux/lnx_dd_delete_file.yml
+++ b/rules/linux/lnx_dd_delete_file.yml
@ -0,0 +1,25 @@
 title: Overwriting the File with Dev Zero or Null
 id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
 date: 2019/10/23
 description: Detects overwriting (effectively wiping/deleting) the file
 author: Jakob Weinzettl, oscd.community
 tags:
    - attack.impact
    - attack.t1485
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'   
        a1|contains:
            - 'if=/dev/null'    
            - 'if=/dev/zero'    
    condition: selection
 falsepositives:
    - Appending null bytes to files
    - Legitimate overwrite of files
 level: low
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
--- a/rules/linux/lnx_file_or_folder_permissions.yml
+++ b/rules/linux/lnx_file_or_folder_permissions.yml
@ -0,0 +1,24 @@
 title: File or Folder Permissions Change
 description: Detects 
 id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
 status: experimental
 tags:
    - attack.defense_evasion
    - attack.t1222
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'chmod'
            - 'chown'
    condition: selection
 falsepositives:
    - User interracting with files permissions (normal/daily behaviour)
 level: low
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
--- a/rules/linux/lnx_pers_systemd_reload.yml
+++ b/rules/linux/lnx_pers_systemd_reload.yml
@ -0,0 +1,27 @@
 title: Systemd Service Reload or Start
 id: 2625cc59-0634-40d0-821e-cb67382a3dd7
 description: Detects a reload or a start of a service
 status: experimental
 tags:
    - attack.persistence
    - attack.t1501
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
    product: linux
    service: auditd
 detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'systemctl'
        a1|contains:
            - 'daemon-reload'
            - 'start'
    condition: selection
 falsepositives:
    - Installation of legitimate service
    - Legitimate reconfiguration of service
 level: low
 references:
    - https://attack.mitre.org/techniques/T1501/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
--- a/rules/linux/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/lnx_shell_susp_log_entries.yml
@ -2,6 +2,7 @@ title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
 date: 2017/03/25
 logsource:
    product: linux
 detection:
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@ -1,6 +1,8 @@
 title: Shellshock Expression
 id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 description: Detects shellshock expressions in log files
 date: 2017/03/14
 author: Florian Roth
 references:
    - http://rubular.com/r/zxBfjWfFYs
 logsource:
--- a/rules/linux/lnx_susp_failed_logons_single_source.yml
+++ b/rules/linux/lnx_susp_failed_logons_single_source.yml
@ -1,5 +1,7 @@
-title: Multiple Failed Logins with Different Accounts from Single Source System
+title: Failed Logins with Different Accounts from Single Source System
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
 author: Florian Roth
 date: 2017/02/16
 description: Detects suspicious failed logins with different user accounts from a single source system
 logsource:
    product: linux
--- a/rules/linux/lnx_susp_vsftp.yml
+++ b/rules/linux/lnx_susp_vsftp.yml
@ -31,4 +31,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
--- a/rules/linux/modsecurity/modsec_mulitple_blocks.yml
+++ b/rules/linux/modsecurity/modsec_mulitple_blocks.yml
@ -1,6 +1,8 @@
 title: Multiple Modsecurity Blocks
 id: a06eea10-d932-4aa6-8ba9-186df72c8d23
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
 date: 2017/02/28
 author: Florian Roth
 logsource:
    product: linux
    service: modsecurity
@ -9,10 +11,9 @@ detection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
-    timeframe: 120m 
+    timeframe: 120m
    condition: selection | count() > 6
 falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
 level: medium
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@ -0,0 +1,31 @@
 title: Cisco Clear Logs
 id: ceb407f6-8277-439b-951f-e4210e3ed956
 status: experimental
 description: Clear command history in network OS which is used for defense evasion.
 references:
    - https://attack.mitre.org/techniques/T1146/
    - https://attack.mitre.org/techniques/T1070/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.defense_evasion
    - attack.t1146
    - attack.t1070
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
 detection:
    keywords:
        - 'clear logging'
        - 'clear archive'
    condition: keywords
 falsepositives:
    - Legitimate administrators may run these commands.
 level: high
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@ -0,0 +1,39 @@
 title: Cisco Collect Data
 id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
 status: experimental
 description: Collect pertinent data from the configuration files
 references:
    - https://attack.mitre.org/techniques/T1087/
    - https://attack.mitre.org/techniques/T1003/
    - https://attack.mitre.org/techniques/T1081/
    - https://attack.mitre.org/techniques/T1005/
 author: Austin Clark
 date: 2019/08/11
 tags:
    - attack.discovery
    - attack.credential_access
    - attack.collection
    - attack.t1087
    - attack.t1003
    - attack.t1081
    - attack.t1005
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
 detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
 falsepositives:
    - Commonly run by administrators.
 level: low
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@ -0,0 +1,33 @@
 title: Cisco Crypto Commands
 id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
 status: experimental
 description: Show when private keys are being exported from the device, or when new certificates are installed.
 references:
    - https://attack.mitre.org/techniques/T1145/
    - https://attack.mitre.org/techniques/T1130/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.credential_access
    - attack.defense_evasion
    - attack.t1130
    - attack.t1145
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
 detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
 falsepositives:
    - Not commonly run by administrators.  Also whitelist your known good certificates.
 level: high
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@ -0,0 +1,29 @@
 title: Cisco Disabling Logging
 id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
 status: experimental
 description: Turn off logging locally or remote
 references:
    - https://attack.mitre.org/techniques/T1089
 author: Austin Clark
 date: 2019/08/11
 tags:
    - attack.defense_evasion
    - attack.t1089
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
 detection:
    keywords:
        - 'no logging'
        - 'no aaa new-model'
    condition: keywords
 falsepositives:
    - Unknown
 level: high
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@ -0,0 +1,46 @@
 title: Cisco Discovery
 id: 9705a6a1-6db6-4a16-a987-15b7151e299b
 status: experimental
 description: Find information about network devices that are not stored in config files.
 references:
    - https://attack.mitre.org/tactics/TA0007/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
 detection:
    keywords:
        - 'dir'
        - 'show processes'
        - 'show arp'
        - 'show cdp'
        - 'show version'
        - 'show ip route'
        - 'show ip interface'
        - 'show ip sockets'
        - 'show users'
        - 'show ssh'
        - 'show clock'
    condition: keywords
 falsepositives:
    - Commonly used by administrators for troubleshooting
 level: low
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@ -0,0 +1,28 @@
 title: Cisco Denial of Service
 id: d94a35f0-7a29-45f6-90a0-80df6159967c
 status: experimental
 description: Detect a system being shutdown or put into different boot mode
 references:
    - https://attack.mitre.org/techniques/T1499/
    - https://attack.mitre.org/techniques/T1495/
 author: Austin Clark
 date: 2019/08/15
 tags:
    - attack.impact
    - attack.t1499
    - attack.t1495
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
 falsepositives:
    - Legitimate administrators may run these commands, though rarely.
 level: medium
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@ -0,0 +1,31 @@
 title: Cisco Show Commands Input
 id: 71d65515-c436-43c0-841b-236b1f32c21e
 status: experimental
 description: See what files are being deleted from flash file systems
 references:
    - https://attack.mitre.org/techniques/T1107/
    - https://attack.mitre.org/techniques/T1488/
    - https://attack.mitre.org/techniques/T1487/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1107
    - attack.t1488
    - attack.t1487
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
 falsepositives:
    - Will be used sometimes by admins to clean up local flash space.
 level: medium
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@ -0,0 +1,29 @@
 title: Cisco Show Commands Input
 id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
 status: experimental
 description: See what commands are being input into the device by other people, full credentials can be in the history
 references:
    - https://attack.mitre.org/techniques/T1056/
    - https://attack.mitre.org/techniques/T1139/
 author: Austin Clark
 date: 2019/08/11
 tags:
    - attack.collection
    - attack.credential_access
    - attack.t1139
    - attack.t1056
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
 falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured.
 level: medium
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@ -0,0 +1,27 @@
 title: Cisco Local Accounts
 id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
 status: experimental
 description: Find local accounts being created or modified as well as remote authentication configurations
 references:
    - https://attack.mitre.org/techniques/T1098/
    - https://attack.mitre.org/techniques/T1136/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.persistence
    - attack.t1136
    - attack.t1098
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
 falsepositives:
    - When remote authentication is in place, this should not change often.
 level: high
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@ -0,0 +1,38 @@
 title: Cisco Modify Configuration
 id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
 status: experimental
 description: Modifications to a config that will serve an adversary's impacts or persistence
 references:
    - https://attack.mitre.org/techniques/T1100/
    - https://attack.mitre.org/techniques/T1168/
    - https://attack.mitre.org/techniques/T1493/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.impact
    - attack.t1493
    - attack.t1100
    - attack.t1168
    - attack.t1490
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
    condition: keywords
 falsepositives:
    - Legitimate administrators may run these commands.
 level: medium
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@ -0,0 +1,39 @@
 title: Cisco Stage Data
 id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
 status: experimental
 description: Various protocols maybe used to put data on the device for exfil or infil
 references:
    - https://attack.mitre.org/techniques/T1074/
    - https://attack.mitre.org/techniques/T1105/
    - https://attack.mitre.org/techniques/T1498/
    - https://attack.mitre.org/techniques/T1002/
 author: Austin Clark
 date: 2019/08/12
 tags:
    - attack.collection
    - attack.lateral_movement
    - attack.command_and_control
    - attack.exfiltration
    - attack.impact
    - attack.t1074
    - attack.t1105
    - attack.t1492
    - attack.t1002
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'tftp'
        - 'rcp'
        - 'puts'
        - 'copy'
        - 'configure replace'
        - 'archive tar'
    condition: keywords
 falsepositives:
    - Generally used to copy configs or IOS images.
 level: low
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@ -0,0 +1,27 @@
 title: Cisco Sniffing
 id: b9e1f193-d236-4451-aaae-2f3d2102120d
 status: experimental
 description: Show when a monitor or a span/rspan is setup or modified
 references:
    - https://attack.mitre.org/techniques/T1040
 author: Austin Clark
 date: 2019/08/11
 tags:
    - attack.credential_access
    - attack.discovery
    - attack.t1040
 logsource:
    product: cisco
    service: aaa
    category: accounting
 fields:
    - CmdSet
 detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
 falsepositives:
    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
 level: medium
--- a/rules/network/net_apt_equationgroup_c2.yml
+++ b/rules/network/net_apt_equationgroup_c2.yml
@ -8,6 +8,7 @@ tags:
    - attack.command_and_control
    - attack.g0020
 author: Florian Roth
 date: 2017/04/15
 logsource:
    category: firewall
 detection:
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@ -9,7 +9,7 @@ references:
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
-    product: dns
+    category: dns
 detection:
    selection:
        parent_domain: '*'
@ -18,4 +18,5 @@ falsepositives:
    - Valid software, which uses dns for transferring data
 level: high
 tags:
-    - attack.t1043
+    - attack.t1048
    - attack.exfiltration
--- a/rules/network/net_high_dns_bytes_out.yml
+++ b/rules/network/net_high_dns_bytes_out.yml
@ -0,0 +1,29 @@
 action: global
 title: High DNS Bytes Out
 id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
 description: High DNS queries bytes amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 tags:
    - attack.exfiltration
    - attack.t1048
 falsepositives:
    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
 level: medium
 ---
 logsource:
    category: dns
 detection:
    selection:
        query: '*'
    timeframe: 1m
    condition: selection | sum(question_length) by src_ip > 300000
 ---
 logsource:
    category: firewall
 detection:
    selection:
        dst_port: 53
    timeframe: 1m
    condition: selection | sum(message_size) by src_ip > 300000
--- a/rules/network/net_high_dns_requests_rate.yml
+++ b/rules/network/net_high_dns_requests_rate.yml
@ -0,0 +1,29 @@
 action: global
 title: High DNS Requests Rate
 id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
 description: High DNS requests amount from host per short period of time
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 tags:
    - attack.exfiltration
    - attack.t1048
 falsepositives:
    - Legitimate high DNS requests rate to domain name which should be added to whitelist
 level: medium
 ---
 logsource:
    category: dns
 detection:
    selection:
        query: '*'
    timeframe: 1m
    condition: selection | count() by src_ip > 1000
 ---
 logsource:
    category: firewall
 detection:
    selection:    
        dst_port: 53
    timeframe: 1m
    condition: selection | count() by src_ip > 1000
--- a/rules/network/net_high_null_records_requests_rate.yml
+++ b/rules/network/net_high_null_records_requests_rate.yml
@ -0,0 +1,19 @@
 title: High NULL Records Requests Rate
 id: 44ae5117-9c44-40cf-9c7c-7edad385ca70
 description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 tags:
    - attack.exfiltration
    - attack.t1048
 logsource:
    category: dns
 detection:
    selection:    
        record_type: "NULL"
    timeframe: 1m
    condition: selection | count() by src_ip > 50
 falsepositives:
    - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
 level: medium
--- a/rules/network/net_high_txt_records_requests_rate.yml
+++ b/rules/network/net_high_txt_records_requests_rate.yml
@ -0,0 +1,19 @@
 title: High TXT Records Requests Rate
 id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35
 description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 tags:
    - attack.exfiltration
    - attack.t1048
 logsource:
    category: dns
 detection:
    selection:
        record_type: "TXT"
    timeframe: 1m
    condition: selection | count() by src_ip > 50
 falsepositives:
    - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
 level: medium
--- a/rules/network/net_susp_dns_txt_exec_strings.yml
+++ b/rules/network/net_susp_dns_txt_exec_strings.yml
@ -1,4 +1,4 @@
-title: DNS TXT Answer with possible execution strings
+title: DNS TXT Answer with Possible Execution Strings
 id: 8ae51330-899c-4641-8125-e39f2e07da72
 status: experimental
 description: Detects strings used in command execution in DNS TXT Answer
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@ -2,6 +2,7 @@ title: Network Scans
 id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
 logsource:
    category: firewall
 detection:
--- a/rules/network/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek_susp_kerberos_rc4.yml
@ -0,0 +1,23 @@
 title: Kerberos Network Traffic RC4 Ticket Encryption
 id: 503fe26e-b5f2-4944-a126-eab405cc06e5
 status: experimental
 date: 2020/02/12
 description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
 references:
    - https://adsecurity.org/?p=3458
 tags:
    - attack.credential_access
    - attack.t1208
 logsource:
    product: zeek
    service: kerberos
 detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service: '$*'
    condition: selection and not computer_acct
 falsepositives:
    - normal enterprise SPN requests activity
 level: medium
--- a/rules/proxy/proxy_apt40.yml
+++ b/rules/proxy/proxy_apt40.yml
@ -5,6 +5,7 @@ description: Detects suspicious user agent string of APT40 Dropbox tool
 references:
    - Internal research from Florian Roth
 author: Thomas Patzke
 date: 2019/11/12
 logsource:
    category: proxy
 detection:
@ -18,4 +19,3 @@ fields:
 falsepositives:
    - Old browsers
 level: high
--- a/rules/proxy/proxy_cobalt_amazon.yml
+++ b/rules/proxy/proxy_cobalt_amazon.yml
@ -1,4 +1,4 @@
-title: CobaltStrike Malleable Amazon browsing traffic profile
+title: CobaltStrike Malleable Amazon Browsing Traffic Profile
 id: 953b895e-5cc9-454b-b183-7f3db555452e
 status: experimental
 description: Detects Malleable Amazon Profile
@ -6,6 +6,7 @@ references:
  - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
  - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
 author: Markus Neis
 date: 2019/11/12
 tags:
  - attack.t1102
 logsource:
--- a/rules/proxy/proxy_cobalt_ocsp.yml
+++ b/rules/proxy/proxy_cobalt_ocsp.yml
@ -5,6 +5,7 @@ description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
 references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
 author: Markus Neis
 date: 2019/11/12
 tags:
    - attack.t1102
 logsource:
@ -13,8 +14,8 @@ detection:
    selection:
      c-uri: '*/oscp/*'
      cs-host: 'ocsp.verisign.com'
-     
+
-    condition: selection 
+    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@ -1,10 +1,11 @@
-title: CobaltStrike Malleable OneDrive browsing traffic profile
+title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
 id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
 status: experimental
 description: Detects Malleable OneDrive Profile
 references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 author: Markus Neis
 date: 2019/11/12
 tags:
    - attack.t1102
 logsource:
@ -15,7 +16,7 @@ detection:
      c-uri: '*?manifest=wac'
      cs-host: 'onedrive.live.com'
    filter:
-      c-uri: 'http*://onedrive.live.com/*'     
+      c-uri: 'http*://onedrive.live.com/*'
    condition: selection and not filter
 falsepositives:
    - Unknown
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@ -8,12 +8,13 @@ references:
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2018/06/13
+date: 2017/11/07
 modified: 2018/06/13
 logsource:
    category: proxy
 detection:
    selection:
-        c-uri-extension: 
+        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
@ -32,8 +33,8 @@ detection:
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
-        r-dns: 
+        r-dns:
-            # Symantec / Chris Larsen analysis 
+            # Symantec / Chris Larsen analysis
            - '*.country'
            - '*.stream'
            - '*.gdn'
@ -60,7 +61,7 @@ detection:
            - '*.zip'
            - '*.cricket'
            - '*.space'
-            # McAfee report 
+            # McAfee report
            - '*.info'
            - '*.vn'
            - '*.cm'
@ -97,7 +98,7 @@ detection:
            - '*.gq'
            - '*.ml'
            - '*.ga'
-            # Custom 
+            # Custom
            - '*.pw'
    condition: selection
 fields:
--- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml
@ -3,11 +3,12 @@ id: b5de2919-b74a-4805-91a7-5049accbaefe
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
 date: 2017/03/13
 logsource:
    category: proxy
 detection:
    selection:
-        c-uri-extension: 
+        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
@ -27,7 +28,7 @@ detection:
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
-        r-dns: 
+        r-dns:
            - '*.com'
            - '*.org'
            - '*.net'
--- a/rules/proxy/proxy_empty_ua.yml
+++ b/rules/proxy/proxy_empty_ua.yml
@ -5,11 +5,12 @@ description: Detects suspicious empty user agent strings in proxy logs
 references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 date: 2017/07/08
 logsource:
    category: proxy
 detection:
    selection:
-      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
+      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
      c-useragent: ''
    condition: selection
 fields:
--- a/rules/proxy/proxy_powershell_ua.yml
+++ b/rules/proxy/proxy_powershell_ua.yml
@ -5,6 +5,7 @@ description: Detects Windows PowerShell Web Access
 references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 date: 2017/03/13
 logsource:
    category: proxy
 detection:
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@ -5,6 +5,7 @@ description: Detects a flashplayer update from an unofficial location
 references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 date: 2017/10/25
 logsource:
    category: proxy
 detection:
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used in APT malware in proxy
 references:
    - Internal Research
 author: Florian Roth, Markus Neis
 date: 2019/11/12
 logsource:
    category: proxy
 detection:
@ -22,7 +23,7 @@ detection:
        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
-        - 'Netscape'  # Unit78020 Malware 
+        - 'Netscape'  # Unit78020 Malware
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
@ -34,7 +35,7 @@ detection:
        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
-        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples
        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)'  # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
@ -43,6 +44,7 @@ detection:
        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
        - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
        - 'hots scot'  # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
        - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)'  # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
    condition: selection
 fields:
    - ClientIP
@ -51,4 +53,3 @@ fields:
 falsepositives:
    - Old browsers
 level: high
--- a/rules/proxy/proxy_ua_cryptominer.yml
+++ b/rules/proxy/proxy_ua_cryptominer.yml
@ -12,7 +12,7 @@ logsource:
 detection:
    selection:
      c-useragent:
-        # XMRig  
+        # XMRig
        - 'XMRig *'
        # CCMiner
        - 'ccminer*'
--- a/rules/proxy/proxy_ua_frameworks.yml
+++ b/rules/proxy/proxy_ua_frameworks.yml
@ -5,6 +5,7 @@ description: Detects suspicious user agent strings used by exploit / pentest fra
 references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 date: 2017/07/08
 logsource:
    category: proxy
 detection:
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@ -6,6 +6,7 @@ references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
 date: 2017/07/08
 logsource:
    category: proxy
 detection:
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@ -9,6 +9,7 @@ references:
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 author: Florian Roth
 date: 2017/07/08
 logsource:
    category: proxy
 detection:
@ -55,7 +56,9 @@ detection:
        # Ursnif
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
-        # Others 
+        # Emotet
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)'  # https://twitter.com/webbthewombat/status/1225827092132179968
        # Others
        - '* pxyscand*'
        - '* asd'
        - '* mdms'
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@ -5,6 +5,7 @@ description: Detects suspicious malformed user agent strings in proxy logs
 references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 date: 2017/07/08
 logsource:
    category: proxy
 detection:
@ -18,13 +19,13 @@ detection:
        - 'Mozilla/2.0 *'
        - 'Mozilla/1.0 *'
        - 'Mozilla *'  # missing slash
-        - ' Mozilla/*'  # leading space 
+        - ' Mozilla/*'  # leading space
        - 'Mozila/*'  # single 'l'
        - '_'
        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
-        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880 
+        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
    falsepositives:
        c-useragent:
            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
--- a/rules/proxy/proxy_ursnif_malware.yml
+++ b/rules/proxy/proxy_ursnif_malware.yml
@ -3,6 +3,7 @@ id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
 status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
 logsource:
  category: proxy
 detection:
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@ -2,6 +2,7 @@ title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
 description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
 date: 2017/02/28
 references:
    - http://www.securityfocus.com/infocus/1633
 logsource:
@ -13,4 +14,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@ -0,0 +1,32 @@
 title: Citrix Netscaler Attack CVE-2019-19781
 description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
 id: ac5a6409-8c89-44c2-8d64-668c29a2d756
 references:
    - https://support.citrix.com/article/CTX267679
    - https://support.citrix.com/article/CTX267027
    - https://isc.sans.edu/diary/25686
    - https://twitter.com/mpgn_x64/status/1216787131210829826
    - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
 modified: 2020/01/15
 logsource:
    category: webserver
    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
    selection:
        c-uri-path: 
            - '*/../vpns/*'
            - '*/vpns/cfg/smb.conf'
            - '*/vpns/portal/scripts/*.pl*'
    condition: selection
 fields:
    - client_ip
    - vhost
    - url
    - response
 falsepositives:
    - Unknown
 level: critical
--- a/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
+++ b/rules/web/web_multiple_suspicious_resp_codes_single_source.yml
@ -1,7 +1,8 @@
-title: Multiple suspicious Response Codes caused by Single Client
+title: Multiple Suspicious Resp Codes Caused by Single Client
 id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
 date: 2017/02/19
 logsource:
    category: webserver
 detection:
--- a/rules/web/web_pulsesecure_cve-2019-11510.yml
+++ b/rules/web/web_pulsesecure_cve-2019-11510.yml
@ -4,6 +4,7 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
 references:
    - https://www.exploit-db.com/exploits/47297
 author: Florian Roth
 date: 2019/11/18
 logsource:
    category: webserver
 detection:
@ -17,4 +18,4 @@ fields:
    - response
 falsepositives:
    - Unknown
-level: critical
+level: critical
--- a/rules/web/web_source_code_enumeration.yml
+++ b/rules/web/web_source_code_enumeration.yml
@ -2,6 +2,7 @@ title: Source Code Enumeration Detection by Keyword
 id: 953d460b-f810-420a-97a2-cfca4c98e602
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
 date: 2019/06/08
 references:
    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
@ -18,4 +19,4 @@ fields:
    - response
 falsepositives:
    - unknown
-level: medium
+level: medium
--- a/rules/web/web_webshell_keyword.yml
+++ b/rules/web/web_webshell_keyword.yml
@ -2,6 +2,7 @@ title: Webshell Detection by Keyword
 id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 date: 2017/02/19
 logsource:
    category: webserver
 detection:
@ -19,4 +20,3 @@ falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
 level: high
--- a/rules/windows/builtin/win_GPO_scheduledtasks.yml
+++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml
@ -1,7 +1,8 @@
-title: Persistence and Execution at scale via GPO scheduled task
+title: Persistence and Execution at Scale via GPO Scheduled Task
 id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
 author: Samir Bousseaden
 date: 2019/04/03
 references:
    - https://twitter.com/menasec1/status/1106899890377052160
 tags:
@ -19,6 +20,6 @@ detection:
        RelativeTargetName: '*ScheduledTasks.xml'
        Accesses: '*WriteData*'
    condition: selection
-falsepositives: 
+falsepositives:
    - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
 level: high
--- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
    Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-author: Samir Bousseaden
+author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
 references:
    - https://twitter.com/menasec1/status/1111556090137903104
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@ -18,9 +18,10 @@ detection:
    selection:
        EventID: 5136
        LDAPDisplayName: 'ntSecurityDescriptor'
-        Value: 
+        Value|contains: 
-         - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+         - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
-         - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+         - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
         - '89e95b76-444d-4c62-991a-0facbeda640c'
    condition: selection
 falsepositives:
    - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
--- a/rules/windows/builtin/win_account_discovery.yml
+++ b/rules/windows/builtin/win_account_discovery.yml
@ -8,6 +8,7 @@ tags:
    - attack.t1087
 status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/win_ad_object_writedac_access.yml
@ -0,0 +1,26 @@
 title: AD Object WriteDAC Access
 id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
 description: Detects WRITE_DAC access to a domain object
 status: experimental
 date: 2019/09/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
 tags:
    - attack.defense_evasion
    - attack.t1222
 logsource:
    product: windows
    service: security
 detection:
    selection: 
        EventID: 4662
        ObjectServer: 'DS'
        AccessMask: 0x40000
        ObjectType:
            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
            - 'domainDNS'
    condition: selection
 falsepositives:
    - Unknown
 level: critical
--- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@ -0,0 +1,33 @@
 title: Active Directory Replication from Non Machine Account
 id: 17d619c1-e020-4347-957e-1d1207455c93
 description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
 status: experimental
 date: 2019/07/26
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
 tags:
    - attack.credential_access
    - attack.t1003
 logsource:
    product: windows
    service: security
 detection:
    selection:
        EventID: 4662
        AccessMask: '0x100'
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
 fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
 falsepositives:
    - Unknown
 level: critical
--- a/rules/windows/builtin/win_admin_rdp_login.yml
+++ b/rules/windows/builtin/win_admin_rdp_login.yml
@ -9,6 +9,7 @@ tags:
    - car.2016-04-005
 status: experimental
 author: juju4
 date: 2017/10/29
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_admin_share_access.yml
+++ b/rules/windows/builtin/win_admin_share_access.yml
@ -6,6 +6,7 @@ tags:
    - attack.t1077
 status: experimental
 author: Florian Roth
 date: 2017/03/04
 logsource:
    product: windows
    service: security
@ -17,6 +18,6 @@ detection:
    filter:
        SubjectUserName: '*$'
    condition: selection and not filter
-falsepositives: 
+falsepositives:
    - Legitimate administrative activity
 level: low
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@ -7,6 +7,7 @@ tags:
 references:
    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 date: 2017/07/30
 logsource:
    product: windows
    service: security
@ -18,6 +19,6 @@ detection:
        Message:
            - '*SeEnableDelegationPrivilege*'
    condition: all of them
-falsepositives: 
+falsepositives:
    - Unknown
 level: high
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@ -6,6 +6,7 @@ references:
    - https://adsecurity.org/?p=3466
    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 author: '@neu5ron'
 date: 2017/04/13
 tags:
    - attack.t1098
    - attack.credential_access
@ -19,9 +20,9 @@ detection:
    selection1:
        EventID: 4738
    filter1:
-        AllowedToDelegateTo: null
+        AllowedToDelegateTo: 
-    filter2:
+            - null
-        AllowedToDelegateTo: '-'
+            - '-'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@ -31,8 +32,8 @@ detection:
        AttributeLDAPDisplayName: 'servicePrincipalName'
    selection4:
        EventID: 5136
-        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'        
+        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
-falsepositives: 
+falsepositives:
    - Unknown
 level: high
--- a/Show More
+++ b/Show More