Merge branch 'SigmaHQ:master' into master

2024-11-06 17:35:19 +00:00 · 2021-09-07 19:58:09 -06:00 · 2021-09-07 19:58:09 -06:00 · 932b7cf2ba
commit 932b7cf2ba
parent be442182fe d9edc9f0e3
181 changed files with 1871 additions and 298 deletions
--- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
@ -12,8 +12,7 @@ logsource:
    service: cloudtrail
 detection:
    selection:
-        eventSource: sts.amazonaws.com
+        userIdentity.type: AssumedRole
        eventName: AssumeRole
        userIdentity.sessionContext.sessionIssuer.type: Role
    condition: selection
 level: low
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@ -15,11 +15,11 @@ detection:
        eventSource: iam.amazonaws.com
        eventName: UpdateLoginProfile
    filter:
-        userIdentity.arn|contains: responseElements.accessKey.userName
+        userIdentity.arn|contains: requestParameters.userName
    condition: selection_source and not filter
 fields:
    - userIdentity.arn
-    - responseElements.accessKey.userName
+    - requestParameters.userName
    - errorCode
    - errorMessage
 falsepositives:
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@ -0,0 +1,21 @@
 title: Azure Application Credential Modified
 id: cdeef967-f9a1-4375-90ee-6978c5f23974
 description: Identifies when a application credential is modified.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/02
 references:
    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: "Update application - Certificates and secrets management"
    condition: selection
 level: medium
 tags:
    - attack.impact
 falsepositives:
 - Application credential added may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
@ -0,0 +1,23 @@
 title: Azure Application Deleted
 id: 410d2a41-1e6d-452f-85e5-abdd8257a823
 description: Identifies when a application is deleted in Azure.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message:
            - Delete application
            - Hard Delete application
    condition: selection
 level: medium
 tags:
    - attack.defense_evasion
 falsepositives:
 - Application being deleted may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@ -0,0 +1,21 @@
 title: Azure Device No Longer Managed or Compliant
 id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
 description: Identifies when a device in azure is no longer managed or compliant
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: 
            - Device no longer compliant
            - Device no longer managed
    condition: selection
 level: medium
 tags:
    - attack.impact
 falsepositives:
 - Administrator may have forgotten to review the device. 
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@ -0,0 +1,25 @@
 title: Azure Device or Configuration Modified or Deleted
 id: 46530378-f9db-4af9-a9e5-889c177d3881
 description: Identifies when a device or device configuration in azure is modified or deleted.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: 
            - Delete device
            - Delete device configuration
            - Update device
            - Update device configuration
    condition: selection
 level: medium
 tags:
    - attack.impact
 falsepositives:
 - Device or device configuration being modified or deleted may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_federation_modified.yml
+++ b/rules/cloud/azure/azure_federation_modified.yml
@ -0,0 +1,23 @@
 title: Azure Domain Federation Settings Modified
 id: 352a54e1-74ba-4929-9d47-8193d67aba1e
 description: Identifies when an user or application modified the federation settings on the domain.
 author: Austin Songer
 status: experimental
 date: 2021/09/06
 references:
    - https://attack.mitre.org/techniques/T1078
 logsource:
  service: azure.signinlogs
 detection:
    selection:
        properties.message: Set federation settings on domain
    condition: selection
 level: medium
 tags:
    - attack.initial_access
    - attack.t1078
 falsepositives:
 - Federation Settings being modified or deleted may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
@ -0,0 +1,24 @@
 title: Azure Network Firewall Policy Modified or Deleted
 id: 83c17918-746e-4bd9-920b-8e098bf88c23
 description: Identifies when a Firewall Policy is Modified or Deleted.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/02
 references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: 
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
    condition: selection
 level: medium
 tags:
    - attack.impact
 falsepositives:
 - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@ -0,0 +1,23 @@
 title: Azure Owner Removed From Application or Service Principal
 id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
 description: Identifies when a owner is was removed from a application or service principal in Azure.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: 
            - Remove owner from service principal
            - Remove owner from application
    condition: selection
 level: medium
 tags:
    - attack.defense_evasion
 falsepositives:
 - Owner being removed may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_service_principal_created.yml
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@ -0,0 +1,21 @@
 title: Azure Service Principal Created
 id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
 description: Identifies when a service principal is created in Azure.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/02
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: "Add service principal"
    condition: selection
 level: medium
 tags:
    - attack.defense_evasion
 falsepositives:
 - Service principal being created may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@ -0,0 +1,21 @@
 title: Azure Service Principal Removed
 id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
 description: Identifies when a service principal was removed in Azure.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  service: azure.activitylogs
 detection:
    selection:
        properties.message: Remove service principal
    condition: selection
 level: medium
 tags:
    - attack.defense_evasion
 falsepositives:
 - Service principal being removed may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@ -1,6 +1,5 @@
 action: global
 title: Cleartext Protocol Usage
 id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
 status: stable
 description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
    is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
@ -57,6 +56,7 @@ level: low
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
 ---
 id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
 logsource:
    product: netflow
 detection:
@ -80,6 +80,7 @@ detection:
            - 5904
    condition: selection
 ---
 id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
 logsource:
    category: firewall
 detection:
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@ -0,0 +1,30 @@
 title: Audio Capture
 id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
 description: Detects attempts to record audio with arecord utility
    #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay 
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/04
 references:
   - https://linux.die.net/man/1/arecord
   - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
   - https://attack.mitre.org/techniques/T1123/
 logsource:
   product: linux
   service: auditd
 detection:
   selection:
       type: EXECVE
       a0:
           - arecord
       a1:
           - '-vv'
       a2:
           - '-fdat'
   condition: selection
 tags:
   - attack.collection
   - attack.t1123
 falsepositives:
   - None
 level: low
--- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
@ -1,6 +1,5 @@
 action: global
 title: CVE-2021-3156 Exploitation Attempt
 id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
 status: experimental
 description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
             Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
@ -21,6 +20,7 @@ logsource:
    product: linux
    service: auditd
 ---
 id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
 detection:
    selection:
        type: 'EXECVE'
@ -43,6 +43,7 @@ detection:
        a4: '\'
    condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
 ---
 id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
 detection:
    selection:
        type: 'SYSCALL'
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@ -0,0 +1,33 @@
 title: Hidden Files and Directoriese
 id: d08722cd-3d09-449a-80b4-83ea2d9d4616
 description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/06
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
   - https://attack.mitre.org/techniques/T1564/001/
 logsource:
   product: linux
   service: auditd
 detection:
   commands:
       type: EXECVE
       a0:
           - mkdir
           - touch
           - vim
           - nano
           - vi
   arguments:
       - a1|contains: '/.'
       - a1|startswith: '.'
       - a2|contains: '/.'
       - a2|startswith: '.'
   condition: commands and arguments
 tags:
   - attack.defense_evasion
   - attack.t1564.001
 falsepositives:
   - None
 level: low
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@ -0,0 +1,31 @@
 title: System Information Discovery
 id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
 description: Detects System Information Discovery commands
 author: 'Pawel Mazur'
 status: experimental
 date: 2021/09/03
 references:
   - https://attack.mitre.org/techniques/T1082/
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
 logsource:
   product: linux
   service: auditd
 detection:
   selection:
       type: PATH
       name:
           - /etc/lsb-release
           - /etc/redhat-release
           - /etc/issue
   selection2:
       type: EXECVE
       a0:
           - uname
           - uptime
   condition: selection or selection2
 tags:
   - attack.discovery
   - attack.t1082
 falsepositives:
   - Legitimate administrative activity
 level: low
--- a/rules/linux/lnx_network_service_scanning.yml
+++ b/rules/linux/lnx_network_service_scanning.yml
@ -1,6 +1,5 @@
 action: global
 title: Linux Network Service Scanning
 id: 3e102cd9-a70d-4a7a-9508-403963092f31
 status: experimental
 description: Detects enumeration of local or remote network services.
 author: Alejandro Ortuno, oscd.community
@ -14,6 +13,7 @@ tags:
  - attack.discovery
  - attack.t1046
 ---
 id: 3e102cd9-a70d-4a7a-9508-403963092f31
 logsource:
  category: process_creation
  product: linux
@ -31,6 +31,7 @@ detection:
    CommandLine|contains: 'l'
  condition: (netcat and not netcat_listen_flag) or network_scanning_tools
 ---
 id: 3761e026-f259-44e6-8826-719ed8079408
 logsource:
  product: linux
  service: auditd
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
@ -1,6 +1,5 @@
 action: global
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
 author: Ömer Günal, Alejandro Ortuno, oscd.community
@ -15,6 +14,7 @@ tags:
    - attack.t1562.004
    - attack.t1089 # an old one
 ---
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 logsource:
    category: process_creation
    product: linux
@ -84,6 +84,7 @@ detection:
          - 'falcon-sensor'
    condition: 1 of them
 ---
 id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
 logsource:
    product: linux
    service: syslog
--- a/rules/linux/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/lnx_sudo_cve_2019_14287.yml
@ -1,6 +1,5 @@
 action: global
 title: Sudo Privilege Escalation CVE-2019-14287
 id: f74107df-b6c6-4e80-bf00-4170b658162b
 status: experimental
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
 author: Florian Roth
@ -21,11 +20,13 @@ tags:
    - attack.t1169 # an old one
    - attack.t1548.003
 ---
 id: f74107df-b6c6-4e80-bf00-4170b658162b
 detection:
    selection_keywords:
        - '* -u#*'
    condition: selection_keywords
 --- 
 id: 7fcc54cb-f27d-4684-84b7-436af096f858
 detection:
    selection_user:
        USER:
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
@ -1,6 +1,5 @@
 action: global
 title: System Information Discovery
 id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
 status: stable
 description: Detects system information discovery commands
 author: Ömer Günal, oscd.community
@ -15,6 +14,7 @@ tags:
    - attack.discovery
    - attack.t1082
 ---
 id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
 logsource:
    product: linux
    category: process_creation
@ -30,6 +30,7 @@ detection:
          - '/lsmod'
    condition: selection
 ---
 id: 1f358e2e-cb63-43c3-b575-dfb072a6814f
 logsource:
    product: linux
    service: auditd
--- a/rules/network/net_high_dns_bytes_out.yml
+++ b/rules/network/net_high_dns_bytes_out.yml
@ -1,6 +1,5 @@
 action: global
 title: High DNS Bytes Out
 id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
 status: experimental
 description: High DNS queries bytes amount from host per short period of time
 author: Daniil Yugoslavskiy, oscd.community
@ -14,6 +13,7 @@ tags:
    - attack.t1048 # an old one
    - attack.t1048.003
 ---
 id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
 logsource:
    category: dns
 detection:
@ -22,6 +22,7 @@ detection:
    timeframe: 1m
    condition: selection | sum(question_length) by src_ip > 300000
 ---
 id: 3b6e327d-8649-4102-993f-d25786481589
 logsource:
    category: firewall
 detection:
--- a/rules/network/net_high_dns_requests_rate.yml
+++ b/rules/network/net_high_dns_requests_rate.yml
@ -1,6 +1,5 @@
 action: global
 title: High DNS Requests Rate
 id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
 status: experimental
 description: High DNS requests amount from host per short period of time
 author: Daniil Yugoslavskiy, oscd.community
@ -17,6 +16,7 @@ tags:
    - attack.t1071 # an old one
    - attack.t1071.004
 ---
 id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
 logsource:
    category: dns
 detection:
@ -25,6 +25,7 @@ detection:
    timeframe: 1m
    condition: selection | count() by src_ip > 1000
 ---
 id: 51186749-7415-46be-90e5-6914865c825a
 logsource:
    category: firewall
 detection:
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@ -1,6 +1,5 @@
 action: global
 title: Network Scans
 id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 status: experimental
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
@ -21,12 +20,14 @@ tags:
    - attack.discovery
    - attack.t1046
 ---
 id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 detection:
    selection:
        action: denied
    timeframe: 24h
    condition: selection | count(dst_port) by src_ip > 10
 ---
 id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
 detection:
    selection:
        action: denied
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@ -7,9 +7,9 @@ date: 2021/08/19
 modified: 2021/08/23
 author: Saw Winn Naung, Azure-Sentinel, @neu5ron
 level: low
-logsource:                     
+logsource:
-    service: dns  
+    service: dns
-    product: zeek 
+    product: zeek
 tags:
  - attack.t1035 # an old one
  - attack.t1569.002
@ -93,7 +93,7 @@ detection:
            - "0.0.0.0"
    exclude_rejected:
        rejected: "true"
-    condition: selection and not (exclude_answers OR exclude_rejected)
+    condition: selection and not (exclude_answers or exclude_rejected)
 falsepositives:
    - A DNS lookup does not necessarily  mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
 fields:
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@ -44,7 +44,7 @@ detection:
      - '137'
      - '138'
      - '139'
-  condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios)
+  condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
 falsepositives:
  - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
  - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@ -50,6 +50,7 @@ detection:
        - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)'  # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;'  # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
        - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0'  # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
        - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36'  # SideWalk malware used by Sparkling Goblin
    condition: selection
 fields:
    - ClientIP
--- a/rules/windows/builtin/win_apt_apt29_tor.yml
+++ b/rules/windows/builtin/win_apt_apt29_tor.yml
@ -1,6 +1,5 @@
 action: global
 title: APT29 Google Update Service Install
 id: c069f460-2b87-4010-8dcf-e45bab362624
 description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    so the service names and executable locations used by APT29 are specific enough to be detected in log files.
 references:
@ -26,6 +25,7 @@ falsepositives:
    - Unknown
 level: high
 ---
 id: c069f460-2b87-4010-8dcf-e45bab362624
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@ -2,7 +2,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms
 id: 24de4f3b-804c-4165-b442-5a06a2302c7e
 description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
 author: Sreeman
-date: 2020/13/03
+date: 2020/03/13
 modified: 2021/08/09
 references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
--- a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml
+++ b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml
@ -3,7 +3,7 @@ id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
 status: experimental
 description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
 author: Sreeman
-date: 2020/13/03
+date: 2020/03/13
 modified: 2021/06/11
 tags: 
    - attack.t1218
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@ -36,3 +36,6 @@ detection:
 falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
 level: high
 tags:
    - attack.resource_development 
    - attack.t1588 
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@ -1,6 +1,5 @@
 action: global
 title: CobaltStrike Service Installations
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
 author: Florian Roth, Wojciech Lesicki
 references:
@ -34,6 +33,7 @@ falsepositives:
    - Unknown
 level: critical
 ---
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 logsource:
    product: windows
    service: system
@ -41,6 +41,7 @@ detection:
    selection_id:
        EventID: 7045
 ---
 id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation CLIP+ Launcher
 id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
    condition: selection and selection_eventid
 ---
 id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation Obfuscated IEX Invocation
 id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
@ -17,11 +16,12 @@ detection:
        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
+        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
        - ImagePath|re: '\$VerbosePreference\.ToString\('
        - ImagePath|re: '\String\]\s*\$VerbosePreference'
    condition: selection and selection_1
 ---
 id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 logsource:
    product: windows
    service: system
@ -29,6 +29,7 @@ detection:
    selection:
        EventID: 7045
 ---
 id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
 logsource:
    product: windows
    category: driver_load
@ -36,6 +37,7 @@ detection:
    selection:
        EventID: 6
 ---
 id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation STDIN+ Launcher
 id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection and selection_eventid
 ---
 id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation VAR+ Launcher
 id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
    condition: all of them
 ---
 id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 logsource:
    product: windows
    service: system
@ -28,10 +28,12 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
 logsource:
    product: windows
    category: process_creation
 ---
 id: dcf2db1f-f091-425b-a821-c05875b8925a
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
 id: 175997c5-803c-4b08-8bb0-70b099f47595
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
    condition: selection and selection_eventid
 ---
 id: 175997c5-803c-4b08-8bb0-70b099f47595
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: c70731dd-0097-40ff-b112-f7032f29c16c
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation RUNDLL LAUNCHER
 id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
    condition: selection and selection_eventid
 ---
 id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation Via Stdin
 id: 487c7524-f892-4054-b263-8a0ace63fc25
 description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
    condition: selection and selection_eventid
 ---
 id: 487c7524-f892-4054-b263-8a0ace63fc25
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 82b66143-53ee-4369-ab02-de2c70cd6352
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation Via Use Clip
 id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
    condition: selection and selection_eventid
 ---
 id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation Via Use MSHTA
 id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
    condition: selection and selection_eventid
 ---
 id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation Via Use Rundll32
 id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
    condition: selection and selection_eventid
 ---
 id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@ -1,6 +1,5 @@
 action: global
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
 id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
@ -21,6 +20,7 @@ detection:
        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
    condition: selection and selection_eventid
 ---
 id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    selection_eventid:
        EventID: 7045
 ---
 id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
 logsource:
    product: windows
    category: driver_load
@ -35,6 +36,7 @@ detection:
    selection_eventid:
        EventID: 6
 ---
 id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@ -1,9 +1,7 @@
 ---
 action: global
 title: Credential Dumping Tools Service Execution
 description: Detects well-known credential dumping tools execution via service execution events
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 date: 2017/03/05
 modified: 2021/03/18
 references:
@ -44,6 +42,7 @@ falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
 level: high
 ---
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 logsource:
    product: windows
    service: system
@ -51,10 +50,12 @@ detection:
    selection:
        EventID: 7045
 ---
 id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
 logsource:
    product: windows
    category: driver_load
 ---
 id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@ -1,6 +1,5 @@
 action: global
 title: Malicious Service Installations
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
 author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
@ -24,6 +23,7 @@ falsepositives:
    - Penetration testing
 level: critical
 ---
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 logsource:
    product: windows
    service: system
@ -39,6 +39,7 @@ detection:
    malsvc_apt29:
        ServiceName: 'Java(TM) Virtual Machine Support Service'
 ---
 id: cb062102-587e-4414-8efa-dbe3c7bf19c6
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml
@ -1,10 +1,9 @@
 action: global
 title: Metasploit Or Impacket Service Installation Via SMB PsExec
 id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
 author: Bartlomiej Czyz, Relativity
 date: 2021/01/21
 modified: 2021/07/23
 action: global
 references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
 tags:
@ -32,6 +31,7 @@ falsepositives:
    - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
 level: high
 ---
 id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
 logsource:
    product: windows
    service: system
@ -39,10 +39,11 @@ detection:
    selection:
        EventID: 7045
 ---
- logsource:
+id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
-     product: windows
+logsource:
-     service: security
+    product: windows
- detection:
+    service: security
-     selection:
+detection:
-         EventID: 4697
+    selection:
        EventID: 4697
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@ -1,6 +1,5 @@
 action: global
 title: Meterpreter or Cobalt Strike Getsystem Service Installation
 id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
@ -48,6 +47,7 @@ falsepositives:
    - Highly unlikely
 level: critical
 ---
 id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 logsource:
    product: windows
    service: system
@ -55,10 +55,12 @@ detection:
    selection:
        EventID: 7045
 ---
 id: d585ab5a-6a69-49a8-96e8-4a726a54de46
 logsource:
    product: windows
    category: driver_load
 ---
 id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_moriya_rootkit.yml
+++ b/rules/windows/builtin/win_moriya_rootkit.yml
@ -1,6 +1,5 @@
 action: global
 title: Moriya Rootkit
 id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
 status: experimental
 author: Bhabesh Raj
@ -16,6 +15,7 @@ tags:
    - attack.privilege_escalation
    - attack.t1543.003
 ---
 id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 logsource:
    product: windows
    service: system
@ -25,6 +25,7 @@ detection:
        ServiceName: ZzNetSvc
    condition: selection
 ---
 id: a1507d71-0b60-44f6-b17c-bf53220fdd88
 logsource:
    product: windows
    category: file_event
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@ -1,6 +1,5 @@
 action: global
 title: NetNTLM Downgrade Attack
 id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 description: Detects NetNTLM downgrade attack
 references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
@ -18,6 +17,7 @@ falsepositives:
    - Unknown
 level: critical
 ---
 id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 logsource:
    product: windows
    category: registry_event
@ -34,6 +34,7 @@ detection:
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
 id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
 logsource:
    product: windows
    service: security
--- a/rules/windows/builtin/win_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml
@ -20,3 +20,6 @@ detection:
 falsepositives:
    - Unlikely
 level: critical
 tags:
    - attack.impact 
    - attack.t1499.001
--- a/rules/windows/builtin/win_petitpotam_network_share.yml
+++ b/rules/windows/builtin/win_petitpotam_network_share.yml
@ -0,0 +1,26 @@
 title: Possible PetitPotam Coerce Authentication Attempt
 id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
 description: Detect PetitPotam coerced authentication activity.
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
 references:
    - https://github.com/topotam/PetitPotam
    - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
 tags:
    - attack.credential_access
    - attack.t1187
 logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
 detection:
    selection:
        EventID: 5145
        ShareName|startswith: '\\'
        ShareName|endswith: '\IPC$'
        RelativeTargetName: lsarpc
        SubjectUserName: ANONYMOUS LOGON
    condition: selection
 falsepositives:
    - Unknown. Feedback welcomed.
 level: high
--- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml
@ -0,0 +1,33 @@
 title: PetitPotam Suspicious Kerberos TGT Request
 id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
 description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
  certificate by abusing Active Directory Certificate Services in combination with
  PetitPotam, the next step would be to leverage the certificate for malicious purposes.
  One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
  like Rubeus. This request will generate a 4768 event with some unusual fields depending
  on the environment. This analytic will require tuning, we recommend filtering Account_Name
  to the Domain Controller computer accounts.
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
 references:
    - https://github.com/topotam/PetitPotam
    - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
    - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
 tags:
    - attack.credential_access
    - attack.t1187
 logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
 detection:
    selection:
        EventID: 4768
        TargetUserName|endswith: '$'
        CertThumbprint: '*'
    filter_local:
        IpAddress: '::1'
    condition: selection and not filter_local
 falsepositives:
    - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
 level: high
--- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml
@ -1,6 +1,5 @@
 action: global
 title: PowerShell Scripts Installed as Services
 id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
 description: Detects powershell script installed as a Service
 status: experimental
 author: oscd.community, Natalia Shornikova
@ -21,6 +20,7 @@ falsepositives:
    - Unknown
 level: high
 ---
 id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
 logsource:
    product: windows
    service: system
@ -28,6 +28,7 @@ detection:
    service_creation:
        EventID: 7045
 ---
 id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
 logsource:
    product: windows
    service: sysmon
@ -35,6 +36,7 @@ detection:
    service_creation:
        EventID: 6
 ---
 id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
 logsource:
    product: windows
    service: security
--- a/rules/windows/powershell/win_powershell_web_request.yml
+++ b/rules/windows/powershell/win_powershell_web_request.yml
@ -1,8 +1,7 @@
 action: global
 title: Windows PowerShell Web Request
 id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
 status: experimental
-description: Detects the use of various web request methods (including aliases) via Windows PowerShell
+description: Detects the use of various web request methods (including aliases) via Windows PowerShell command
 references:
    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
@ -19,6 +18,7 @@ falsepositives:
    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
 level: medium
 ---
 id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
 logsource:
    category: process_creation
    product: windows
@ -32,6 +32,7 @@ detection:
            - 'Net.WebClient'
            - 'Start-BitsTransfer'
 ---
 id: 1139d2e2-84b1-4226-b445-354492eba8ba
 logsource:
    product: windows
    service: powershell
--- a/rules/windows/builtin/win_root_certificate_installed.yml
+++ b/rules/windows/builtin/win_root_certificate_installed.yml
@ -1,6 +1,5 @@
 action: global
 title: Root Certificate Installed
 id: 42821614-9264-4761-acfc-5772c3286f76
 status: experimental
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 references:
@ -16,6 +15,7 @@ falsepositives:
 detection:
    condition: 1 of them
 ---
 id: 42821614-9264-4761-acfc-5772c3286f76
 logsource:
    product: windows
    service: powershell
@ -31,6 +31,7 @@ detection:
          - 'Import-Certificate'
          - 'Cert:\LocalMachine\Root'
 ---
 id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/builtin/win_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml
@ -21,3 +21,6 @@ detection:
 falsepositives:
    - Unknown
 level: critical
 tags:
    - attack.privilege_escalation
    - attack.t1548
--- a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml
+++ b/rules/windows/builtin/win_software_atera_rmm_agent_install.yml
@ -0,0 +1,22 @@
 title: Atera Agent Installation
 id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
 status: experimental
 description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
 references: 
  - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 date: 2021/09/01
 author: Bhabesh Raj
 level: high
 logsource:                     
    service: application  
    product: windows 
 tags:
    - attack.t1219
 detection:
    selection:
        EventID: 1033
        Source: MsiInstaller
        Message|contains: AteraAgent
    condition: selection
 falsepositives:
    - Legitimate Atera agent installation
--- a/rules/windows/builtin/win_software_discovery.yml
+++ b/rules/windows/builtin/win_software_discovery.yml
@ -1,6 +1,5 @@
 action: global
 title: Detected Windows Software Discovery
 id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -17,6 +16,7 @@ falsepositives:
 detection:
    condition: 1 of them
 ---
 id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 logsource:
    product: windows
    service: powershell
@ -30,6 +30,7 @@ detection:
          - 'select-object'
          - 'format-table'
 ---
 id: e13f668e-7f95-443d-98d2-1816a7648a7b
 logsource:
    category: process_creation
    product: windows
--- a/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/builtin/win_susp_athremotefxvgpudisablementcommand.yml
@ -1,6 +1,5 @@
 action: global
 title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
 id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
 status: experimental
 author: frack113
 date: 2021/07/13
@ -20,6 +19,7 @@ falsepositives:
    - Unknown
 level: medium
 ---
 id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
 logsource:
    product: windows
    category: process_creation
@ -34,6 +34,7 @@ detection:
            - '-RemoteFXvGPUDisablementFilePath'
    condition: selection_cmd and selection_opt
 ---
 id: f65e22f9-819e-4f96-9c7b-498364ae7a25
 logsource:
    product: windows
    service: powershell-classic
@ -49,6 +50,7 @@ detection:
            - '-RemoteFXvGPUDisablementFilePath'
    condition: selection_cmd and selection_opt
 ---
 id: 38a7625e-b2cb-485d-b83d-aff137d859f4
 logsource:
    product: windows
    service: powershell
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@ -1,6 +1,5 @@
 action: global
 title: Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 related:
    - id: f2f01843-e7b8-4f95-a35a-d23584476423
      type: obsoletes
@ -21,6 +20,7 @@ falsepositives:
    - System provisioning (system reset before the golden image creation)
 level: high
 ---
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 logsource:
    product: windows
    service: security
@ -31,6 +31,7 @@ detection:
            - 1102
    condition: selection
 ---
 id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
 logsource:
    product: windows
    service: system
--- a/rules/windows/builtin/win_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml
@ -25,3 +25,6 @@ fields:
    - User
 falsepositives:
    - Account fallback reasons (after failed login with specific account)
 tags:
    - attack.credential_access
    - attack.t1110.001
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@ -1,6 +1,5 @@
 action: global
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
 date: 2017/01/10
@ -19,6 +18,7 @@ falsepositives:
    - Workstations with frequently changing users
 level: medium
 ---
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 detection:
    selection1:
        EventID:
@ -28,6 +28,7 @@ detection:
        WorkstationName: '*'
    condition: selection1 | count(TargetUserName) by WorkstationName > 3    
 ---
 id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
 detection:
    selection2:
        EventID: 4776
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@ -25,7 +25,7 @@ detection:
    keywords:
        - 'MsMpEng.exe'
        - 'mpengine.dll'
-    condition: 1 of selection* and keywords
+    condition: 1 of selection* and all of keywords
 falsepositives:
    - MsMpEng.exe can crash when C:\ is full
 level: high
--- a/rules/windows/builtin/win_susp_zip_compress.yml
+++ b/rules/windows/builtin/win_susp_zip_compress.yml
@ -1,6 +1,5 @@
 action: global
 title: Zip A Folder With PowerShell For Staging In Temp
 id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
 status: experimental
 author: frack113
 date: 2021/07/20
@ -14,6 +13,7 @@ falsepositives:
    - Unknown
 level: medium
 ---
 id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
 logsource:
    product: windows
    category: process_creation
@ -26,6 +26,7 @@ detection:
            - '$env:TEMP\'
    condition: selection 
 ---
 id: 71ff406e-b633-4989-96ec-bc49d825a412
 logsource:
    product: windows
    service: powershell-classic
@ -39,6 +40,7 @@ detection:
            - '$env:TEMP\'
    condition: selection 
 ---
 id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 logsource:
    product: windows
    service: powershell
--- a/rules/windows/builtin/win_tap_driver_installation.yml
+++ b/rules/windows/builtin/win_tap_driver_installation.yml
@ -1,6 +1,5 @@
 action: global
 title: Tap Driver Installation
 id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
 status: experimental
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
@ -16,6 +15,7 @@ detection:
        ImagePath|contains: 'tap0901'
    condition: selection
 ---
 id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
 logsource:
    product: windows
    service: system
@ -23,10 +23,12 @@ detection:
    selection:
        EventID: 7045
 ---
 id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
 logsource:
    product: windows
    category: driver_load
 ---
 id: 9c8afa4d-0022-48f0-9456-3712466f9701
 logsource:
    product: windows
    service: security
--- a/rules/windows/file_event/sysmon_hack_dumpert.yml
+++ b/rules/windows/file_event/sysmon_hack_dumpert.yml
@ -1,6 +1,5 @@
 action: global
 title: Dumpert Process Dumper
 id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
 description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
 author: Florian Roth
 references:
@ -16,6 +15,7 @@ falsepositives:
    - Very unlikely
 level: critical
 ---
 id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
 logsource:
    category: process_creation
    product: windows
@ -24,6 +24,7 @@ detection:
        Imphash: '09D278F9DE118EF09163C6140255C690'
    condition: selection
 ---
 id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
 logsource:
    category: file_event
    product: windows
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@ -15,3 +15,6 @@ detection:
 falsepositives:
    - unknown
 level: high
 tags:
    - attack.command_and_control
    - attack.t1219
--- a/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml
@ -0,0 +1,25 @@
 title: UAC Bypass Using Cleanmgr Temp File Creation
 id: 6a8a8a65-15ac-4722-adb7-c93c213c180a
 description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        Image: 'C:\Windows\system32\cleanmgr.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: '.dll'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_consent_comctl32.yml
@ -0,0 +1,23 @@
 title: UAC Bypass Using Consent and Comctl32 - File
 id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
 description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
 author: Christian Burkard
 date: 2021/08/23
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
        TargetFilename|endswith: '\comctl32.dll'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_dotnet_profiler.yml
@ -0,0 +1,23 @@
 title: UAC Bypass Using .NET Code Profiler on MMC
 id: 93a19907-d4f9-4deb-9f91-aac4692776a6
 description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_ieinstal.yml
@ -0,0 +1,25 @@
 title: UAC Bypass Using IEInstal - File
 id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
 description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'consent.exe'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_msconfig_gui.yml
@ -0,0 +1,23 @@
 title: UAC Bypass Using MSConfig Token Modification - File
 id: 41bb431f-56d8-4691-bb56-ed34e390906f
 description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_ntfs_reparse_point.yml
@ -0,0 +1,23 @@
 title: UAC Bypass Using NTFS Reparse Point - File
 id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
 description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_winsat.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_winsat.yml
@ -0,0 +1,25 @@
 title: UAC Bypass Abusing Winsat Path Parsing - File
 id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 author: Christian Burkard
 date: 2021/08/30
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith:
            - '\AppData\Local\Temp\system32\winsat.exe'
            - '\AppData\Local\Temp\system32\winmm.dll'
    condition: selection
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/file_event/sysmon_uac_bypass_wmp.yml
+++ b/rules/windows/file_event/sysmon_uac_bypass_wmp.yml
@ -0,0 +1,26 @@
 title: UAC Bypass Using Windows Media Player - File
 id: 68578b43-65df-4f81-9a9b-92f32711a951
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 author: Christian Burkard
 date: 2021/08/23
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
 logsource:
    category: file_event
    product: windows
 detection:
    selection1:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
    selection2:
        Image: 'C:\Windows\system32\DllHost.exe'
        TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
@ -23,7 +23,7 @@ detection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
-        Image|endswith: 
+        Image|endswith:
            - '\msbuild.exe'
            - '\cmd.exe'
            - '\svchost.exe'
@ -53,7 +53,7 @@ detection:
        Signed: "FALSE"
    filter:
        Image|contains: 'Visual Studio'
-    condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)
+    condition: (signedprocess and not filter) or (unsignedprocess and not filter)
 fields:
    - ComputerName
    - User
--- a/rules/windows/image_load/sysmon_tttracer_mod_load.yml
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@ -1,6 +1,5 @@
 action: global
 title: Time Travel Debugging Utility Usage
 id: e76c8240-d68f-4773-8880-5c6f63595aaf
 description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
@ -19,6 +18,7 @@ falsepositives:
    - Legitimate usage by software developers/testers
 level: high
 ---
 id: e76c8240-d68f-4773-8880-5c6f63595aaf
 logsource:
    product: windows
    category: image_load
@ -29,6 +29,7 @@ detection:
          - '\ttdwriter.dll'
          - '\ttdloader.dll'
 ---
 id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
 logsource:
    product: windows
    category: process_creation
--- a/rules/windows/image_load/win_susp_svchost_clfsw32.yml
+++ b/rules/windows/image_load/win_susp_svchost_clfsw32.yml
@ -0,0 +1,19 @@
 title: APT PRIVATELOG Image Load Pattern
 id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
 status: experimental
 description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
 references:
    - https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
 author: Florian Roth
 date: 2021/09/07
 logsource:
    category: image_load
    product: windows
 detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\clfsw32.dll'
    condition: selection
 falsepositives:
    - Rarely observed
 level: high
--- a/rules/windows/malware/av_hacktool.yml
+++ b/rules/windows/malware/av_hacktool.yml
@ -23,3 +23,5 @@ fields:
 falsepositives:
    - Unlikely
 level: high
 tags:
    - attack.execution
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@ -72,3 +72,6 @@ fields:
 falsepositives:
    - Unlikely
 level: high
 tags:
    - attack.resource_development
    - attack.t1588
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@ -1,6 +1,5 @@
 action: global
 title: Blue Mockingbird
 id: c3198a27-23a0-4c2c-af19-e5328d49680e
 status: experimental
 description: Attempts to detect system changes made by Blue Mockingbird
 references:
@ -17,6 +16,7 @@ level: high
 detection:
    condition: 1 of them
 ---
 id: c3198a27-23a0-4c2c-af19-e5328d49680e
 logsource:
    category: process_creation
    product: windows
@ -27,6 +27,7 @@ detection:
      - 'sc config'
      - 'wercplsupporte.dll'
 ---
 id: ce239692-aa94-41b3-b32f-9cab259c96ea
 logsource:
  category: process_creation
  product: windows
@ -35,6 +36,7 @@ detection:
    Image|endswith: '\wmic.exe'
    CommandLine|endswith: 'COR_PROFILER'
 ---
 id: 92b0b372-a939-44ed-a11b-5136cf680e27
 logsource:
  product: windows
  category: registry_event
--- a/rules/windows/malware/win_mal_darkside.yml
+++ b/rules/windows/malware/win_mal_darkside.yml
@ -26,3 +26,6 @@ falsepositives:
    - Unknown
    - UAC bypass method used by other malware
 level: critical
 tags:
    - attack.execution
    - attack.t1204
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@ -24,3 +24,6 @@ detection:
 falsepositives:
    - Unlikely
 level: critical
 tags:
    - attack.execution
    - attack.t1204
--- a/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/sysmon_regsvr32_network_activity.yml
@ -1,6 +1,5 @@
 action: global
 title: Regsvr32 Network Activity
 id: c7e91a02-d771-4a6d-a700-42587e0b1095
 description: Detects network connections and DNS queries initiated by Regsvr32.exe
 references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
@ -31,10 +30,12 @@ falsepositives:
    - unknown
 level: high
 ---
 id: c7e91a02-d771-4a6d-a700-42587e0b1095
 logsource:
    category: network_connection
    product: windows
 ---
 id: 36e037c4-c228-4866-b6a3-48eb292b9955
 logsource:
    category: dns_query
    product: windows
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml
@ -31,3 +31,6 @@ detection:
 falsepositives:
    - unknown
 level: high
 tags:
    - attack.command_and_control
    - attack.t1105 
--- a/rules/windows/other/win_defender_amsi_trigger.yml
+++ b/rules/windows/other/win_defender_amsi_trigger.yml
@ -17,4 +17,7 @@ detection:
    condition: selection
 falsepositives:
    - unlikely
-level: high
+level: high
 tags:
    - attack.execution
    - attack.t1059 
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
@ -1,6 +1,5 @@
 action: global
 title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
 modified: 2021/07/05
@ -16,7 +15,8 @@ tags:
 falsepositives:
    - Administrator actions
 level: high
---    
+---
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 logsource:
    product: windows
    service: windefend
@ -35,6 +35,7 @@ detection:
        Details: 'DWORD (0x00000001)'
    condition: 1 of them
 ---
 id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
 logsource:
    product: windows
    category: registry_event
@ -45,6 +46,7 @@ detection:
        Details: 'DWORD (0x00000001)'
    condition: tamper_registry
 ---
 id: 6c0a7755-6d31-44fa-80e1-133e57752680
 logsource:
    product: windows
    category: system
--- a/rules/windows/other/win_defender_exclusions.yml
+++ b/rules/windows/other/win_defender_exclusions.yml
@ -1,6 +1,5 @@
 action: global
 title: Windows Defender Exclusions Added
 id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 description: Detects the Setting of Windows Defender Exclusions
 date: 2021/07/06
 author: Christian Burkard
@ -15,24 +14,22 @@ falsepositives:
    - Administrator actions
 level: medium
 ---
 id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 logsource:
    product: windows
    service: windefend
 detection:
    selection1:
-        EventID:
+        EventID: 5007
-            - 5007
+        New Value|contains: '\Microsoft\Windows Defender\Exclusions'
        New Value|contains:
            - '\Microsoft\Windows Defender\Exclusions'
    condition: selection1
 ---
 id: a982fc9c-6333-4ffb-a51d-addb04e8b529
 logsource:
    product: windows
    category: registry_event
 detection:
    selection2:
-        EventID:
+        EventID: 13
-            - 13
+        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
        TargetObject|contains:
            - '\Microsoft\Windows Defender\Exclusions'
    condition: selection2
--- a/rules/windows/other/win_defender_threat.yml
+++ b/rules/windows/other/win_defender_threat.yml
@ -20,3 +20,6 @@ detection:
 falsepositives:
    - unlikely
 level: high
 tags:
    - attack.execution
    - attack.t1059 
--- a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
@ -0,0 +1,23 @@
 title: Remove Exported Mailbox from Exchange Webserver
 id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
 status: experimental
 description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
 references:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard
 date: 2021/08/27
 logsource:        
    service: msexchange-management
    product: windows
 detection:
    command: 
        - 'Remove-MailboxExportRequest'
        - ' -Identity '
        - ' -Confirm "False"'
    condition: all of command
 falsepositives:
    - unknown
 level: high
 tags:
    - attack.defense_evasion
    - attack.t1070
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@ -1,6 +1,5 @@
 action: global
 title: PsExec Tool Execution
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
@ -28,6 +27,7 @@ falsepositives:
    - unknown
 level: low
 ---
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 logsource:
    product: windows
    service: system
@ -40,6 +40,7 @@ detection:
        EventID: 7036
        ServiceName: 'PSEXESVC'
 ---
 id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
 logsource:
    category: process_creation
    product: windows
@ -50,6 +51,7 @@ detection:
            - 'NT AUTHORITY\SYSTEM'
            - 'AUTORITE NT\Sys' # French language settings
 ---
 id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
 logsource:
     category: pipe_created
     product: windows
@ -57,6 +59,7 @@ detection:
     sysmon_pipecreated:
         PipeName: '\PSEXESVC'
 ---
 id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
 logsource:
     category: file_event
     product: windows
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@ -1,6 +1,5 @@
 action: global
 title: WMI Persistence
 id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
 author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
@ -18,6 +17,7 @@ falsepositives:
    - Unknown (data set is too small; further testing needed)
 level: medium
 ---
 id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
 logsource:
    product: windows
    service: wmi #native windows detection
@ -34,6 +34,7 @@ detection:
        EventID: 5859
    condition: (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration)
 ---
 id: f033f3f3-fd24-4995-97d8-a3bb17550a88
 logsource:
    product: windows
    service: security
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@ -16,7 +16,7 @@ tags:
 logsource:
   product: windows
   category: pipe_created
-   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
   selection_MSSE:
      PipeName|contains|all: 
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike_re.yml
@ -6,7 +6,7 @@ references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 date: 2021/07/30
-modifed: 2021/08/26
+modified: 2021/09/02
 author: Florian Roth
 tags:
    - attack.defense_evasion
@ -15,34 +15,28 @@ tags:
 logsource:
   product: windows
   category: pipe_created
-   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
   selection:
-      - PipeName|re: '\\mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}'
+      - PipeName|re: '\\\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
-      - PipeName|re: '\\mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}'
+      - PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}'
-      - PipeName|re: '\\wkssvc[0-9a-f]{2}'
+      - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
-      - PipeName|re: '\\wkssvc_[0-9a-f]{2}'
+      - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
-      - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
+      - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
-      - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
+      - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
-      - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
+      - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
-      - PipeName|re: '\\mypipe\-f[0-9a-f]{2}'
+      - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
-      - PipeName|re: '\\mypipe\-h[0-9a-f]{2}'
+      - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
-      - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2}'
+      - PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}'
-      - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
+      - PipeName|re: '\\\\MsFteWds[0-9a-f]{2}'
-      - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
+      - PipeName|re: '\\\\f4c3[0-9a-f]{2}'
-      - PipeName|re: '\\scerpc_[0-9a-f]{2}'
+      - PipeName|re: '\\\\fullduplex_[0-9a-f]{2}'
-      - PipeName|re: '\\scerpc[0-9a-f]{2}'
+      - PipeName|re: '\\\\msrpc_[0-9a-f]{4}'
-      - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
+      - PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}'
-      - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
+      - PipeName|re: '\\\\f53f[0-9a-f]{2}'
-      - PipeName|re: '\\f4c3[0-9a-f]{2}'
+      - PipeName|re: '\\\\rpc_[0-9a-f]{2}'
-      - PipeName|re: '\\fullduplex_[0-9a-f]{2}'
+      - PipeName|re: '\\\\spoolss_[0-9a-f]{2}'
-      - PipeName|re: '\\msrpc_[0-9a-f]{4}'
+      - PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'
      - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
      - PipeName|re: '\\f53f[0-9a-f]{2}'
      - PipeName|re: '\\rpc_[0-9a-f]{2}'
      - PipeName|re: '\\spoolss_[0-9a-f]{2}'
      - PipeName|re: '\\windows\.update\.manager[0-9a-f]{3}'
      - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
   condition: selection
 falsepositives:
   - Unknown
--- a/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
+++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml
@ -34,6 +34,7 @@ detection:
         - '\Posh*' #PoshC2 default 
         - '\jaccdpqnvbrrxlaf' #PoshC2 default 
         - '\csexecsvc' #CSEXEC default
         - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake https://github.com/RiccardoAncarani/LiquidSnake
   condition: selection
 tags:
    - attack.defense_evasion
--- a/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
+++ b/rules/windows/pipe_created/sysmon_susp_cobaltstrike_pipe_patterns.yml
@ -15,7 +15,7 @@ tags:
 logsource:
   product: windows
   category: pipe_created
-   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.'
+   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
   selection_malleable_profiles:
      - PipeName|startswith:
--- a/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/sysmon_susp_wmi_consumer_namedpipe.yml
@ -0,0 +1,19 @@
 title: WMI Event Consumer Created Named Pipe
 id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
 status: experimental
 description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
 references:
    - https://github.com/RiccardoAncarani/LiquidSnake
 date: 2021/09/01
 author: Florian Roth
 logsource:
   product: windows
   category: pipe_created
   definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself or use this extended version that logs the Named Pipes used in this Sigma repo (https://github.com/Neo23x0/sysmon-config)'
 detection:
   selection:
      Image|endswith: '\scrcons.exe'
   condition: selection
 falsepositives:
   - Unknown
 level: high
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@ -1,6 +1,5 @@
 action: global
 title: Alternate PowerShell Hosts
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
@ -18,6 +17,7 @@ falsepositives:
    - Citrix ConfigSync.ps1
 level: medium   
 ---
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
 logsource:
    product: windows
    service: powershell
@ -30,6 +30,7 @@ detection:
        ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
    condition: selection and not filter        
 ---
 id: d7326048-328b-4d5e-98af-86e84b17c765
 logsource:
    product: windows
    service: powershell-classic
--- a/rules/windows/powershell/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@ -1,8 +1,9 @@
 title: PrintNightmare Powershell Exploitation
 id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
-status: experimental
+status: test
 description: Detects Commandlet name for PrintNightmare exploitation.
 date: 2021/08/09
 modified: 2021/08/31
 references:
    - https://github.com/calebstewart/CVE-2021-1675
 author: Max Altgelt, Tobias Michalski
@ -13,8 +14,10 @@ logsource:
 detection:
  selection:
      EventID: 4104
-      ScriptBlockText: Invoke-Nightmare
+      ScriptBlockText|contains: Invoke-Nightmare
  condition: selection
 falsepositives:
    - Unknown
 level: high
 tags:
    - attack.privilege_escalation
--- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml
@ -23,7 +23,7 @@ detection:
        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
+        - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
        - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
    selection_3:
@ -33,7 +33,7 @@ detection:
        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - Payload|re: '\*mdr\*\W\s*\)\.Name'
+        - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\String\]\s*\$VerbosePreference'
    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@ -4,6 +4,7 @@ status: experimental
 description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
 references:
    - http://www.powertheshell.com/ntfsstreams/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
 tags:
    - attack.defense_evasion
    - attack.t1564.004
--- a/Show More
+++ b/Show More