dataStore.json

{
    "rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml",
        "creation_Date": "2024-08-07T17:54:57.119559",
        "modification_Date": "2024-08-07T20:37:07.379109",
        "lastUpdate_Date": "2024-08-07T20:37:07.379117",
        "sigmaRule": "title: AgentExecutor PowerShell Execution\nid: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61\nrelated:\n    - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab\n      type: similar\nstatus: test\ndescription: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument\nauthor: Nasreddine Bencherchali (Nextron Systems), memory-shards\nreferences:\n    - https://twitter.com/lefterispan/status/1286259016436514816\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/\n    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\n    - https://twitter.com/jseerden/status/1247985304667066373/photo/1\ndate: 2022/12/24\nmodified: 2024/08/07\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image: '\\AgentExecutor.exe'\n        - OriginalFileName: 'AgentExecutor.exe'\n    selection_cli:\n        # Example:\n        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]\n        # Note:\n        #   - If [timeoutSeconds] is NULL then it defaults to 60000\n        #   - If [enforceSignatureCheck] is:\n        #       - \"NULL\" or \"1\" then a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy allsigned -file \"\n        #       - Else a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy bypass -file \"\n        #   - [powershellPath] is always concatendated to \"powershell.exe\"\n        CommandLine|contains:\n            - ' -powershell' # Also covers the \"-powershellDetection\" flag\n            - ' -remediationScript'\n    filter_main_intune:\n        ParentImage|endswith: '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of the AgentExecutor.exe binary, which can be abused to execute PowerShell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in a specified path. It provides detection criteria for the process creation event on Windows systems, including command line arguments and parent process filtering. The rule includes references and information on how to adjust for false positives related to legitimate use via Intune management.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4955 from @joshnck - Fix `agentexecutor.exe` related rules"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml",
        "creation_Date": "2024-08-07T17:54:58.773900",
        "modification_Date": "2024-08-07T20:37:07.379197",
        "lastUpdate_Date": "2024-08-07T20:37:07.379203",
        "sigmaRule": "title: Suspicious AgentExecutor PowerShell Execution\nid: c0b40568-b1e9-4b03-8d6c-b096da6da9ab\nrelated:\n    - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61\n      type: similar\nstatus: test\ndescription: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument\nauthor: Nasreddine Bencherchali (Nextron Systems), memory-shards\nreferences:\n    - https://twitter.com/lefterispan/status/1286259016436514816\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/\n    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\n    - https://twitter.com/jseerden/status/1247985304667066373/photo/1\ndate: 2022/12/24\nmodified: 2024/08/07\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\AgentExecutor.exe'\n        - OriginalFileName: 'AgentExecutor.exe'\n    selection_cli:\n        # Example:\n        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]\n        # Note:\n        #   - If [timeoutSeconds] is NULL then it defaults to 60000\n        #   - If [enforceSignatureCheck] is:\n        #       - \"NULL\" or \"1\" then a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy allsigned -file \"\n        #       - Else a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy bypass -file \"\n        #   - [powershellPath] is always concatendated to \"powershell.exe\"\n        CommandLine|contains:\n            - ' -powershell' # Also covers the \"-powershellDetection\" flag\n            - ' -remediationScript'\n    filter_main_pwsh:\n        CommandLine|contains:\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\'\n    filter_main_intune:\n        ParentImage|endswith: '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution of the AgentExecutor.exe binary, which can be used as a LOLBIN to execute PowerShell scripts with the \"Bypass\" ExecutionPolicy or any binary named \"powershell.exe\" located in a specific path. The rule includes specific indicators in the process creation logs to identify this suspicious activity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4955 from @joshnck - Fix `agentexecutor.exe` related rules"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml",
        "creation_Date": "2024-08-07T17:54:59.815710",
        "modification_Date": "2024-08-07T20:37:07.393284",
        "lastUpdate_Date": "2024-08-07T20:37:07.393290",
        "sigmaRule": "title: Potential Persistence Via Outlook Home Page\nid: ddd171b5-2cc6-4975-9e78-f0eccd08cc76\nrelated:\n    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1\n      type: similar\nstatus: test\ndescription: |\n    Detects potential persistence activity via outlook home page.\n    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70\n    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us\n    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change\nauthor: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand\ndate: 2021/06/09\nmodified: 2024/08/07\ntags:\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Software\\Microsoft\\Office\\'\n            - '\\Outlook\\WebView\\'\n        TargetObject|endswith: '\\URL'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects potential persistence activity via the Outlook home page, where an attacker can set a custom home page to achieve code execution and persistence by editing the WebView registry keys. The rule looks for registry changes in the path '\\Software\\Microsoft\\Office\\' and '\\Outlook\\WebView\\' that end with '\\URL'. The detection level is high, and there are no known false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4941 from @dbertho - Update Outlook Persistence related rules / Specula"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml",
        "creation_Date": "2024-08-07T17:55:01.204876",
        "modification_Date": "2024-08-07T20:37:07.393370",
        "lastUpdate_Date": "2024-08-07T20:37:07.393374",
        "sigmaRule": "title: Potential Persistence Via Outlook Today Page\nid: 487bb375-12ef-41f6-baae-c6a1572b4dd1\nrelated:\n    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76\n      type: similar\nstatus: test\ndescription: |\n    Detects potential persistence activity via outlook today page.\n    An attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74\n    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change\nauthor: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand\ndate: 2021/06/10\nmodified: 2024/08/07\ntags:\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_main:\n        TargetObject|contains|all:\n            - 'Software\\Microsoft\\Office\\'\n            - '\\Outlook\\Today\\'\n    selection_value_stamp:\n        TargetObject|endswith: '\\Stamp'\n        Details: 'DWORD (0x00000001)'\n    selection_value_url:\n        TargetObject|endswith:\n            - '\\URL'\n            - '\\UserDefinedUrl'\n    filter_main_office:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects potential persistence activity via the Outlook Today page by monitoring registry values \"URL\" and \"UserDefinedUrl\" for arbitrary code execution. The rule looks for specific registry paths and values related to Microsoft Office, excluding certain known legitimate processes associated with Office. The rule has a high level of detection and was authored by Tobias Michalski, David Bertho, and Eirik Sveen from Storebrand.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4941 from @dbertho - Update Outlook Persistence related rules / Specula"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml",
        "creation_Date": "2024-08-07T17:55:02.703396",
        "modification_Date": "2024-08-07T20:37:07.407924",
        "lastUpdate_Date": "2024-08-07T20:37:07.407930",
        "sigmaRule": "title: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nrelated:\n    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\nreferences:\n    - https://twitter.com/GelosSnake/status/934900723426439170\n    - https://asec.ahnlab.com/en/39828/\nauthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2017/11/27\nmodified: 2024/07/16\ntags:\n    - attack.defense_evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\atbroker.exe'\n            - '\\audiodg.exe'\n            - '\\bcdedit.exe'\n            - '\\bitsadmin.exe'\n            - '\\certreq.exe'\n            - '\\certutil.exe'\n            - '\\cmstp.exe'\n            - '\\conhost.exe'\n            - '\\consent.exe'\n            - '\\cscript.exe'\n            - '\\csrss.exe'\n            - '\\dashost.exe'\n            - '\\defrag.exe'\n            - '\\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/\n            - '\\dism.exe'\n            - '\\dllhost.exe'\n            - '\\dllhst3g.exe'\n            - '\\dwm.exe'\n            - '\\eventvwr.exe'\n            - '\\logonui.exe'\n            - '\\LsaIso.exe'\n            - '\\lsass.exe'\n            - '\\lsm.exe'\n            - '\\msiexec.exe'\n            - '\\ntoskrnl.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\runonce.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\schtasks.exe'\n            - '\\services.exe'\n            - '\\sihost.exe'\n            - '\\smartscreen.exe'\n            - '\\smss.exe'\n            - '\\spoolsv.exe'\n            - '\\svchost.exe'\n            - '\\taskhost.exe'\n            - '\\Taskmgr.exe'\n            - '\\userinit.exe'\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n            - '\\winver.exe'\n            - '\\wlanext.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n            - '\\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\uus\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_system32:\n        Image|contains: '\\SystemRoot\\System32\\'\n    filter_main_powershell:\n        Image:\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n    filter_main_wsl_windowsapps:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux'\n        Image|endswith: '\\wsl.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects the execution of a Windows system binary from an uncommon location, which could indicate a potential security threat. The rule specifies a list of system binaries to monitor and includes filters for common system directories, PowerShell, and Windows Subsystem for Linux. If the binary is executed from an unexpected location, the rule triggers an alert.",
        "modification_count": 7,
        "comment_history": [
            "Merge PR #4946 from @swachchhanda000 - Add `Suspicious Process Masquerading As SvcHost.EXE`",
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml",
        "creation_Date": "2024-08-07T17:55:03.929090",
        "modification_Date": "2024-08-07T20:37:07.408005",
        "lastUpdate_Date": "2024-08-07T20:37:07.408009",
        "sigmaRule": "title: Suspicious Process Masquerading As SvcHost.EXE\nid: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd\nrelated:\n    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\n      type: similar\n    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915\n      type: similar\nstatus: experimental\ndescription: |\n    Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\n    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\nreferences:\n    - https://tria.ge/240731-jh4crsycnb/behavioral2\n    - https://redcanary.com/blog/threat-detection/process-masquerading/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024/08/07\ntags:\n    - attack.defense_evasion\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n    filter_main_img_location:\n        Image:\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\SysWOW64\\svchost.exe'\n    filter_main_ofn:\n        OriginalFileName: 'svchost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects a suspicious process masquerading as the legitimate \"svchost.exe\" by using that name for its binary and executing from an uncommon location. Adversaries often use this tactic to avoid detection. The rule provides filters based on image location and original file name to reduce false positives. The detection level is high, and false positives are considered unlikely.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4946 from @swachchhanda000 - Add `Suspicious Process Masquerading As SvcHost.EXE`"
        ]
    },
    "rules/windows/image_load/image_load_side_load_dbgmodel.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_dbgmodel.yml",
        "creation_Date": "2024-08-07T17:55:05.908394",
        "modification_Date": "2024-08-07T20:37:07.421380",
        "lastUpdate_Date": "2024-08-07T20:37:07.421385",
        "sigmaRule": "title: Potential DLL Sideloading Of DbgModel.DLL\nid: fef394cd-f44d-4040-9b18-95d92fe278c0\nstatus: experimental\ndescription: Detects potential DLL sideloading of \"DbgModel.dll\"\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html\nauthor: Gary Lobermier\ndate: 2024/07/11\nmodified: 2024/08/06\ntags:\n    - attack.defense_evasion\n    - attack.t1574.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbgmodel.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_windbg:\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_'\n    filter_optional_windows_kits:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n            - 'C:\\Program Files\\Windows Kits\\'\n    filter_optional_dell_instrumentation:\n        ImageLoaded|startswith: 'C:\\Program Files\\Dell\\DTP\\InstrumentationSubAgent\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential DLL sideloading of \"DbgModel.dll\" by monitoring image loads in Windows systems. It provides filters for specific file paths where the DLL should be loaded from to reduce false positives. The rule was authored by Gary Lobermier and last modified on August 6, 2024. The level of severity is marked as medium.",
        "modification_count": 7,
        "comment_history": [
            "Merge PR #4952 from @joshnck - Fix `Potential DLL Sideloading Of DbgModel.DLL`",
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing",
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/builtin/security/win_security_atsvc_task.yml": {
        "filename": "rules/windows/builtin/security/win_security_atsvc_task.yml",
        "creation_Date": "2024-08-07T17:55:07.074734",
        "modification_Date": "2024-08-07T20:37:07.433727",
        "lastUpdate_Date": "2024-08-07T20:37:07.433733",
        "sigmaRule": "title: Remote Task Creation via ATSVC Named Pipe\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\nstatus: test\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\nreferences:\n    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nauthor: Samir Bousseaden\ndate: 2019/04/03\nmodified: 2024/08/01\ntags:\n    - attack.lateral_movement\n    - attack.persistence\n    - car.2013-05-004\n    - car.2015-04-001\n    - attack.t1053.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: atsvc\n        AccessList|contains: 'WriteData'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects remote task creation via at.exe or API interacting with ATSVC named pipe on a Windows security service. The rule looks for certain Event IDs, Share Names, and access permissions to identify this activity. The rule level is medium and there are currently no known false positives. It was authored by Samir Bousseaden and last modified on 2024/08/01.",
        "modification_count": 6,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`",
            "Merge PR #4945 from @GtUGtHGtNDtEUaE - Fix typo in field name for rules leveraging EID 5145"
        ]
    },
    "rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml": {
        "filename": "rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml",
        "creation_Date": "2024-08-07T17:55:08.792096",
        "modification_Date": "2024-08-07T20:37:07.433814",
        "lastUpdate_Date": "2024-08-07T20:37:07.433818",
        "sigmaRule": "title: Persistence and Execution at Scale via GPO Scheduled Task\nid: a8f29a7b-b137-4446-80a0-b804272f3da2\nstatus: test\ndescription: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale\nreferences:\n    - https://twitter.com/menasec1/status/1106899890377052160\n    - https://www.secureworks.com/blog/ransomware-as-a-distraction\nauthor: Samir Bousseaden\ndate: 2019/04/03\nmodified: 2024/08/01\ntags:\n    - attack.persistence\n    - attack.lateral_movement\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\SYSVOL' # looking for the string \\\\*\\SYSVOL\n        RelativeTargetName|endswith: 'ScheduledTasks.xml'\n        AccessList|contains:\n            - 'WriteData'\n            - '%%4417'\n    condition: selection\nfalsepositives:\n    - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks\nlevel: high\n",
        "summary": "This Sigma Rule detects lateral movement using GPO scheduled tasks, commonly used to deploy ransomware at scale. It looks for EventID 5145 with a ShareName containing \\\\*\\SYSVOL, ending with ScheduledTasks.xml, and containing specific access permissions. False positives may occur if the source IP is not localhost, so monitoring both local and remote changes to GPO scheduled tasks is recommended.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4945 from @GtUGtHGtNDtEUaE - Fix typo in field name for rules leveraging EID 5145"
        ]
    },
    "rules/windows/builtin/security/win_security_svcctl_remote_service.yml": {
        "filename": "rules/windows/builtin/security/win_security_svcctl_remote_service.yml",
        "creation_Date": "2024-08-07T17:55:09.918386",
        "modification_Date": "2024-08-07T20:37:07.433877",
        "lastUpdate_Date": "2024-08-07T20:37:07.433880",
        "sigmaRule": "title: Remote Service Activity via SVCCTL Named Pipe\nid: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3\nstatus: test\ndescription: Detects remote service activity via remote access to the svcctl named pipe\nreferences:\n    - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html\nauthor: Samir Bousseaden\ndate: 2019/04/03\nmodified: 2024/08/01\ntags:\n    - attack.lateral_movement\n    - attack.persistence\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: svcctl\n        AccessList|contains: 'WriteData'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects remote service activity via remote access to the svcctl named pipe on a Windows system. It looks for specific event logs with EventID 5145, checking for the presence of '\\\\*\\IPC$' in ShareName, 'svcctl' in RelativeTargetName, and 'WriteData' in AccessList. The rule requires the advanced audit policy setting \"Object Access > Audit Detailed File Share\" to be configured for Success/Failure. The rule's author is Samir Bousseaden and it was last modified on August 1, 2024.",
        "modification_count": 6,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`",
            "Merge PR #4945 from @GtUGtHGtNDtEUaE - Fix typo in field name for rules leveraging EID 5145"
        ]
    },
    "rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml": {
        "filename": "rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml",
        "creation_Date": "2024-08-07T17:55:12.036927",
        "modification_Date": "2024-08-07T20:37:07.446400",
        "lastUpdate_Date": "2024-08-07T20:37:07.446405",
        "sigmaRule": "title: Userdomain Variable Enumeration\nid: 43311e65-84d8-42a5-b3d4-c94d9b67038f\nstatus: test\ndescription: Detects suspicious enumeration of the domain the user is associated with.\nreferences:\n    - https://www.arxiv-vanity.com/papers/2008.04676/\n    - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2023/02/09\nmodified: 2024/08/01\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'echo '\n        CommandLine|contains|expand: '%userdomain%'\n    condition: selection\nfalsepositives:\n    - Certain scripts or applications may leverage this.\nlevel: low\n",
        "summary": "This Sigma Rule detects suspicious enumeration of the domain the user is associated with by looking for processes that contain the 'echo' command and the user domain variable. This can indicate potential malicious activity. False positives may occur with legitimate scripts or applications that use this functionality.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4944 from @YamatoSecurity - Add missing `expand` modifier"
        ]
    },
    "rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml": {
        "filename": "rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml",
        "creation_Date": "2024-08-07T17:55:13.005405",
        "modification_Date": "2024-08-07T20:37:07.459034",
        "lastUpdate_Date": "2024-08-07T20:37:07.459042",
        "sigmaRule": "title: Potential Raspberry Robin Aclui Dll SideLoading\nid: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a\nstatus: experimental\ndescription: |\n    Detects potential sideloading of malicious \"aclui.dll\" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.\nreferences:\n    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/\n    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/\n    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/\n    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n    - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024/07/31\ntags:\n    - detection.emerging_threats\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1574.001\n    - attack.t1574.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\OleView.exe'\n        ImageLoaded|endswith: '\\aclui.dll'\n    filter_main_legit_oleview_paths:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n            - 'C:\\Program Files\\Microsoft SDKs\\'\n    filter_optional_known_oleview_paths:\n        Image|contains: '\\Windows Resource Kit\\'\n    filter_main_is_signed:\n        Signed: 'true'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects potential sideloading of malicious \"aclui.dll\" by OleView, as observed in Raspberry-Robin variants reported by chekpoint research in February 2024. The rule specifies selection criteria for image loading and filters out legitimate OleView paths, requiring the image to not meet any of the filter conditions to trigger the detection. The rule is tagged for emerging threats, defense evasion, privilege escalation, and specific attack techniques.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs"
        ]
    },
    "rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml": {
        "filename": "rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml",
        "creation_Date": "2024-08-07T17:55:14.313744",
        "modification_Date": "2024-08-07T20:37:07.459125",
        "lastUpdate_Date": "2024-08-07T20:37:07.459131",
        "sigmaRule": "title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap\nid: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43\nstatus: experimental\ndescription: |\n    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.\n    Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.\nreferences:\n    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt\n    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect\n    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024/07/31\ntags:\n    - detection.emerging_threats\n    - attack.t1112\n    - attack.defense_evasion\nlogsource:\n    category: registry_set\n    product: windows\n    definition: 'Requirements: The registry key \"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\" and its sub keys must be monitored'\ndetection:\n    selection_registry_image:\n        - Image|contains:\n              - '\\AppData\\Local\\Temp\\'\n              - '\\Downloads\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n        - Image|endswith: '\\control.exe'\n    selection_registry_object:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\'\n    selection_value_enable:\n        TargetObject|endswith:\n            - '\\IntranetName'\n            - '\\ProxyByPass'\n            - '\\UNCAsIntranet'\n        Details|contains: 'DWORD (0x00000001)'\n    selection_value_disable:\n        TargetObject|endswith: '\\AutoDetect'\n        Details|contains: 'DWORD (0x00000000)'\n    condition: all of selection_registry_* and 1 of selection_value_*\nfalsepositives:\n    - Unknown\n# Note: can be upgraded to medium after an initial baseline\nlevel: low\n",
        "summary": "This Sigma Rule detects registry modifications related to proxy configuration on a system, potentially linked to the Raspberry Robin malware. The malware may change proxy settings to bypass security measures and maintain control over compromised systems. The rule specifies criteria for monitoring registry keys and values to identify unauthorized changes. It provides references to behavioral patterns associated with Raspberry Robin and recommends monitoring specific registry keys related to Internet Settings ZoneMap. The rule is classified as experimental and has a low level of severity but can be upgraded to medium after establishing a baseline.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs"
        ]
    },
    "rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml": {
        "filename": "rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml",
        "creation_Date": "2024-08-07T17:55:16.205407",
        "modification_Date": "2024-08-07T20:37:07.489222",
        "lastUpdate_Date": "2024-08-07T20:37:07.489227",
        "sigmaRule": "title: DMP/HDMP File Creation\nid: 3a525307-d100-48ae-b3b9-0964699d7f97\nstatus: test\ndescription: Detects the creation of a file with the \".dmp\"/\".hdmp\" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/07\ntags:\n    - attack.defense_evasion\n    - detection.threat_hunting\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: selection\nfalsepositives:\n    - Likely during crashes of software\nlevel: low\n",
        "summary": "This Sigma Rule detects the creation of files with the \".dmp\"/\".hdmp\" extension, which are often created by software during a crash. Memory dumps can contain sensitive information such as credentials. It is recommended to determine the source of the crash. The rule applies to Windows file events and has a low severity level.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml": {
        "filename": "rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml",
        "creation_Date": "2024-08-07T17:55:17.192458",
        "modification_Date": "2024-08-07T20:37:07.489306",
        "lastUpdate_Date": "2024-08-07T20:37:07.489310",
        "sigmaRule": "title: Scheduled Task Created - FileCreation\nid: a762e74f-4dce-477c-b023-4ed81df600f9\nstatus: test\ndescription: Detects the creation of a scheduled task via file creation.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/\n    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023/09/27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1053.005\n    - attack.s0111\n    - car.2013-08-001\n    - detection.threat_hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n    condition: selection\nfalsepositives:\n    - Normal behaviour on Windows\nlevel: low\n",
        "summary": "The Sigma rule detects the creation of a scheduled task through file creation on a Windows system. It provides references to resources for further information on task scheduling and abstracting scheduled tasks. The rule is authored by the Center for Threat Informed Defense (CTID) Summiting the Pyramid Team and is tagged for various types of attacks and detections. The rule specifies that normal behavior on Windows may trigger false positives and is rated as a low-level detection.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml",
        "creation_Date": "2024-08-07T17:55:18.649440",
        "modification_Date": "2024-08-07T20:37:07.489376",
        "lastUpdate_Date": "2024-08-07T20:37:07.489380",
        "sigmaRule": "title: Diskshadow Child Process Spawned\nid: 56b1dde8-b274-435f-a73a-fb75eb81262a\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects any child process spawning from \"Diskshadow.exe\". This could be due to executing Diskshadow in interpreter mode or script mode and using the \"exec\" flag to launch other applications.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\nauthor: Harjot Singh @cyb3rjy0t\ndate: 2023/09/15\ntags:\n    - attack.defense_evasion\n    - attack.t1218\n    - attack.execution\n    - detection.threat_hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\diskshadow.exe'\n    filter_main_werfault:\n        Image|endswith: ':\\Windows\\System32\\WerFault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Likely from legitimate usage of Diskshadow in Interpreter mode.\nlevel: medium\n",
        "summary": "This Sigma Rule detects any child process spawning from \"Diskshadow.exe\", which could indicate the use of Diskshadow in interpreter mode or script mode with the \"exec\" flag to launch other applications. The rule includes references to articles detailing VSS evasion, persistence, and Active Directory database extraction using Diskshadow. The rule is authored by Harjot Singh and has a medium level of severity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml": {
        "filename": "rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml",
        "creation_Date": "2024-08-07T17:55:19.812227",
        "modification_Date": "2024-08-07T20:37:07.489439",
        "lastUpdate_Date": "2024-08-07T20:37:07.489442",
        "sigmaRule": "title: Scheduled Task Created - Registry\nid: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3\nstatus: test\ndescription: Detects the creation of a scheduled task via Registry keys.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/\n    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023/09/27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.s0111\n    - attack.t1053.005\n    - car.2013-08-001\n    - detection.threat_hunting\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\'\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n    condition: selection\nfalsepositives:\n    - Likely as this is a normal behaviour on Windows\nlevel: low\n",
        "summary": "This Sigma rule detects the creation of a scheduled task via Registry keys on a Windows system. The rule looks for specific strings in the TargetObject field of registry events related to scheduled tasks. This activity is considered to be a normal behavior on Windows, so there may be false positives. The rule is classified as low severity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml",
        "creation_Date": "2024-08-07T17:55:20.882769",
        "modification_Date": "2024-08-07T20:37:07.489500",
        "lastUpdate_Date": "2024-08-07T20:37:07.489503",
        "sigmaRule": "title: AWS Identity Center Identity Provider Change\nid: d3adb3ef-b7e7-4003-9092-1924c797db35\nstatus: test\ndescription: |\n    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.\n    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.\nreferences:\n    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html\n    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html\n    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html\nauthor: Michael McIntyre @wtfender\ndate: 2023/09/27\ntags:\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource:\n            - 'sso-directory.amazonaws.com'\n            - 'sso.amazonaws.com'\n        eventName:\n            - 'AssociateDirectory'\n            - 'DisableExternalIdPConfigurationForDirectory'\n            - 'DisassociateDirectory'\n            - 'EnableExternalIdPConfigurationForDirectory'\n    condition: selection\nfalsepositives:\n    - Authorized changes to the AWS account's identity provider\nlevel: high\n",
        "summary": "This Sigma Rule detects changes in the AWS Identity Center (formerly AWS SSO) identity provider, which could allow attackers to gain persistent access or escalate privileges through user impersonation. The rule looks for specific events in the CloudTrail logs related to changes in the identity provider configuration. False positives may occur if authorized changes are made to the identity provider.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml": {
        "filename": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml",
        "creation_Date": "2024-08-07T17:55:22.116474",
        "modification_Date": "2024-08-07T20:37:07.489558",
        "lastUpdate_Date": "2024-08-07T20:37:07.489561",
        "sigmaRule": "title: Malicious IP Address Sign-In Failure Rate\nid: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd\nstatus: test\ndescription: Indicates sign-in from a malicious IP address based on high failure rates.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/07\ntags:\n    - attack.t1090\n    - attack.command_and_control\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'maliciousIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n",
        "summary": "This Sigma Rule detects sign-in attempts from a malicious IP address based on high failure rates. It is focused on identifying potential security threats and recommends further investigation of flagged sessions in the context of other user sign-ins. The rule is set at a high level of severity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml": {
        "filename": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml",
        "creation_Date": "2024-08-07T17:55:23.066922",
        "modification_Date": "2024-08-07T20:37:07.489619",
        "lastUpdate_Date": "2024-08-07T20:37:07.489623",
        "sigmaRule": "title: Malicious IP Address Sign-In Suspicious\nid: 36440e1c-5c22-467a-889b-593e66498472\nstatus: test\ndescription: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/07\ntags:\n    - attack.t1090\n    - attack.command_and_control\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'suspiciousIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n",
        "summary": "The Sigma Rule with ID 36440e1c-5c22-467a-889b-593e66498472 identifies suspicious sign-ins from a known malicious IP address. It indicates that the sign-in comes from an IP address that is recognized as malicious at the time of the sign-in. The rule is associated with Azure risk detection service and is categorized as a high-level alert. It is recommended to investigate the flagged sessions in the context of other user sign-ins to determine the severity of the threat.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml": {
        "filename": "rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml",
        "creation_Date": "2024-08-07T17:55:24.636981",
        "modification_Date": "2024-08-07T20:37:07.489675",
        "lastUpdate_Date": "2024-08-07T20:37:07.489678",
        "sigmaRule": "title: Primary Refresh Token Access Attempt\nid: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1\nstatus: test\ndescription: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/07\ntags:\n    - attack.t1528\n    - attack.credential_access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'attemptedPrtAccess'\n    condition: selection\nfalsepositives:\n    - This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.\nlevel: high\n",
        "summary": "The Sigma Rule indicates an access attempt to the Primary Refresh Token (PRT) resource, which can be used for lateral movement within an organization or for credential theft. The rule includes references to Microsoft documentation on identity protection risks and unusual sign-ins. It applies to Azure's risk detection service and has a high-level detection alert for attempted PRT access. False positives are rare but should be remediated when detected.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml": {
        "filename": "rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml",
        "creation_Date": "2024-08-07T17:55:25.804103",
        "modification_Date": "2024-08-07T20:37:07.489730",
        "lastUpdate_Date": "2024-08-07T20:37:07.489734",
        "sigmaRule": "title: Azure AD Threat Intelligence\nid: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba\nstatus: test\ndescription: Indicates user activity that is unusual for the user or consistent with known attack patterns.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/07\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.initial_access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'investigationsThreatIntelligence'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n",
        "summary": "This Sigma Rule for Azure AD Threat Intelligence indicates user activity that is unusual for the user or consistent with known attack patterns. It includes references to Microsoft documentation for more information on the threat intelligence features. The rule focuses on riskEventType 'investigationsThreatIntelligence' in the riskdetection service of Azure. False positives should be investigated in the context of other sign-ins from the user to verify any suspicious activity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml",
        "creation_Date": "2024-08-07T17:55:27.071721",
        "modification_Date": "2024-08-07T20:37:07.489780",
        "lastUpdate_Date": "2024-08-07T20:37:07.489783",
        "sigmaRule": "title: Stale Accounts In A Privileged Role\nid: e402c26a-267a-45bd-9615-bd9ceda6da85\nstatus: test\ndescription: Identifies when an account hasn't signed in during the past n number of days.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'staleSignInAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if potential generic account that cannot be removed.\nlevel: high\n",
        "summary": "This Sigma Rule detects stale accounts in a privileged role by identifying when an account has not signed in during a specified number of days. It is a high-level detection rule for Azure Privileged Identity Management (PIM) service. The rule utilizes the riskEventType field to identify staleSignInAlertIncident incidents. False positives may occur for generic accounts that cannot be removed.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml",
        "creation_Date": "2024-08-07T17:55:28.128372",
        "modification_Date": "2024-08-07T20:37:07.489904",
        "lastUpdate_Date": "2024-08-07T20:37:07.489909",
        "sigmaRule": "title: Invalid PIM License\nid: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8\nstatus: test\ndescription: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'invalidLicenseAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if licenses have expired.\nlevel: high\n",
        "summary": "This Sigma Rule detects when an organization does not have the proper license for Microsoft's Privileged Identity Management (PIM) and is out of compliance. It is identified by an 'invalidLicenseAlertIncident' risk event type in the Azure PIM service. False positives may occur if licenses have expired.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml",
        "creation_Date": "2024-08-07T17:55:29.630513",
        "modification_Date": "2024-08-07T20:37:07.489976",
        "lastUpdate_Date": "2024-08-07T20:37:07.489982",
        "sigmaRule": "title: Roles Assigned Outside PIM\nid: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb\nstatus: test\ndescription: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'\n    condition: selection\nfalsepositives:\n    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.\nlevel: high\n",
        "summary": "This Sigma Rule detects when a privilege role has been assigned outside of Privileged Identity Management (PIM), which could indicate a potential attack. It recommends investigating these instances and preventing future assignments from occurring in unauthorized locations.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml",
        "creation_Date": "2024-08-07T17:55:30.760550",
        "modification_Date": "2024-08-07T20:37:07.490040",
        "lastUpdate_Date": "2024-08-07T20:37:07.490043",
        "sigmaRule": "title: Roles Activated Too Frequently\nid: 645fd80d-6c07-435b-9e06-7bc1b5656cba\nstatus: test\ndescription: Identifies when the same privilege role has multiple activations by the same user.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'sequentialActivationRenewalsAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate where if active time period for a role is set too short.\nlevel: high\n",
        "summary": "The Sigma Rule identifies when the same privilege role is activated multiple times by the same user, indicating potential security risks such as privilege escalation or persistence attacks. The rule is specific to Microsoft Azure's Privileged Identity Management (PIM) service and can help organizations detect and prevent unauthorized role activations. The rule provides detection criteria and recommendations for investigating false positives related to short active time periods for roles.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml",
        "creation_Date": "2024-08-07T17:55:31.868468",
        "modification_Date": "2024-08-07T20:37:07.490095",
        "lastUpdate_Date": "2024-08-07T20:37:07.490099",
        "sigmaRule": "title: Roles Activation Doesn't Require MFA\nid: 94a66f46-5b64-46ce-80b2-75dcbe627cc0\nstatus: test\ndescription: Identifies when a privilege role can be activated without performing mfa.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'noMfaOnRoleActivationAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if user is performing MFA at sign-in.\nlevel: high\n",
        "summary": "This Sigma Rule is used for identifying when a privilege role can be activated without performing MFA (Multi-Factor Authentication). The rule focuses on detecting instances where MFA is not required for role activation within Azure Privileged Identity Management (PIM). The rule includes detection criteria, potential false positives, and references for further information.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml",
        "creation_Date": "2024-08-07T17:55:32.988027",
        "modification_Date": "2024-08-07T20:37:07.490147",
        "lastUpdate_Date": "2024-08-07T20:37:07.490150",
        "sigmaRule": "title: Roles Are Not Being Used\nid: 8c6ec464-4ae4-43ac-936a-291da66ed13d\nstatus: test\ndescription: Identifies when a user has been assigned a privilege role and are not using that role.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'redundantAssignmentAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if potential generic account that cannot be removed.\nlevel: high\n",
        "summary": "This Sigma rule detects when a user has been assigned a privilege role in Azure PIM but is not using that role, which could indicate a security issue. The rule specifies the detection criteria and provides references for further information. It has a high level of severity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml": {
        "filename": "rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml",
        "creation_Date": "2024-08-07T17:55:33.943096",
        "modification_Date": "2024-08-07T20:37:07.490197",
        "lastUpdate_Date": "2024-08-07T20:37:07.490203",
        "sigmaRule": "title: Too Many Global Admins\nid: 7bbc309f-e2b1-4eb1-8369-131a367d67d3\nstatus: test\ndescription: Identifies an event where there are there are too many accounts assigned the Global Administrator role.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023/09/14\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if threshold setting in PIM is too low.\nlevel: high\n",
        "summary": "This Sigma Rule detects an event where there are too many accounts assigned the Global Administrator role in Azure Privileged Identity Management (PIM). It provides a detection condition and suggests investigating the threshold setting in PIM if false positives occur. The rule is categorized as high risk and can help prevent attacks related to privilege escalation and persistence.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/m365/audit/microsoft365_disabling_mfa.yml": {
        "filename": "rules/cloud/m365/audit/microsoft365_disabling_mfa.yml",
        "creation_Date": "2024-08-07T17:55:35.405155",
        "modification_Date": "2024-08-07T20:37:07.490252",
        "lastUpdate_Date": "2024-08-07T20:37:07.490257",
        "sigmaRule": "title: Disabling Multi Factor Authentication\nid: 60de9b57-dc4d-48b9-a6a0-b39e0469f876\nstatus: test\ndescription: Detects disabling of Multi Factor Authentication.\nreferences:\n    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/\nauthor: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)\ndate: 2023/09/18\ntags:\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    service: audit\n    product: m365\ndetection:\n    selection:\n        Operation|contains: 'Disable Strong Authentication.'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the disabling of Multi Factor Authentication in Microsoft 365. It looks for the operation containing \"Disable Strong Authentication\" in the audit log. The rule was authored by the Splunk Threat Research Team and adapted by Harjot Singh. The detection level is set to high with false positives considered unlikely.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml": {
        "filename": "rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml",
        "creation_Date": "2024-08-07T17:55:36.655738",
        "modification_Date": "2024-08-07T20:37:07.490312",
        "lastUpdate_Date": "2024-08-07T20:37:07.490317",
        "sigmaRule": "title: New Federated Domain Added\nid: 58f88172-a73d-442b-94c9-95eaed3cbb36\nrelated:\n    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339\n      type: similar\nstatus: test\ndescription: Detects the addition of a new Federated Domain.\nreferences:\n    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/\n    - https://o365blog.com/post/aadbackdoor/\nauthor: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)\ndate: 2023/09/18\ntags:\n    - attack.persistence\n    - attack.t1136.003\nlogsource:\n    service: audit\n    product: m365\ndetection:\n    selection_domain:\n        Operation|contains: 'domain'\n    selection_operation:\n        Operation|contains:\n            - 'add'\n            - 'new'\n    condition: all of selection_*\nfalsepositives:\n    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.\nlevel: medium\n",
        "summary": "This Sigma Rule detects the addition of a new Federated Domain within the Microsoft 365 environment. The rule looks for specific keywords related to the operation such as 'domain', 'add', and 'new'. Although the creation of a new Federated domain is not always malicious, it is recommended to closely monitor these events as they could potentially indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider. The rule was authored by the Splunk Threat Research Team and Harjot Singh.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/okta/okta_identity_provider_created.yml": {
        "filename": "rules/cloud/okta/okta_identity_provider_created.yml",
        "creation_Date": "2024-08-07T17:55:37.976906",
        "modification_Date": "2024-08-07T20:37:07.490372",
        "lastUpdate_Date": "2024-08-07T20:37:07.490375",
        "sigmaRule": "title: Okta Identity Provider Created\nid: 969c7590-8c19-4797-8c1b-23155de6e7ac\nstatus: test\ndescription: Detects when a new identity provider is created for Okta.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nauthor: kelnage\ndate: 2023/09/07\ntags:\n    - attack.persistence\n    - attack.t1098.001\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'system.idp.lifecycle.create'\n    condition: selection\nfalsepositives:\n    - When an admin creates a new, authorised identity provider.\nlevel: medium\n",
        "summary": "Sigma Rule ID 969c7590-8c19-4797-8c1b-23155de6e7ac detects when a new identity provider is created for Okta. It uses eventtype 'system.idp.lifecycle.create' to identify the event, and may have false positives when an admin creates a new, authorized identity provider. The rule is categorized under attack persistence and technique t1098.001. Detection of this event could indicate a potential security issue and the rule is tagged with a medium level of severity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/okta/okta_suspicious_activity_enduser_report.yml": {
        "filename": "rules/cloud/okta/okta_suspicious_activity_enduser_report.yml",
        "creation_Date": "2024-08-07T17:55:39.547343",
        "modification_Date": "2024-08-07T20:37:07.490422",
        "lastUpdate_Date": "2024-08-07T20:37:07.490425",
        "sigmaRule": "title: Okta Suspicious Activity Reported by End-user\nid: 07e97cc6-aed1-43ae-9081-b3470d2367f1\nstatus: test\ndescription: Detects when an Okta end-user reports activity by their account as being potentially suspicious.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md\nauthor: kelnage\ndate: 2023/09/07\ntags:\n    - attack.resource_development\n    - attack.t1586.003\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'user.account.report_suspicious_activity_by_enduser'\n    condition: selection\nfalsepositives:\n    - If an end-user incorrectly identifies normal activity as suspicious.\nlevel: high\n",
        "summary": "This Sigma Rule detects when an Okta end-user reports activity by their account as potentially suspicious. The rule specifies the event type that triggers the detection and provides references to Okta API documentation for more information. False positives may occur if an end-user mistakenly identifies normal activity as suspicious. The level of severity for this rule is high.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml": {
        "filename": "rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml",
        "creation_Date": "2024-08-07T17:55:40.921854",
        "modification_Date": "2024-08-07T20:37:07.490472",
        "lastUpdate_Date": "2024-08-07T20:37:07.490475",
        "sigmaRule": "title: Okta User Session Start Via An Anonymising Proxy Service\nid: bde30855-5c53-4c18-ae90-1ff79ebc9578\nstatus: test\ndescription: Detects when an Okta user session starts where the user is behind an anonymising proxy service.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nauthor: kelnage\ndate: 2023/09/07\ntags:\n    - attack.defense_evasion\n    - attack.t1562.006\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'user.session.start'\n        securitycontext.isproxy: 'true'\n    condition: selection\nfalsepositives:\n    - If a user requires an anonymising proxy due to valid justifications.\nlevel: high\n",
        "summary": "This Sigma Rule detects when an Okta user session starts with the user behind an anonymising proxy service. The rule looks for events of type 'user.session.start' with security context indicating the use of a proxy. False positives may occur if a user has valid reasons for using an anonymising proxy.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml": {
        "filename": "rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml",
        "creation_Date": "2024-08-07T17:55:42.405150",
        "modification_Date": "2024-08-07T20:37:07.490524",
        "lastUpdate_Date": "2024-08-07T20:37:07.490529",
        "sigmaRule": "title: Sysinternals Tools AppX Versions Execution\nid: d29a20b2-be4b-4827-81f2-3d8a59eab5fc\nstatus: test\ndescription: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/01/16\nmodified: 2023/09/12\ntags:\n    - attack.defense_evasion\n    - attack.execution\nlogsource:\n    product: windows\n    service: appmodel-runtime\ndetection:\n    selection:\n        EventID: 201\n        ImageName:\n            - 'procdump.exe'\n            - 'psloglist.exe'\n            - 'psexec.exe'\n            - 'livekd.exe'\n            - 'ADExplorer.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the applications from the Windows Store\nlevel: low\n",
        "summary": "This Sigma Rule detects the execution of Sysinternals tools through an AppX package. Attackers may use these tools, such as psexec and procdump, to evade detection by using non-standard system paths. The rule looks for specific Event IDs and image names related to these tools in the Windows appmodel-runtime service. Legitimate usage from the Windows Store could trigger false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml": {
        "filename": "rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml",
        "creation_Date": "2024-08-07T17:55:43.681923",
        "modification_Date": "2024-08-07T20:37:07.490580",
        "lastUpdate_Date": "2024-08-07T20:37:07.490583",
        "sigmaRule": "title: DNS Query To Ufile.io - DNS Client\nid: 090ffaad-c01a-4879-850c-6d57da98452d\nrelated:\n    - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b\n      type: similar\nstatus: test\ndescription: Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/01/16\nmodified: 2023/09/18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|contains: 'ufile.io'\n    condition: selection\nfalsepositives:\n    - DNS queries for \"ufile\" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take\nlevel: low\n",
        "summary": "This Sigma Rule detects DNS queries to \"ufile.io\", a domain known to be abused by malware and threat actors for data exfiltration. It specifies the event ID and query name to look for in the Windows DNS Client Events/Operational Event Log. The rule's level is classified as low, and it emphasizes the need to investigate further before taking any action on DNS queries for \"ufile\" that may not be malicious.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml": {
        "filename": "rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml",
        "creation_Date": "2024-08-07T17:55:45.364412",
        "modification_Date": "2024-08-07T20:37:07.490638",
        "lastUpdate_Date": "2024-08-07T20:37:07.490641",
        "sigmaRule": "title: Service Registry Key Read Access Request\nid: 11d00fff-5dc3-428c-8184-801f292faec0\nstatus: test\ndescription: |\n    Detects \"read access\" requests on the services registry key.\n    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\n    Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023/09/28\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1574.011\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: SACLs must be enabled for \"READ_CONTROL\" on the registry keys used in this rule'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectName|contains|all:\n            - '\\SYSTEM\\'\n            - 'ControlSet\\Services\\'\n        AccessList|contains: '%%1538' # READ_CONTROL\n    condition: selection\nfalsepositives:\n    - Likely from legitimate applications reading their key. Requires heavy tuning\nlevel: low\n",
        "summary": "This Sigma Rule detects \"read access\" requests on the services registry key to prevent adversaries from executing malicious payloads by hijacking registry entries used by services. Adversaries may exploit weaknesses in permissions for registry keys related to services to launch their own code when a service starts. The rule requires SACLs to be enabled for \"READ_CONTROL\" on the registry keys. It may result in false positives from legitimate applications reading their key and requires heavy tuning.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml": {
        "filename": "rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml",
        "creation_Date": "2024-08-07T17:55:46.672446",
        "modification_Date": "2024-08-07T20:37:07.490695",
        "lastUpdate_Date": "2024-08-07T20:37:07.490698",
        "sigmaRule": "title: DNS Server Discovery Via LDAP Query\nid: a21bcd7e-38ec-49ad-b69a-9ea17e69509e\nstatus: test\ndescription: Detects DNS server discovery via LDAP query requests from uncommon applications\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04\nauthor: frack113\ndate: 2022/08/20\nmodified: 2023/09/18\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|startswith: '_ldap.'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n            - ':\\Windows\\'\n    filter_main_defender:\n        Image|contains: ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_main_unknown:\n        Image: '<unknown process>'\n    filter_optional_azure:\n        Image|startswith: 'C:\\WindowsAzure\\GuestAgent'\n    filter_main_null:\n        Image: null\n    filter_optional_browsers:\n        # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.\n        Image|endswith:\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\opera.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely\n# Note: Incrase the level once a baseline is established\nlevel: low\n",
        "summary": "This Sigma rule detects DNS server discovery via LDAP query requests from uncommon applications on Windows systems. The rule looks for DNS queries starting with '_ldap.' and filters out common applications such as those in Program Files, Windows Defender, and browsers. The rule has a low level of certainty and may have false positives. It's based on Atomic Red Team's T1016 and Microsoft's ADTS documentation.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml": {
        "filename": "rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml",
        "creation_Date": "2024-08-07T17:55:47.938827",
        "modification_Date": "2024-08-07T20:37:07.490745",
        "lastUpdate_Date": "2024-08-07T20:37:07.490748",
        "sigmaRule": "title: DNS Query To Remote Access Software Domain From Non-Browser App\nid: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52\nrelated:\n    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f\n      type: obsoletes\n    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d\n      type: obsoletes\n    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4\n      type: obsoletes\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution\n    - https://redcanary.com/blog/misbehaving-rats/\n    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\nauthor: frack113, Connor Martin\ndate: 2022/07/11\nmodified: 2023/09/12\ntags:\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection_generic:\n        QueryName|endswith:\n            - 'agent.jumpcloud.com'\n            - 'agentreporting.atera.com'\n            - 'ammyy.com'\n            - 'api.parsec.app'\n            - 'api.playanext.com'\n            - 'api.splashtop.com'\n            - 'app.atera.com'\n            - 'assist.zoho.com'\n            - 'authentication.logmeininc.com'\n            - 'beyondtrustcloud.com'\n            - 'cdn.kaseya.net'\n            - 'client.teamviewer.com'\n            - 'comserver.corporate.beanywhere.com'\n            - 'control.connectwise.com'\n            - 'downloads.zohocdn.com'\n            - 'dwservice.net'\n            - 'express.gotoassist.com'\n            - 'getgo.com'\n            - 'integratedchat.teamviewer.com'\n            - 'join.zoho.com'\n            - 'kickstart.jumpcloud.com'\n            - 'license.bomgar.com'\n            - 'logmein-gateway.com'\n            - 'logmein.com'\n            - 'logmeincdn.http.internapcdn.net'\n            - 'n-able.com'\n            - 'net.anydesk.com'\n            - 'netsupportsoftware.com' # For NetSupport Manager RAT\n            - 'parsecusercontent.com'\n            - 'pubsub.atera.com'\n            - 'relay.kaseya.net'\n            - 'relay.screenconnect.com'\n            - 'relay.splashtop.com'\n            - 'remotedesktop-pa.googleapis.com'\n            - 'remoteutilities.com' # Usage of Remote Utilities RAT\n            - 'secure.logmeinrescue.com'\n            - 'services.vnc.com'\n            - 'static.remotepc.com'\n            - 'swi-rc.com'\n            - 'swi-tc.com'\n            - 'telemetry.servers.qetqo.com'\n            - 'tmate.io'\n            - 'zohoassist.com'\n    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern\n        QueryName|endswith: '.rustdesk.com'\n        QueryName|startswith: 'rs-'\n    # Exclude browsers for legitimate visits of the domains mentioned above\n    # Add missing browsers you use and exclude the ones you don't\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_defender:\n        Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n    filter_optional_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_optional_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    filter_optional_tor:\n        Image|contains: '\\Tor Browser\\'\n    filter_optional_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_optional_midori:\n        Image|contains: '\\AppData\\Local\\Programs\\midori-ng\\'\n        Image|endswith: '\\Midori Next Generation.exe'\n    filter_optional_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_optional_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_optional_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_optional_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_optional_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely with other browser software. Apply additional filters for any other browsers you might use.\nlevel: medium\n",
        "summary": "The Sigma Rule identifies potentially malicious activity involving remote access software being used for command and control purposes by monitoring DNS queries to specific domains associated with these tools. The rule specifies a list of domains related to popular remote access software and provides filters to exclude legitimate browser activity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml": {
        "filename": "rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml",
        "creation_Date": "2024-08-07T17:55:48.910120",
        "modification_Date": "2024-08-07T20:37:07.490794",
        "lastUpdate_Date": "2024-08-07T20:37:07.490797",
        "sigmaRule": "title: DNS Query Tor .Onion Address - Sysmon\nid: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544\nrelated:\n    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2\n      type: similar\nstatus: test\ndescription: Detects DNS queries to an \".onion\" address related to Tor routing networks\nreferences:\n    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/\nauthor: frack113\ndate: 2022/02/20\nmodified: 2023/09/18\ntags:\n    - attack.command_and_control\n    - attack.t1090.003\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: '.onion'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects DNS queries to a .onion address related to Tor routing networks on Windows systems. The rule can help identify potential use of Tor for command and control purposes (attack.command_and_control). The detection criteria is based on the QueryName containing '.onion'. False positives are listed as unknown, and the rule is rated at a high severity level.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/dns_query/dns_query_win_ufile_io_query.yml": {
        "filename": "rules/windows/dns_query/dns_query_win_ufile_io_query.yml",
        "creation_Date": "2024-08-07T17:55:49.977071",
        "modification_Date": "2024-08-07T20:37:07.490848",
        "lastUpdate_Date": "2024-08-07T20:37:07.490851",
        "sigmaRule": "title: DNS Query To Ufile.io\nid: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b\nrelated:\n    - id: 090ffaad-c01a-4879-850c-6d57da98452d\n      type: similar\nstatus: test\ndescription: Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\nauthor: yatinwad, TheDFIRReport\ndate: 2022/06/23\nmodified: 2023/09/18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: 'ufile.io'\n    condition: selection\nfalsepositives:\n    - DNS queries for \"ufile\" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take\nlevel: low\n",
        "summary": "This Sigma Rule detects DNS queries to \"ufile.io,\" which has been used by malware and threat actors for data exfiltration. It is a low-level detection, and false positives may occur with legitimate DNS queries for \"ufile.\"",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml",
        "creation_Date": "2024-08-07T17:55:50.873476",
        "modification_Date": "2024-08-07T20:37:07.490904",
        "lastUpdate_Date": "2024-08-07T20:37:07.490907",
        "sigmaRule": "title: Potentially Suspicious DMP/HDMP File Creation\nid: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c\nrelated:\n    - id: 3a525307-d100-48ae-b3b9-0964699d7f97\n      type: similar\nstatus: test\ndescription: Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/07\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        TargetFilename|endswith:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: selection\nfalsepositives:\n    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.\nlevel: medium\n",
        "summary": "This Sigma rule detects the creation of a file with the \".dmp\" or \".hdmp\" extension by shell or scripting applications like \"cmd\" or \"powershell.\" These files are often generated by software during a crash and may contain sensitive information. It is important to investigate the source of the crash. The rule provides selection criteria for monitoring such file creations on Windows systems and includes a note about potential false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml",
        "creation_Date": "2024-08-07T17:55:52.314477",
        "modification_Date": "2024-08-07T20:37:07.490955",
        "lastUpdate_Date": "2024-08-07T20:37:07.490959",
        "sigmaRule": "title: OneNote Attachment File Dropped In Suspicious Location\nid: 7fd164ba-126a-4d9c-9392-0d4f7c243df0\nstatus: test\ndescription: Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/\n    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/01/22\nmodified: 2023/09/19\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - ':\\Temp\\'\n        TargetFilename|endswith:\n            - '.one'\n            - '.onepkg'\n    filter_main_onenote:\n        Image|contains: ':\\Program Files\\Microsoft Office\\'\n        Image|endswith: '\\ONENOTE.EXE'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate usage of \".one\" or \".onepkg\" files from those locations\nlevel: medium\n",
        "summary": "This Sigma Rule detects the creation of files with the \".one\" or \".onepkg\" extension in suspicious or uncommon locations, which could indicate attackers abusing OneNote attachments. The rule specifies several suspicious locations to monitor for these file types and includes a filter to ensure legitimate usage of OneNote attachments is not flagged as malicious. The rule is considered a medium level alert.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml": {
        "filename": "rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml",
        "creation_Date": "2024-08-07T17:55:53.492747",
        "modification_Date": "2024-08-07T20:37:07.491012",
        "lastUpdate_Date": "2024-08-07T20:37:07.491015",
        "sigmaRule": "title: Amsi.DLL Loaded Via LOLBIN Process\nid: 6ec86d9e-912e-4726-91a2-209359b999b9\nstatus: test\ndescription: Detects loading of \"Amsi.dll\" by a living of the land process. This could be an indication of a \"PowerShell without PowerShell\" attack\nreferences:\n    - Internal Research\n    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/06/01\nmodified: 2023/09/20\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\amsi.dll'\n        Image|endswith:\n            # TODO: Add more interesting processes\n            - '\\ExtExport.exe'\n            - '\\odbcconf.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects the loading of \"Amsi.dll\" by a LOLBIN (Living off the land binary) process, which could indicate a \"PowerShell without PowerShell\" attack. The rule includes a list of interesting processes to monitor for this activity. The rule's author is Nasreddine Bencherchali, and it was last modified on September 20, 2023.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/image_load/image_load_rundll32_remote_share_load.yml": {
        "filename": "rules/windows/image_load/image_load_rundll32_remote_share_load.yml",
        "creation_Date": "2024-08-07T17:55:54.976734",
        "modification_Date": "2024-08-07T20:37:07.491060",
        "lastUpdate_Date": "2024-08-07T20:37:07.491063",
        "sigmaRule": "title: Remote DLL Load Via Rundll32.EXE\nid: f40017b3-cb2e-4335-ab5d-3babf679c1de\nstatus: test\ndescription: Detects a remote DLL load event via \"rundll32.exe\".\nreferences:\n    - https://github.com/gabe-k/themebleed\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/18\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        ImageLoaded|startswith: '\\\\\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects a remote DLL load event via \"rundll32.exe\" on Windows systems. The rule looks for rundll32.exe processes loading DLL files from remote locations. The author is Nasreddine Bencherchali and the rule was last updated on September 18, 2023. It has a medium level of severity and there are currently no known false positives for this rule.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/image_load/image_load_susp_dll_load_system_process.yml": {
        "filename": "rules/windows/image_load/image_load_susp_dll_load_system_process.yml",
        "creation_Date": "2024-08-07T17:55:56.238627",
        "modification_Date": "2024-08-07T20:37:07.491109",
        "lastUpdate_Date": "2024-08-07T20:37:07.491112",
        "sigmaRule": "title: DLL Load By System Process From Suspicious Locations\nid: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c\nstatus: test\ndescription: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as \"C:\\Users\\Public\"\nreferences:\n    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/17\nmodified: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1070\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|startswith: 'C:\\Windows\\'\n        ImageLoaded|startswith:\n            # TODO: Add more suspicious paths as you see fit in your env\n            - 'C:\\Users\\Public\\'\n            - 'C:\\PerfLogs\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects when a system process loads a DLL from a suspicious location or a location with permissive permissions, such as \"C:\\Users\\Public\". The rule looks for image loads that start with 'C:\\Windows\\' and checks if the image loaded starts with 'C:\\Users\\Public\\' or 'C:\\PerfLogs\\'. This rule was authored by Nasreddine Bencherchali and is tagged with defense evasion and T1070.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/image_load/image_load_susp_python_image_load.yml": {
        "filename": "rules/windows/image_load/image_load_susp_python_image_load.yml",
        "creation_Date": "2024-08-07T17:55:57.809863",
        "modification_Date": "2024-08-07T20:37:07.491162",
        "lastUpdate_Date": "2024-08-07T20:37:07.491168",
        "sigmaRule": "title: Python Image Load By Non-Python Process\nid: cbb56d62-4060-40f7-9466-d8aaf3123f83\nstatus: test\ndescription: Detects the image load of \"Python Core\" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.\nreferences:\n    - https://www.py2exe.org/\n    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/\nauthor: Patrick St. John, OTR (Open Threat Research)\ndate: 2020/05/03\nmodified: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1027.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Description: 'Python Core'\n    filter_main_generic:\n        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.\n        - Image|startswith:\n              - 'C:\\Program Files\\'\n              - 'C:\\Program Files (x86)\\'\n              - 'C:\\ProgramData\\Anaconda3\\' # Comment out if you don't use Anaconda in your environment\n    filter_optional_aurora:\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate Py2Exe Binaries\n    - Known false positive caused with Python Anaconda\nlevel: medium\n",
        "summary": "This Sigma rule detects the image load of \"Python Core\" by a non-Python process, which could indicate a Python script bundled with Py2Exe. The rule specifies filters to exclude known false positives such as legitimate Py2Exe binaries and instances involving Python Anaconda.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/network_connection/net_connection_win_python.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_python.yml",
        "creation_Date": "2024-08-07T17:55:58.698813",
        "modification_Date": "2024-08-07T20:37:07.491219",
        "lastUpdate_Date": "2024-08-07T20:37:07.491223",
        "sigmaRule": "title: Python Initiated Connection\nid: bef0bc5a-b9ae-425d-85c6-7b2d705980c6\nstatus: test\ndescription: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python\n    - https://pypi.org/project/scapy/\nauthor: frack113\ndate: 2021/12/10\nmodified: 2023/09/07\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: network_connection\n    product: windows\n    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|contains: 'python'\n    filter_optional_conda:\n        # Related to anaconda updates. Command example: \"conda update conda\"\n        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage\n        ParentImage: C:\\ProgramData\\Anaconda3\\Scripts\\conda.exe\n        CommandLine|contains|all:\n            - ':\\ProgramData\\Anaconda3\\Scripts\\conda-script.py'\n            - 'update'\n    filter_optional_conda_jupyter_notebook:\n        # Related to anaconda opening an instance of Jupyter Notebook\n        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage\n        ParentImage: C:\\ProgramData\\Anaconda3\\python.exe\n        CommandLine|contains: 'C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py'\n    filter_main_local_communication:\n        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances\n        DestinationIp: 127.0.0.1\n        SourceIp: 127.0.0.1\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.\nlevel: medium\n",
        "summary": "The Sigma Rule titled \"Python Initiated Connection\" detects a Python process initiating a network connection, which could indicate either legitimate package installation or potentially malicious communication with a command and control server. The rule includes filters to distinguish between benign and suspicious Python connections, such as filtering out specific Anaconda updates and Jupyter Notebook instances. False positives may occur with legitimate Python scripts using the socket library, so additional filters and baseline assessments are recommended before deployment.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml": {
        "filename": "rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml",
        "creation_Date": "2024-08-07T17:55:59.933735",
        "modification_Date": "2024-08-07T20:37:07.491268",
        "lastUpdate_Date": "2024-08-07T20:37:07.491272",
        "sigmaRule": "title: PsExec Tool Execution From Suspicious Locations - PipeName\nid: 41504465-5e3a-4a5b-a5b4-2a0baadd4463\nrelated:\n    - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c\n      type: derived\nstatus: test\ndescription: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/04\nmodified: 2023/09/20\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: pipe_created\n    product: windows\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName: '\\PSEXESVC'\n        Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n    condition: selection\nfalsepositives:\n    - Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.\nlevel: medium\n",
        "summary": "This Sigma Rule detects suspicious PsExec tool executions from potentially malicious locations, such as '\\Users\\Public\\', '\\Windows\\Temp\\', '\\AppData\\Local\\Temp\\', '\\Desktop\\', and '\\Downloads\\'. This could indicate that the tool is being used in an attack. Detection involves monitoring Named Pipe Events using Sysmon config and verifying the configuration. False positives may occur if PsExec is legitimately used from the mentioned locations, requiring tuning based on the environment.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml",
        "creation_Date": "2024-08-07T17:56:01.214473",
        "modification_Date": "2024-08-07T20:37:07.491318",
        "lastUpdate_Date": "2024-08-07T20:37:07.491321",
        "sigmaRule": "title: 7Zip Compressing Dump Files\nid: ec570e53-4c76-45a9-804d-dc3f355ff7a7\nrelated:\n    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc\n      type: derived\nstatus: test\ndescription: Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/09/27\nmodified: 2023/09/12\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_extension:\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally\n    - Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of 7z to compress files with a \".dmp\" or \".dump\" extension, which could indicate a step in the process of dump file exfiltration. The rule specifies conditions related to process creation on Windows, looking for specific keywords and file extensions in the command line. It also provides information on false positives and the level of severity for this detection.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml",
        "creation_Date": "2024-08-07T17:56:02.513602",
        "modification_Date": "2024-08-07T20:37:07.491365",
        "lastUpdate_Date": "2024-08-07T20:37:07.491367",
        "sigmaRule": "title: Suspicious AddinUtil.EXE CommandLine Execution\nid: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8\nstatus: test\ndescription: |\n    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    selection_susp_1_flags:\n        CommandLine|contains:\n            - '-AddInRoot:'\n            - '-PipelineRoot:'\n    selection_susp_1_paths:\n        CommandLine|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    selection_susp_2:\n        CommandLine|contains:\n            - '-AddInRoot:.'\n            - '-AddInRoot:\".\"'\n            - '-PipelineRoot:.'\n            - '-PipelineRoot:\".\"'\n        CurrentDirectory|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    condition: selection_img and (all of selection_susp_1_* or selection_susp_2)\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious execution of AddinUtil.exe with uncommon Addinroot or Pipelineroot paths that may point to malicious payloads in the adversary's Addins.Store. It monitors for specific command line parameters and paths commonly used by adversaries to evade detection. The rule is considered high severity and there are currently no known false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml",
        "creation_Date": "2024-08-07T17:56:03.618714",
        "modification_Date": "2024-08-07T20:37:07.491414",
        "lastUpdate_Date": "2024-08-07T20:37:07.491417",
        "sigmaRule": "title: Uncommon Child Process Of AddinUtil.EXE\nid: b5746143-59d6-4603-8d06-acbd60e166ee\nstatus: test\ndescription: |\n    Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\addinutil.exe'\n    filter_main_werfault:\n        Image|endswith:\n            - ':\\Windows\\System32\\conhost.exe'\n            - ':\\Windows\\System32\\werfault.exe'\n            - ':\\Windows\\SysWOW64\\werfault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe), which could indicate potential abuse of the binary to proxy execution via a custom Addins.Store payload. The rule looks for processes that are children of AddInutil.exe and filters out common processes like conhost.exe and werfault.exe. It is tagged as attack defense evasion and attack t1218 and has a medium detection level.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml",
        "creation_Date": "2024-08-07T17:56:04.969441",
        "modification_Date": "2024-08-07T20:37:07.491466",
        "lastUpdate_Date": "2024-08-07T20:37:07.491469",
        "sigmaRule": "title: Uncommon AddinUtil.EXE CommandLine Execution\nid: 4f2cd9b6-4a17-440f-bb2a-687abb65993a\nstatus: test\ndescription: |\n    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '-AddInRoot:'\n            - '-PipelineRoot:'\n    filter_main_addinroot:\n        CommandLine|contains:\n            - '-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. The adversary may use uncommon paths pointing to their malicious payload. The rule specifies conditions and filters to identify this behavior in Windows process creation logs.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml",
        "creation_Date": "2024-08-07T17:56:06.346010",
        "modification_Date": "2024-08-07T20:37:07.491517",
        "lastUpdate_Date": "2024-08-07T20:37:07.491520",
        "sigmaRule": "title: AddinUtil.EXE Execution From Uncommon Directory\nid: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348\nstatus: test\ndescription: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023/09/18\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    filter_main_legit_location:\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of the Add-In deployment cache updating utility (AddInUtil.exe) from a non-standard directory on a Windows system. It specifies criteria for identifying the executable and filters out legitimate locations where it may be found. The rule is classified as a medium level threat with no known false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml",
        "creation_Date": "2024-08-07T17:56:07.684655",
        "modification_Date": "2024-08-07T20:37:07.491571",
        "lastUpdate_Date": "2024-08-07T20:37:07.491574",
        "sigmaRule": "title: Chromium Browser Headless Execution To Mockbin Like Site\nid: 1c526788-0abe-4713-862f-b520da5e5316\nstatus: test\ndescription: Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).\nreferences:\n    - https://www.zscaler.com/blogs/security-research/steal-it-campaign\nauthor: X__Junior (Nextron Systems)\ndate: 2023/09/11\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n    selection_headless:\n        CommandLine|contains: '--headless'\n    selection_url:\n        CommandLine|contains:\n            - '://run.mocky'\n            - '://mockbin'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution of a Chromium-based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service, which could be used to exfiltrate data. It provides a method to identify potentially malicious activities involving browser processes and specific URLs.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml",
        "creation_Date": "2024-08-07T17:56:08.875753",
        "modification_Date": "2024-08-07T20:37:07.491618",
        "lastUpdate_Date": "2024-08-07T20:37:07.491621",
        "sigmaRule": "title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE\nid: 044ba588-dff4-4918-9808-3f95e8160606\nstatus: test\ndescription: Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/09/27\nmodified: 2023/09/12\ntags:\n    - attack.credential_access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: copy \\\\<host>\\\\<folder>\\\\process.dmp C:\\Users\\process.dmp\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'copy '\n            - ' \\\\\\\\'\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects the usage of the copy command in cmd.exe to copy files with the \".dmp\" or \".dump\" extension from a remote share. It provides examples of command line parameters to look for and specifies the conditions that need to be met for the rule to trigger. The rule has a high level of severity and there are no specified false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml",
        "creation_Date": "2024-08-07T17:56:10.150825",
        "modification_Date": "2024-08-07T20:37:07.491664",
        "lastUpdate_Date": "2024-08-07T20:37:07.491667",
        "sigmaRule": "title: Greedy File Deletion Using Del\nid: 204b17ae-4007-471b-917b-b917b315c5db\nstatus: test\ndescription: Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.\nreferences:\n    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase\nauthor: frack113 , X__Junior (Nextron Systems)\ndate: 2021/12/02\nmodified: 2023/09/11\ntags:\n    - attack.defense_evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example:\n    #   del C:\\ProgramData\\*.dll & exit\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_del:\n        CommandLine|contains:\n            - 'del '\n            - 'erase '\n    selection_extensions:\n        CommandLine|contains:\n            - '\\\\\\*.au3'\n            - '\\\\\\*.dll'\n            - '\\\\\\*.exe'\n            - '\\\\\\*.js'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "Sigma Rule ID 204b17ae-4007-471b-917b-b917b315c5db detects the execution of the \"del\" command in Windows, which is often used by malware to delete files using wildcard expressions. This behavior is commonly seen in malicious activities to remove evidence or delete content of folders containing malware infections. The rule provides specific criteria for detection, including the presence of specific file extensions and the use of the del command in the command line.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml",
        "creation_Date": "2024-08-07T17:56:11.595190",
        "modification_Date": "2024-08-07T20:37:07.491712",
        "lastUpdate_Date": "2024-08-07T20:37:07.491715",
        "sigmaRule": "title: Potentially Suspicious Child Process Of DiskShadow.EXE\nid: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious child processes of \"Diskshadow.exe\". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\n    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\n    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/15\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\diskshadow.exe'\n        Image|endswith:\n            # Note: add or remove additional binaries according to your org needs\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - False postitve can occur in cases where admin scripts levreage the \"exec\" flag to execute applications\nlevel: medium\n",
        "summary": "This Sigma Rule detects potentially suspicious child processes of \"Diskshadow.exe,\" which may indicate an attempt to bypass parent/child relationship detection or application whitelisting rules. The rule provides a selection of binaries commonly associated with malicious activity for comparison, with potential false positives occurring in cases where admin scripts leverage the \"exec\" flag to execute applications.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml",
        "creation_Date": "2024-08-07T17:56:12.699383",
        "modification_Date": "2024-08-07T20:37:07.491764",
        "lastUpdate_Date": "2024-08-07T20:37:07.491767",
        "sigmaRule": "title: Diskshadow Script Mode - Execution From Potential Suspicious Location\nid: fa1a7e52-3d02-435b-81b8-00da14dd66c1\nrelated:\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\n    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\n    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/15\nmodifier: 2024/03/05\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'diskshadow.exe'\n        - Image|endswith: '\\diskshadow.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-s '\n    selection_paths:\n        CommandLine|contains:\n            # Note: Add additional susp paths based on your org needs\n            - ':\\Temp\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '\\ProgramData\\'\n            - '\\Users\\Public\\'\n    condition: all of selection_*\nfalsepositives:\n    - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs.\nlevel: medium\n",
        "summary": "This Sigma Rule detects the execution of \"Diskshadow.exe\" in script mode with the \"/s\" flag, where the script is located in a potentially suspicious location. It provides related rules and references for further information. The rule includes detection criteria based on process creation events on Windows, with selection of image, command line, and paths to identify suspicious activity. False positives may occur if the script is executed from the specified paths, and organizations are advised to apply additional filters as needed. The rule is classified as a medium level alert.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_driverquery_recon.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_driverquery_recon.yml",
        "creation_Date": "2024-08-07T17:56:14.049389",
        "modification_Date": "2024-08-07T20:37:07.491810",
        "lastUpdate_Date": "2024-08-07T20:37:07.491813",
        "sigmaRule": "title: Potential Recon Activity Using DriverQuery.EXE\nid: 9fc3072c-dc8f-4bf7-b231-18950000fadd\nrelated:\n    - id: a20def93-0709-4eae-9bd2-31206e21e6b2\n      type: similar\nstatus: test\ndescription: Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers\nreferences:\n    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\n    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/\n    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/01/19\nmodified: 2023/09/29\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: 'driverquery.exe'\n        - OriginalFileName: 'drvqry.exe'\n    selection_parent:\n        - ParentImage|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - ParentImage|contains:\n              - '\\AppData\\Local\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage by some scripts might trigger this as well\nlevel: high\n",
        "summary": "This Sigma Rule detects potential reconnaissance activity using the \"driverquery\" utility to gather information on installed drivers. It looks for instances of driverquery.exe being executed by specific parent processes such as cscript.exe, mshta.exe, regsvr32.exe, rundll32.exe, and wscript.exe, and in specific locations like AppData\\Local, Users\\Public, and Windows\\Temp. Legitimate usage by some scripts may trigger false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_driverquery_usage.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_driverquery_usage.yml",
        "creation_Date": "2024-08-07T17:56:15.350852",
        "modification_Date": "2024-08-07T20:37:07.491856",
        "lastUpdate_Date": "2024-08-07T20:37:07.491859",
        "sigmaRule": "title: DriverQuery.EXE Execution\nid: a20def93-0709-4eae-9bd2-31206e21e6b2\nrelated:\n    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd\n      type: similar\nstatus: test\ndescription: Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers\nreferences:\n    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\n    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/\n    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/01/19\nmodified: 2023/09/29\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: 'driverquery.exe'\n        - OriginalFileName: 'drvqry.exe'\n    filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting\n        - ParentImage|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - ParentImage|contains:\n              - '\\AppData\\Local\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use by third party tools in order to investigate installed drivers\nlevel: medium # Level could be reduced to low if this utility is often used in your environment\n",
        "summary": "The Sigma rule detects the execution of the \"driverquery\" utility, which can be used for recon on installed drivers. It specifies conditions for detecting the utility's usage and includes references for further reading. The rule also mentions potential false positives and provides a medium level of severity for alerts.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_renamed_autoit.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_renamed_autoit.yml",
        "creation_Date": "2024-08-07T17:56:16.392809",
        "modification_Date": "2024-08-07T20:37:07.491904",
        "lastUpdate_Date": "2024-08-07T20:37:07.491907",
        "sigmaRule": "title: Renamed AutoIt Execution\nid: f4264e47-f522-4c38-a420-04525d5b880f\nstatus: test\ndescription: |\n    Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\n    AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\n    Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.\nreferences:\n    - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w\n    - https://www.autoitscript.com/site/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023/06/04\nmodified: 2023/09/19\ntags:\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - ' /AutoIt3ExecuteScript'\n            - ' /ErrorStdOut'\n    selection_2:\n        - Imphash:\n              - 'fdc554b3a8683918d731685855683ddf'  # AutoIt v2 - doesn't cover all binaries\n              - 'cd30a61b60b3d60cecdb034c8c83c290'  # AutoIt v2 - doesn't cover all binaries\n              - 'f8a00c72f2d667d2edbb234d0c0ae000'  # AutoIt v3 - doesn't cover all binaries\n        - Hashes|contains:\n              - 'IMPHASH=FDC554B3A8683918D731685855683DDF'  # AutoIt v2 - doesn't cover all binaries\n              - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290'  # AutoIt v2 - doesn't cover all binaries\n              - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000'  # AutoIt v3 - doesn't cover all binaries\n    selection_3:\n        OriginalFileName:\n            - 'AutoIt3.exe'\n            - 'AutoIt2.exe'\n            - 'AutoIt.exe'\n    filter_main_legit_name:\n        Image|endswith:\n            - '\\AutoIt.exe'\n            - '\\AutoIt2.exe'\n            - '\\AutoIt3_x64.exe'\n            - '\\AutoIt3.exe'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution of a renamed AutoIt2.exe or AutoIt3.exe, which are scripting languages used for automation tasks on Windows systems. Attackers can misuse AutoIt to create and distribute malware, making a renamed AutoIt executable particularly suspicious. The rule includes criteria such as specific command line parameters, imphashes, file names, and file paths to identify potentially malicious activity.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml",
        "creation_Date": "2024-08-07T17:56:18.529748",
        "modification_Date": "2024-08-07T20:37:07.491957",
        "lastUpdate_Date": "2024-08-07T20:37:07.491960",
        "sigmaRule": "title: Suspicious WebDav Client Execution Via Rundll32.EXE\nid: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555\nstatus: test\ndescription: |\n    Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\nreferences:\n    - https://twitter.com/aceresponder/status/1636116096506818562\n    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/\n    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/\n    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png\n    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2023/03/16\nmodified: 2023/09/18\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - cve.2023.23397\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        ParentCommandLine|contains: '-s WebClient'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: 'C:\\windows\\system32\\davclnt.dll,DavSetCookie'\n        CommandLine|re: '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n    filter_local_ips:\n        CommandLine|contains:\n            - '://10.' # 10.0.0.0/8\n            - '://192.168.' # 192.168.0.0/16\n            - '://172.16.' # 172.16.0.0/12\n            - '://172.17.'\n            - '://172.18.'\n            - '://172.19.'\n            - '://172.20.'\n            - '://172.21.'\n            - '://172.22.'\n            - '://172.23.'\n            - '://172.24.'\n            - '://172.25.'\n            - '://172.26.'\n            - '://172.27.'\n            - '://172.28.'\n            - '://172.29.'\n            - '://172.30.'\n            - '://172.31.'\n            - '://127.' # 127.0.0.0/8\n            - '://169.254.' # 169.254.0.0/16\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects instances of \"svchost.exe\" spawning \"rundll32.exe\" with specific command arguments related to WebDav, which could indicate exfiltration, code execution, or exploitation of CVE-2023-23397. The rule includes specific filters to exclude common local IP ranges and has a high level of confidence.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml",
        "creation_Date": "2024-08-07T17:56:20.204468",
        "modification_Date": "2024-08-07T20:37:07.492003",
        "lastUpdate_Date": "2024-08-07T20:37:07.492006",
        "sigmaRule": "title: Renamed Visual Studio Code Tunnel Execution\nid: 2cf29f11-e356-4f61-98c0-1bdb9393d6da\nstatus: test\ndescription: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://code.visualstudio.com/docs/remote/tunnels\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/28\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image_only_tunnel:\n        OriginalFileName: null\n        CommandLine|endswith: '.exe tunnel'\n    selection_image_tunnel_args:\n        CommandLine|contains|all:\n            - '.exe tunnel'\n            - '--name '\n            - '--accept-server-license-terms'\n    selection_image_tunnel_service:\n        CommandLine|contains|all:\n            - 'tunnel '\n            - 'service'\n            - 'internal-run'\n            - 'tunnel-service.log'\n    selection_parent_tunnel:\n        ParentCommandLine|endswith: ' tunnel'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '/d /c '\n            - '\\servers\\Stable-'\n            - 'code-server.cmd'\n    filter_main_parent_code:\n        ParentImage|endswith:\n            - '\\code-tunnel.exe'\n            - '\\code.exe'\n    filter_main_image_code:\n        Image|endswith:\n            - '\\code-tunnel.exe'\n            - '\\code.exe'\n    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects renamed Visual Studio Code tunnel execution, which attackers can exploit to establish a command and control channel. It includes various detection criteria based on process creation events in Windows. The rule was authored by Nasreddine Bencherchali and references related articles. The detection criteria involve identifying specific command line parameters and parent processes associated with Visual Studio Code tunnel execution. The rule has a high level of detection and potential false positives are listed as unknown.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml",
        "creation_Date": "2024-08-07T17:56:21.597034",
        "modification_Date": "2024-08-07T20:37:07.492049",
        "lastUpdate_Date": "2024-08-07T20:37:07.492052",
        "sigmaRule": "title: Winrar Compressing Dump Files\nid: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc\nrelated:\n    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7\n      type: similar\nstatus: test\ndescription: Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\nreferences:\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/01/04\nmodified: 2023/09/12\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\rar.exe'\n              - '\\winrar.exe'\n        - Description: 'Command line RAR'\n    selection_extension:\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of WinRAR with a command line in which \".dmp\" or \".dump\" appears accidentally\n    - Legitimate use of WinRAR to compress WER \".dmp\" files for troubleshooting\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of WinRAR to compress files with a \".dmp\" or \".dump\" extension, which could indicate a step in the process of dump file exfiltration. It provides specific selection criteria for detecting this activity and lists potential false positives, such as legitimate use of WinRAR for troubleshooting purposes. The rule is considered a medium-level detection.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml",
        "creation_Date": "2024-08-07T17:56:22.911602",
        "modification_Date": "2024-08-07T20:37:07.492096",
        "lastUpdate_Date": "2024-08-07T20:37:07.492099",
        "sigmaRule": "title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE\nid: 68bcd73b-37ef-49cb-95fc-edc809730be6\nrelated:\n    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant\n      type: similar\n    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae\n      type: similar\nstatus: test\ndescription: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts\nreferences:\n    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py\n    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/06/20\nmodified: 2023/09/11\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' service get '\n            - 'name,displayname,pathname,startmode'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential unquoted service path reconnaissance using Wmic.EXE, a known WMI reconnaissance method often used by pentesters and attackers. The rule looks for the presence of 'wmic.exe' in process creation events on Windows systems, along with specific command line parameters related to service path enumeration. The rule has a medium severity level and may have some false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml",
        "creation_Date": "2024-08-07T17:56:24.106430",
        "modification_Date": "2024-08-07T20:37:07.492142",
        "lastUpdate_Date": "2024-08-07T20:37:07.492145",
        "sigmaRule": "title: Application Terminated Via Wmic.EXE\nid: 49d9671b-0a0a-4c09-8280-d215bfd30662\nrelated:\n    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products\n      type: derived\nstatus: test\ndescription: Detects calls to the \"terminate\" function via wmic in order to kill an application\nreferences:\n    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/\n    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/09/11\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'call'\n            - 'terminate'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects calls to the \"terminate\" function via wmic.exe in order to kill an application on Windows systems. The rule includes specific conditions for detection based on process creation events. The rule is authored by Nasreddine Bencherchali from Nextron Systems and is currently in a test status. More information and references can be found in the description.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml",
        "creation_Date": "2024-08-07T17:56:25.362184",
        "modification_Date": "2024-08-07T20:37:07.492347",
        "lastUpdate_Date": "2024-08-07T20:37:07.492353",
        "sigmaRule": "title: Uncommon Microsoft Office Trusted Location Added\nid: f742bde7-9528-42e5-bd82-84f51a8387d2\nrelated:\n    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac\n      type: derived\nstatus: test\ndescription: Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.\nreferences:\n    - Internal Research\n    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/06/21\nmodified: 2023/09/29\ntags:\n    - attack.defense_evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Security\\Trusted Locations\\Location'\n        TargetObject|endswith: '\\Path'\n    filter_exclude_known_paths:\n        Details|contains:\n            - '%APPDATA%\\Microsoft\\Templates'\n            - '%%APPDATA%%\\Microsoft\\Templates'\n            - '%APPDATA%\\Microsoft\\Word\\Startup'\n            - '%%APPDATA%%\\Microsoft\\Word\\Startup'\n            - ':\\Program Files (x86)\\Microsoft Office\\root\\Templates\\'\n            - ':\\Program Files\\Microsoft Office (x86)\\Templates'\n            - ':\\Program Files\\Microsoft Office\\root\\Templates\\'\n            - ':\\Program Files\\Microsoft Office\\Templates\\'\n    filter_main_office_click_to_run:\n        Image|contains: ':\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_main_office_apps:\n        Image|contains:\n            - ':\\Program Files\\Microsoft Office\\'\n            - ':\\Program Files (x86)\\Microsoft Office\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*\nfalsepositives:\n    - Other unknown legitimate or custom paths need to be filtered to avoid false positives\nlevel: high\n",
        "summary": "This Sigma Rule detects changes to registry keys related to \"Trusted Location\" in Microsoft Office where the path is set to something uncommon. Attackers may add additional trusted locations to bypass macro security restrictions. The rule filters out known paths related to Microsoft Office templates and ClickToRun, reducing false positives.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_persistence_search_order.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_persistence_search_order.yml",
        "creation_Date": "2024-08-07T17:56:26.434109",
        "modification_Date": "2024-08-07T20:37:07.492432",
        "lastUpdate_Date": "2024-08-07T20:37:07.492436",
        "sigmaRule": "title: Potential Persistence Via COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: test\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n    - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut), oscd.community, C\u00e9dric Hien\ndate: 2020/04/14\nmodified: 2023/09/28\ntags:\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection: # Detect new COM servers in the user hive\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith: '\\InprocServer32\\(Default)'\n    filter_main_generic:\n        Details|contains: # Exclude privileged directories and observed FPs\n            - '%%systemroot%%\\system32\\'\n            - '%%systemroot%%\\SysWow64\\'\n    filter_main_onedrive:\n        Details|contains:\n            # Related To OneDrive\n            - '\\AppData\\Local\\Microsoft\\OneDrive\\'\n            - '\\FileCoAuthLib64.dll'\n            - '\\FileSyncShell64.dll'\n            - '\\FileSyncApi64.dll'\n    filter_main_health_service:\n        Image|endswith: ':\\WINDOWS\\system32\\SecurityHealthService.exe'\n    filter_main_teams:\n        Details|contains|all:\n            - '\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\'\n            - '\\Microsoft.Teams.AddinLoader.dll'\n    filter_main_dropbox:\n        Details|contains|all:\n            - '\\AppData\\Roaming\\Dropbox\\'\n            - '\\DropboxExt64.*.dll'\n    filter_main_trend_micro:\n        Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce\n    filter_main_update:\n        Image|endswith:\n            - ':\\WINDOWS\\system32\\wuauclt.exe'\n            - ':\\WINDOWS\\system32\\svchost.exe'\n    filter_main_defender:\n        Image|contains:\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - ':\\Program Files\\Windows Defender\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_main_nvidia:\n        Details|contains: '\\FileRepository\\nvmdi.inf'\n    filter_main_edge:\n        Image|endswith: '\\MicrosoftEdgeUpdateComRegisterShell64.exe'\n    filter_main_dx:\n        Image|endswith: ':\\WINDOWS\\SYSTEM32\\dxdiag.exe'\n    filter_main_python:\n        Details|endswith:\n            - ':\\Windows\\pyshellext.amd64.dll'\n            - ':\\Windows\\pyshellext.dll'\n    filter_main_bonjourlib:\n        Details|endswith:\n            - ':\\Windows\\system32\\dnssdX.dll'\n            - ':\\Windows\\SysWOW64\\dnssdX.dll'\n    filter_main_printextensionmanager:\n        Details|endswith: ':\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll'\n    filter_main_programfiles:\n        Details|contains:\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n    filter_main_programdata:\n        Details|contains: ':\\ProgramData\\Microsoft\\'\n    filter_main_gameservice:\n        Details|contains: ':\\WINDOWS\\system32\\GamingServicesProxy.dll'\n    filter_main_poqexec:\n        Image|endswith: ':\\Windows\\System32\\poqexec.exe'\n        Details|contains: ':\\Windows\\System32\\Autopilot.dll'\n    filter_main_sec_health_svc:\n        Image|endswith: ':\\Windows\\system32\\SecurityHealthService.exe'\n        Details|contains: ':\\Windows\\System32\\SecurityHealth'\n    filter_main_inprocserver:\n        Image|endswith:\n            - ':\\Windows\\System32\\poqexec.exe'\n            - ':\\Windows\\System32\\regsvr32.exe'\n        TargetObject|endswith: '\\InProcServer32\\(Default)'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential COM object hijacking by monitoring for new COM servers in the user hive that do not belong to privileged directories. It includes filters to exclude known false positives related to OneDrive, security health services, Microsoft Teams, Dropbox, TrendMicro, Windows updates, Windows Defender, NVIDIA, Microsoft Edge, DirectX, Python, Bonjour, printer extensions, program files, program data, game services, and specific executable files. The rule has a medium level of severity and may produce false positives for some installed utilities.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml",
        "creation_Date": "2024-08-07T17:56:28.175799",
        "modification_Date": "2024-08-07T20:37:07.492497",
        "lastUpdate_Date": "2024-08-07T20:37:07.492501",
        "sigmaRule": "title: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: test\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/19\nmodified: 2023/09/28\ntags:\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1548.002\n    - car.2019-04-001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\mscfile\\shell\\open\\command'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects a UAC bypass method using Windows Event Viewer by monitoring registry changes that involve a specific file path related to Event Viewer. The rule has a high level of severity and was created by Florian Roth.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/sysmon/sysmon_file_block_executable.yml": {
        "filename": "rules/windows/sysmon/sysmon_file_block_executable.yml",
        "creation_Date": "2024-08-07T17:56:29.201610",
        "modification_Date": "2024-08-07T20:37:07.492556",
        "lastUpdate_Date": "2024-08-07T20:37:07.492560",
        "sigmaRule": "title: Sysmon Blocked Executable\nid: 23b71bc5-953e-4971-be4c-c896cda73fc2\nstatus: test\ndescription: Triggers on any Sysmon \"FileBlockExecutable\" event, which indicates a violation of the configured block policy\nreferences:\n    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/16\nmodified: 2023/09/16\ntags:\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 27  # this is fine, we want to match any FileBlockExecutable event\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule triggers on any Sysmon \"FileBlockExecutable\" event, indicating a violation of the configured block policy. The rule has a high level of severity and is unlikely to result in false positives. It was authored by Nasreddine Bencherchali and last modified on September 16, 2023.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml": {
        "filename": "rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml",
        "creation_Date": "2024-08-07T17:56:30.215874",
        "modification_Date": "2024-08-07T20:37:07.492609",
        "lastUpdate_Date": "2024-08-07T20:37:07.492612",
        "sigmaRule": "title: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: test\ndescription: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers\nreferences:\n    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n    - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19\n    - https://github.com/RiccardoAncarani/LiquidSnake\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro\ndate: 2019/04/15\nmodified: 2023/09/09\ntags:\n    - attack.execution\n    - attack.t1059.005\nlogsource:\n    product: windows\n    category: wmi_event\ndetection:\n    selection_destination:\n        - Destination|contains|all:\n              - 'new-object'\n              - 'net.webclient'\n              - '.downloadstring'\n        - Destination|contains|all:\n              - 'new-object'\n              - 'net.webclient'\n              - '.downloadfile'\n        - Destination|contains:\n              - ' iex('\n              - ' -nop '\n              - ' -noprofile '\n              - ' -decode '\n              - ' -enc '\n              - 'WScript.Shell'\n              - 'System.Security.Cryptography.FromBase64Transform'\n    condition: selection_destination\nfields:\n    - User\n    - Operation\nfalsepositives:\n    - Legitimate administrative scripts\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious commands related to scripting or PowerShell in WMI Event Consumers. It looks for specific strings in the destination field such as 'new-object', 'net.webclient', '.downloadstring', 'iex(', '-nop', '-noprofile', '-decode', '-enc', 'WScript.Shell', and 'System.Security.Cryptography.FromBase64Transform'. False positives may occur with legitimate administrative scripts.",
        "modification_count": 5,
        "comment_history": [
            "Merge PR #4942 from @nasbench - promote older rules status from experimental to test"
        ]
    },
    "rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml": {
        "filename": "rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml",
        "creation_Date": "2024-08-07T17:59:36.070244",
        "modification_Date": "2024-08-07T17:59:36.070289",
        "lastUpdate_Date": "2024-08-07T17:59:36.981445",
        "sigmaRule": "title: Potential CSharp Streamer RAT Loading .NET Executable Image\nid: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82\nstatus: experimental\ndescription: |\n    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.\nreferences:\n    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections\n    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\nauthor: Luca Di Bartolomeo\ndate: 2024/06/22\ntags:\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|re: '\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool. The rule is tagged as high level and is considered experimental.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4885 from @LucaInfoSec - Add `Potential CSharp Streamer RAT Loading .NET Executable Image`"
        ]
    },
    "rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml": {
        "filename": "rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml",
        "creation_Date": "2024-08-07T17:59:36.994368",
        "modification_Date": "2024-08-07T17:59:36.994416",
        "lastUpdate_Date": "2024-08-07T17:59:39.554000",
        "sigmaRule": "title: Clipboard Data Collection Via Pbpaste\nid: d8af0da1-2959-40f9-a3e4-37a6aa1228b7\nstatus: experimental\ndescription: |\n    Detects execution of the \"pbpaste\" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).\n    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.\n    It can also be used in shell scripts that may require clipboard content as input.\n    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.\n    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.\nreferences:\n    - https://www.loobins.io/binaries/pbpaste/\n    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b\n    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF\nauthor: Daniel Cortez\ndate: 2024/07/30\ntags:\n    - attack.collection\n    - attack.credential_access\n    - attack.t1115\n    - detection.threat_hunting\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/pbpaste'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n",
        "summary": "- The rule detects the execution of the \"pbpaste\" utility in macOS, which retrieves clipboard contents and writes them to standard output.\n- The utility is commonly used to create files, pass content to other commands, or provide input in shell scripts.\n- Attackers can exploit this utility to access sensitive information, like passwords, from the user's clipboard.\n- The rule helps in hunting for potential misuse of the utility by examining the parent process and suspicious command line content.\n- References include links to information on the \"pbpaste\" utility and potential password dumping techniques on macOS.\n- The rule was authored by Daniel Cortez in July 2024 and is tagged with categories like attack collection, credential access, and threat hunting.\n- It applies to macOS process creation events where the image ends with '/pbpaste'.\n- False positives may occur with legitimate administrative actions, and the severity level is medium.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4929 from @DefenderDaniel - Add `Clipboard Data Collection Via Pbpaste`"
        ]
    },
    "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml": {
        "filename": "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml",
        "creation_Date": "2024-08-07T17:59:39.575905",
        "modification_Date": "2024-08-07T17:59:39.575954",
        "lastUpdate_Date": "2024-08-07T17:59:40.486687",
        "sigmaRule": "title: Access To Chromium Browsers Sensitive Files By Uncommon Applications\nid: c5f37810-a85f-4186-81e9-33f23abb4141\nstatus: experimental\ndescription: |\n    Detects file access requests to chromium based browser sensitive files by uncommon processes.\n    Could indicate potential attempt of stealing sensitive information.\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2024/07/29\ntags:\n    - attack.t1003\n    - attack.credential_access\n    - detection.threat_hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\User Data\\Default\\Cookies'\n            - '\\User Data\\Default\\History'\n            - '\\User Data\\Default\\Network\\Cookies'\n            - '\\User Data\\Default\\Web Data'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: low\n",
        "summary": "This Sigma Rule detects file access requests to sensitive files of Chromium-based browsers by uncommon processes, which could indicate an attempt to steal sensitive information. The rule includes specific file paths to monitor and filters out common system processes and known defender applications to reduce false positives. The level of detection is low.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules"
        ]
    },
    "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml": {
        "filename": "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml",
        "creation_Date": "2024-08-07T17:59:40.486782",
        "modification_Date": "2024-08-07T17:59:40.486794",
        "lastUpdate_Date": "2024-08-07T17:59:41.447372",
        "sigmaRule": "title: Access To Browser Credential Files By Uncommon Applications\nid: 91cb43db-302a-47e3-b3c8-7ede481e27bf\nstatus: experimental\ndescription: |\n    Detects file access requests to browser credential stores by uncommon processes.\n    Could indicate potential attempt of credential stealing.\n    Requires heavy baselining before usage\nreferences:\n    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users\n    - https://github.com/lclevy/firepwd\nauthor: frack113, X__Junior (Nextron Systems)\ndate: 2022/04/09\nmodified: 2024/07/29\ntags:\n    - attack.t1003\n    - attack.credential_access\n    - detection.threat_hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection_ie:\n        FileName|endswith: '\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat'\n    selection_firefox:\n        FileName|endswith:\n            - '\\cookies.sqlite'\n            - '\\places.sqlite'\n            - 'release\\key3.db'  # Firefox\n            - 'release\\key4.db'  # Firefox\n            - 'release\\logins.json' # Firefox\n    selection_chromium:\n        FileName|contains:\n            - '\\User Data\\Default\\Login Data'\n            - '\\User Data\\Local State'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: low\n",
        "summary": "This Sigma rule detects file access requests to browser credential stores by uncommon processes, which could indicate potential credential stealing. It requires heavy baselining before usage and has specific selection criteria for Internet Explorer, Firefox, and Chromium browser files. The rule includes filters to avoid false positives from specific software types.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules"
        ]
    },
    "rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml": {
        "filename": "rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml",
        "creation_Date": "2024-08-07T17:59:41.447474",
        "modification_Date": "2024-08-07T17:59:41.447486",
        "lastUpdate_Date": "2024-08-07T17:59:42.627565",
        "sigmaRule": "title: Access To Windows Outlook Mail Files By Uncommon Applications\nid: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f\nstatus: experimental\ndescription: |\n    Detects file access requests to Windows Outlook Mail by uncommon processes.\n    Could indicate potential attempt of credential stealing.\n    Requires heavy baselining before usage\nreferences:\n    - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2\n    - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows\nauthor: frack113\ndate: 2024/05/10\nmodified: 2024/07/29\ntags:\n    - attack.t1070.008\n    - attack.defense_evasion\n    - detection.threat_hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection_unistore:\n        FileName|contains: '\\AppData\\Local\\Comms\\Unistore\\data'\n    selection_unistoredb:\n        FileName|endswith: '\\AppData\\Local\\Comms\\UnistoreDB\\store.vol'\n    filter_main_system:\n        Image: 'System'\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\n# Note: Increase after initial baseline\nlevel: low\n",
        "summary": "This Sigma Rule detects file access requests to Windows Outlook Mail by uncommon processes, which could indicate a potential attempt of credential stealing. It requires heavy baselining before usage to minimize false positives. The rule includes filters to avoid false positives from third-party software, antivirus, backup software, and legitimate software installed on partitions other than \"C:\\\". The rule has a low severity level.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules"
        ]
    },
    "rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml": {
        "filename": "rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml",
        "creation_Date": "2024-08-07T17:59:42.627816",
        "modification_Date": "2024-08-07T17:59:42.627828",
        "lastUpdate_Date": "2024-08-07T17:59:43.801042",
        "sigmaRule": "title: Access To .Reg/.Hive Files By Uncommon Applications\nid: 337a31c6-46c4-46be-886a-260d7aa78cac\nstatus: experimental\ndescription: Detects file access requests to files ending with either the \".hive\"/\".reg\" extension, usually associated with Windows Registry backups.\nreferences:\n    - https://github.com/tccontre/Reg-Restore-Persistence-Mole\nauthor: frack113\ndate: 2023/09/15\nmodified: 2024/07/29\ntags:\n    - attack.t1112\n    - attack.defense_evasion\n    - detection.threat_hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith:\n            - '.hive'\n            - '.reg'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.\nlevel: low\n",
        "summary": "This Sigma Rule detects file access requests to files ending with either the \".hive\" or \".reg\" extension, commonly associated with Windows Registry backups. It specifies requirements for the Microsoft-Windows-Kernel-File ETW provider and includes filters to exclude common system directories. The rule has a low level of severity and may result in false positives from third-party software installed in the user context.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_browsers_credential_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_browsers_credential_access.yml",
        "creation_Date": "2024-08-07T17:59:43.801140",
        "modification_Date": "2024-08-07T18:00:49.269194",
        "lastUpdate_Date": "2024-08-07T18:00:49.269216",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, an error message should be displayed or an appropriate response should be provided to inform the user.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml",
        "creation_Date": "2024-08-07T17:59:44.510851",
        "modification_Date": "2024-08-07T18:00:50.749308",
        "lastUpdate_Date": "2024-08-07T18:00:50.749323",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, an error will occur.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml",
        "creation_Date": "2024-08-07T17:59:45.069228",
        "modification_Date": "2024-08-07T18:00:52.574491",
        "lastUpdate_Date": "2024-08-07T18:00:52.574505",
        "sigmaRule": "title: Credential Manager Access By Uncommon Applications\nid: 407aecb1-e762-4acf-8c7b-d087bcff3bb6\nstatus: experimental\ndescription: |\n    Detects suspicious processes based on name and location that access the windows credential manager and vault.\n    Which can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\nreferences:\n    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/11\nmodified: 2024/07/29\ntags:\n    - attack.t1003\n    - attack.credential_access\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\AppData\\Local\\Microsoft\\Credentials\\'\n            - '\\AppData\\Roaming\\Microsoft\\Credentials\\'\n            - '\\AppData\\Local\\Microsoft\\Vault\\'\n            - '\\ProgramData\\Microsoft\\Vault\\'\n    filter_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason).\n# Increase level after false positives filters are good enough\nlevel: medium\n",
        "summary": "This Sigma Rule detects suspicious processes that access the Windows credential manager and vault, which can indicate credential stealing. It looks for processes in specific file paths related to the credential manager and vault, while filtering out legitimate system folders. The rule may have false positives with legitimate software accessing these files. The rule has a medium level of severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_credhist.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_credhist.yml",
        "creation_Date": "2024-08-07T17:59:46.082174",
        "modification_Date": "2024-08-07T18:00:52.574730",
        "lastUpdate_Date": "2024-08-07T18:00:52.574741",
        "sigmaRule": "title: Access To Windows Credential History File By Uncommon Applications\nid: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2\nstatus: experimental\ndescription: |\n    Detects file access requests to the Windows Credential History File by an uncommon application.\n    This can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\nreferences:\n    - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist\n    - https://www.passcape.com/windows_password_recovery_dpapi_credhist\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/17\nmodified: 2024/07/29\ntags:\n    - attack.credential_access\n    - attack.t1555.004\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith: '\\Microsoft\\Protect\\CREDHIST'\n    filter_main_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\n# Increase level after false positives filters are good enough\nlevel: medium\n",
        "summary": "This Sigma Rule detects file access requests to the Windows Credential History File by an uncommon application, which could indicate credential stealing activities. The rule focuses on detecting usage of the mimikatz \"dpapi::credhist\" function. It specifies file paths and system folders to filter out common applications and excludes file access requests initiated by Windows Explorer. The rule is currently tagged as experimental and has a medium detection level.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml",
        "creation_Date": "2024-08-07T17:59:47.551082",
        "modification_Date": "2024-08-07T17:59:47.551094",
        "lastUpdate_Date": "2024-08-07T17:59:49.363026",
        "sigmaRule": "title: Access To Crypto Currency Wallets By Uncommon Applications\nid: f41b0311-44f9-44f0-816d-dd45e39d4bc8\nstatus: experimental\ndescription: |\n    Detects file access requests to crypto currency files by uncommon processes.\n    Could indicate potential attempt of crypto currency wallet stealing.\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2024/07/29\ntags:\n    - attack.t1003\n    - attack.credential_access\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        - FileName|contains:\n              - '\\AppData\\Roaming\\Ethereum\\keystore\\'\n              - '\\AppData\\Roaming\\EthereumClassic\\keystore\\'\n              - '\\AppData\\Roaming\\monero\\wallets\\'\n        - FileName|endswith:\n              - '\\AppData\\Roaming\\Bitcoin\\wallet.dat'\n              - '\\AppData\\Roaming\\BitcoinABC\\wallet.dat'\n              - '\\AppData\\Roaming\\BitcoinSV\\wallet.dat'\n              - '\\AppData\\Roaming\\DashCore\\wallet.dat'\n              - '\\AppData\\Roaming\\DogeCoin\\wallet.dat'\n              - '\\AppData\\Roaming\\Litecoin\\wallet.dat'\n              - '\\AppData\\Roaming\\Ripple\\wallet.dat'\n              - '\\AppData\\Roaming\\Zcash\\wallet.dat'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: medium\n",
        "summary": "This Sigma Rule detects file access requests to crypto currency files by uncommon processes, which could indicate potential attempts of stealing crypto currency wallets. The rule focuses on specific file paths related to Ethereum, Monero, Bitcoin, Dash, DogeCoin, Litecoin, Ripple, Zcash, and other cryptocurrencies. It includes filters to avoid false positives from antivirus, backup software, and other legitimate applications. The rule is tagged as attack.t1003 and attack.credential_access, and has a medium severity level.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml",
        "creation_Date": "2024-08-07T17:59:49.363107",
        "modification_Date": "2024-08-07T18:00:52.574931",
        "lastUpdate_Date": "2024-08-07T18:00:52.574942",
        "sigmaRule": "title: Access To Windows DPAPI Master Keys By Uncommon Applications\nid: 46612ae6-86be-4802-bc07-39b59feb1309\nstatus: experimental\ndescription: |\n    Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.\n    This can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\nreferences:\n    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/\n    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/17\nmodified: 2024/07/29\ntags:\n    - attack.credential_access\n    - attack.t1555.004\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\Microsoft\\Protect\\S-1-5-18\\' # For System32\n            - '\\Microsoft\\Protect\\S-1-5-21-' # For Users\n    filter_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\n# Increase level after false positives filters are good enough\nlevel: medium\n",
        "summary": "This Sigma rule detects file access requests to the Windows Data Protection API Master keys by uncommon applications, which could indicate credential stealing. It includes references to resources on offensive user DPAPI abuse and extracting passwords. The rule specifies criteria for detecting such activity in the file_access category on Windows systems using the Microsoft-Windows-Kernel-File ETW provider. The rule's author is Nasreddine Bencherchali, and it was last modified on July 29, 2024.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_gpo_files.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_gpo_files.yml",
        "creation_Date": "2024-08-07T17:59:50.668345",
        "modification_Date": "2024-08-07T18:00:53.392981",
        "lastUpdate_Date": "2024-08-07T18:00:53.393007",
        "sigmaRule": "title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications\nid: d51694fe-484a-46ac-92d6-969e76d60d10\nrelated:\n    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0\n      type: derived\nstatus: experimental\ndescription: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.\nreferences:\n    - https://github.com/vletoux/pingcastle\nauthor: frack113\ndate: 2023/12/21\nmodified: 2024/07/29\ntags:\n    - attack.credential_access\n    - attack.t1552.006\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|startswith: '\\\\'\n        FileName|contains|all:\n            - '\\sysvol\\'\n            - '\\Policies\\'\n        FileName|endswith:\n            - 'audit.csv'\n            - 'Files.xml'\n            - 'GptTmpl.inf'\n            - 'groups.xml'\n            - 'Registry.pol'\n            - 'Registry.xml'\n            - 'scheduledtasks.xml'\n            - 'scripts.ini'\n            - 'services.xml'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects file access requests to potentially sensitive files hosted on the Windows Sysvol share by uncommon applications that do not fall under the specified filter conditions. It specifies file names and paths to be monitored and includes filters for common system locations. The rule aims to prevent unauthorized access to sensitive information stored in Sysvol files.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_reg_and_hive.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_reg_and_hive.yml",
        "creation_Date": "2024-08-07T17:59:51.636253",
        "modification_Date": "2024-08-07T18:00:53.393194",
        "lastUpdate_Date": "2024-08-07T18:00:53.393205",
        "sigmaRule": "file does not exist",
        "summary": "If a file cannot be found, it does not exist.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml",
        "creation_Date": "2024-08-07T17:59:52.295300",
        "modification_Date": "2024-08-07T18:00:53.393416",
        "lastUpdate_Date": "2024-08-07T18:00:53.393427",
        "sigmaRule": "title: Microsoft Teams Sensitive File Access By Uncommon Applications\nid: 65744385-8541-44a6-8630-ffc824d7d4cc\nstatus: experimental\ndescription: |\n    Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1528\nlogsource:\n    product: windows\n    category: file_access\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter_main_legit_location:\n        # Note: its best to filter the full path to avoid false negatives\n        Image|endswith: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by uncommon processes. It provides references to articles about security vulnerabilities related to Microsoft Teams storing authentication tokens as cleartext. The rule is in an experimental status, authored by '@SerkinValery', and tagged with attack.credential_access and attack.t1528. It specifies the logsource as Windows file access events, requiring the Microsoft-Windows-Kernel-File ETW provider. The detection criteria include specific file names and filtering out legitimate access by the Teams.exe process. There are no listed false positives, and the rule is classified as medium severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge PR #4934 from @X-Junior - Update and add new `file_access` rules",
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "deprecated/windows/file_event_win_susp_clr_logs.yml": {
        "filename": "deprecated/windows/file_event_win_susp_clr_logs.yml",
        "creation_Date": "2024-08-07T17:59:53.984946",
        "modification_Date": "2024-08-07T17:59:53.984993",
        "lastUpdate_Date": "2024-08-07T17:59:55.509546",
        "sigmaRule": "title: Suspicious CLR Logs Creation\nid: e4b63079-6198-405c-abd7-3fe8b0ce3263\nstatus: deprecated\ndescription: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.\nreferences:\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\n    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\n    - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml\nauthor: omkar72, oscd.community, Wojciech Lesicki\ndate: 2020/10/12\nmodified: 2023/01/05\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1059.001\n    - attack.t1218\nlogsource:\n    category: file_event\n    product: windows\n    definition: Check your sysmon configuration for monitoring UsageLogs folder. In SwiftOnSecurity configuration we have that thanks @SBousseaden\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Microsoft\\CLR'\n            - '\\UsageLogs\\'\n        TargetFilename|contains:\n            - 'mshta'\n            - 'cscript'\n            - 'wscript'\n            - 'regsvr32'\n            - 'wmic'\n            - 'rundll32'\n            - 'svchost'\n    condition: selection\nfalsepositives:\n    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious .NET assembly executions by monitoring the creation of CLR logs in the UsageLogs folder on Windows systems. It specifically looks for certain file names related to common tools like mshta, cscript, wscript, regsvr32, wmic, rundll32, and svchost. The rule was deprecated on January 5, 2023, and may have false positives in cases involving Rundll32.exe with specific command line parameters. The rule provides references to blog posts and GitHub repositories for additional context and detection implementation.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml": {
        "filename": "rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml",
        "creation_Date": "2024-08-07T17:59:55.509632",
        "modification_Date": "2024-08-07T17:59:55.509643",
        "lastUpdate_Date": "2024-08-07T17:59:56.557997",
        "sigmaRule": "title: DNS RCE CVE-2020-1350\nid: b5281f31-f9cc-4d0d-95d0-45b91c45b487\nstatus: test\ndescription: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process\nreferences:\n    - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\n    - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020/07/15\nmodified: 2022/07/12\ntags:\n    - attack.initial_access\n    - attack.t1190\n    - attack.execution\n    - attack.t1569.002\n    - cve.2020.1350\n    - detection.emerging_threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\System32\\dns.exe'\n    filter:\n        Image|endswith:\n            - '\\System32\\werfault.exe'\n            - '\\System32\\conhost.exe'\n            - '\\System32\\dnscmd.exe'\n            - '\\System32\\dns.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown but benign sub processes of the Windows DNS service dns.exe\nlevel: critical\n",
        "summary": "This Sigma Rule detects exploitation of the DNS Remote Code Execution (RCE) vulnerability reported in CVE-2020-1350 by identifying suspicious subprocesses. The rule looks for specific image paths related to the Windows DNS service and filters out known benign subprocesses to reduce false positives. It has a critical level of severity when triggered.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml": {
        "filename": "rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml",
        "creation_Date": "2024-08-07T17:59:56.558039",
        "modification_Date": "2024-08-07T17:59:56.558043",
        "lastUpdate_Date": "2024-08-07T17:59:57.814208",
        "sigmaRule": "title: Remote Task Creation via ATSVC Named Pipe - Zeek\nid: dde85b37-40cd-4a94-b00c-0b8794f956b5\nrelated:\n    - id: f6de6525-4509-495a-8a82-1f8b0ed73a00\n      type: derived\nstatus: test\ndescription: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe\nreferences:\n    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nauthor: 'Samir Bousseaden, @neu5rn'\ndate: 2020/04/03\nmodified: 2022/12/27\ntags:\n    - attack.lateral_movement\n    - attack.persistence\n    - car.2013-05-004\n    - car.2015-04-001\n    - attack.t1053.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path: '\\\\\\*\\IPC$'\n        name: 'atsvc'\n        # Accesses: '*WriteData*'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This rule detects remote task creation via at.exe or API interacting with the ATSVC named pipe in Zeek, with a medium severity level. The rule looks for activity on the '\\\\*\\IPC$' path with the name 'atsvc' and the access pattern '*WriteData*'. There are no specific false positives identified for this rule.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml": {
        "filename": "rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml",
        "creation_Date": "2024-08-07T17:59:57.814286",
        "modification_Date": "2024-08-07T17:59:57.814297",
        "lastUpdate_Date": "2024-08-07T17:59:59.207945",
        "sigmaRule": "title: Possible Impacket SecretDump Remote Activity - Zeek\nid: 92dae1ed-1c9d-4eff-a567-33acbd95b00e\nstatus: test\ndescription: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'\nreferences:\n    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nauthor: 'Samir Bousseaden, @neu5ron'\ndate: 2020/03/19\nmodified: 2021/11/27\ntags:\n    - attack.credential_access\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.003\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path|contains|all:\n            - '\\'\n            - 'ADMIN$'\n        name|contains: 'SYSTEM32\\'\n        name|endswith: '.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule is designed to detect possible AD credential dumping using impacket secretdump HKTL activity. It is based on the SIGMA rule for Windows systems. The rule looks for specific indicators in Zeek logs related to SMB file activity, such as paths containing '\\', 'ADMIN$', file names containing 'SYSTEM32\\', and files ending with '.tmp'. The detection level is set to high, with no known false positives listed. The rule was authored by Samir Bousseaden and last modified on November 27, 2021.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml": {
        "filename": "rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml",
        "creation_Date": "2024-08-07T17:59:59.208029",
        "modification_Date": "2024-08-07T17:59:59.208040",
        "lastUpdate_Date": "2024-08-07T18:00:00.647768",
        "sigmaRule": "title: Suspicious PsExec Execution - Zeek\nid: f1b3a22a-45e6-4004-afb5-4291f9c21166\nrelated:\n    - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\n      type: derived\nstatus: test\ndescription: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Samir Bousseaden, @neu5ron, Tim Shelton\ndate: 2020/04/02\nmodified: 2022/12/27\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path|contains|all:\n            - '\\\\'\n            - '\\IPC$'\n        name|endswith:\n            - '-stdin'\n            - '-stdout'\n            - '-stderr'\n    filter:\n        name|startswith: 'PSEXESVC'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious execution of PsExec or PaExec with a renamed service name. It helps filter out noise when PsExec is used for legitimate purposes or if the attacker uses a different PsExec client. The rule specifies criteria for selection and filtering to identify potential malicious activity. The rule is considered to have a high level of importance.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/builtin/security/win_security_account_discovery.yml": {
        "filename": "rules/windows/builtin/security/win_security_account_discovery.yml",
        "creation_Date": "2024-08-07T18:00:00.647841",
        "modification_Date": "2024-08-07T18:00:00.647851",
        "lastUpdate_Date": "2024-08-07T18:00:01.907136",
        "sigmaRule": "title: AD Privileged Users or Groups Reconnaissance\nid: 35ba1d85-724d-42a3-889f-2e2362bcaf23\nstatus: test\ndescription: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs\nreferences:\n    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html\nauthor: Samir Bousseaden\ndate: 2019/04/03\nmodified: 2022/07/13\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'\ndetection:\n    selection:\n        EventID: 4661\n        ObjectType:\n            - 'SAM_USER'\n            - 'SAM_GROUP'\n    selection_object:\n        - ObjectName|endswith:\n              - '-512'\n              - '-502'\n              - '-500'\n              - '-505'\n              - '-519'\n              - '-520'\n              - '-544'\n              - '-551'\n              - '-555'\n        - ObjectName|contains: 'admin'\n    filter:\n        SubjectUserName|endswith: '$'\n    condition: selection and selection_object and not filter\nfalsepositives:\n    - If source account name is not an admin then its super suspicious\nlevel: high\n",
        "summary": "This Sigma rule detects reconnaissance activities by privileged users or groups based on EventID 4661 and known privileged users or groups SIDs. It requires enabling Object Access SAM on Domain Controllers. The rule looks for specific ObjectTypes (SAM_USER, SAM_GROUP), ObjectNames (ending with specific SIDs or containing 'admin'), and filters out non-administrative SubjectUserNames. It has a high detection level and provides a false positive if the source account name is not an admin.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/builtin/security/win_security_impacket_psexec.yml": {
        "filename": "rules/windows/builtin/security/win_security_impacket_psexec.yml",
        "creation_Date": "2024-08-07T18:00:01.907550",
        "modification_Date": "2024-08-07T18:00:01.907559",
        "lastUpdate_Date": "2024-08-07T18:00:03.355612",
        "sigmaRule": "title: Impacket PsExec Execution\nid: 32d56ea1-417f-44ff-822b-882873f5f43b\nstatus: test\ndescription: Detects execution of Impacket's psexec.py.\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Bhabesh Raj\ndate: 2020/12/14\nmodified: 2022/09/22\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName|contains:\n            - 'RemCom_stdin'\n            - 'RemCom_stdout'\n            - 'RemCom_stderr'\n    condition: selection1\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects the execution of Impacket's psexec.py tool by looking for specific event IDs, share names, and file names on Windows systems. The rule requires the audit policy setting \"Object Access > Audit Detailed File Share\" to be configured for Success/Failure. This detection is classified as a high level threat related to lateral movement and T1021.002 attack techniques.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/builtin/security/win_security_impacket_secretdump.yml": {
        "filename": "rules/windows/builtin/security/win_security_impacket_secretdump.yml",
        "creation_Date": "2024-08-07T18:00:03.355686",
        "modification_Date": "2024-08-07T18:00:03.355697",
        "lastUpdate_Date": "2024-08-07T18:00:04.465679",
        "sigmaRule": "title: Possible Impacket SecretDump Remote Activity\nid: 252902e3-5830-4cf6-bf21-c22083dfd5cf\nstatus: test\ndescription: Detect AD credential dumping using impacket secretdump HKTL\nreferences:\n    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nauthor: Samir Bousseaden, wagga\ndate: 2019/04/03\nmodified: 2022/08/11\ntags:\n    - attack.credential_access\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.003\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\ADMIN$'  # looking for the string  \\\\*\\ADMIN$\n        RelativeTargetName|contains|all:\n            - 'SYSTEM32\\'\n            - '.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects possible AD credential dumping using Impacket SecretDump HKTL by looking for Event ID 5145 with specific share and file name patterns on a Windows security log. The rule requires the advanced audit policy setting \"Object Access > Audit Detailed File Share\" to be configured for Success/Failure. False positives are unknown, and the level of detection is considered high.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/builtin/security/win_security_susp_psexec.yml": {
        "filename": "rules/windows/builtin/security/win_security_susp_psexec.yml",
        "creation_Date": "2024-08-07T18:00:04.465766",
        "modification_Date": "2024-08-07T18:00:04.465788",
        "lastUpdate_Date": "2024-08-07T18:00:06.387766",
        "sigmaRule": "title: Suspicious PsExec Execution\nid: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\nstatus: test\ndescription: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Samir Bousseaden\ndate: 2019/04/03\nmodified: 2022/08/11\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName|endswith:\n            - '-stdin'\n            - '-stdout'\n            - '-stderr'\n    filter:\n        RelativeTargetName|startswith: 'PSEXESVC'\n    condition: selection1 and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious execution of PsExec or PAExec with a renamed service name. It helps filter out noise from legitimate PsExec usage or if an attacker uses a different PsExec client. The rule is based on the advanced audit policy setting \"Object Access > Audit Detailed File Share\" for Success/Failure. The detection criteria include looking for specific EventID 5145 with ShareName '\\\\*\\IPC$', and filtering for files starting with 'PSEXESVC' but ending with '-stdin', '-stdout', or '-stderr'. The rule's author is Samir Bousseaden, and it was last modified on August 11, 2022.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/file/file_event/file_event_win_net_cli_artefact.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_net_cli_artefact.yml",
        "creation_Date": "2024-08-07T18:00:06.388192",
        "modification_Date": "2024-08-07T18:00:06.388201",
        "lastUpdate_Date": "2024-08-07T18:00:07.889796",
        "sigmaRule": "title: Suspicious DotNET CLR Usage Log Artifact\nid: e0b06658-7d1d-4cd3-bf15-03467507ff7c\nrelated:\n    - id: 4508a70e-97ef-4300-b62b-ff27992990ea\n      type: derived\n    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263\n      type: obsoletes\nstatus: test\ndescription: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.\nreferences:\n    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\n    - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml\n    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\nauthor: frack113, omkar72, oscd.community, Wojciech Lesicki\ndate: 2022/11/18\nmodified: 2023/02/23\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: file_event\n    product: windows\n    definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\UsageLogs\\cmstp.exe.log'\n            - '\\UsageLogs\\cscript.exe.log'\n            - '\\UsageLogs\\mshta.exe.log'\n            - '\\UsageLogs\\msxsl.exe.log'\n            - '\\UsageLogs\\regsvr32.exe.log'\n            - '\\UsageLogs\\rundll32.exe.log'\n            - '\\UsageLogs\\svchost.exe.log'\n            - '\\UsageLogs\\wscript.exe.log'\n            - '\\UsageLogs\\wmic.exe.log'\n    filter_main_rundll32:\n        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity\n        ParentImage|endswith: '\\MsiExec.exe'\n        ParentCommandLine|contains: ' -Embedding'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains|all:\n            - 'Temp'\n            - 'zzzzInvokeManagedCustomActionOutOfProc'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675\nlevel: high\n",
        "summary": "This Sigma rule detects the creation of Usage Log files by the Common Language Runtime (CLR) in DotNET applications. These log files are named after the executing process once the assembly is finished executing for the first time in the user session context. The rule provides detection criteria, such as specific file names and associated processes, to identify suspicious activity. Additionally, it includes filters to reduce false positives. The rule is tagged with defense evasion and refers to related articles for further investigation.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml": {
        "filename": "rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml",
        "creation_Date": "2024-08-07T18:00:07.889987",
        "modification_Date": "2024-08-07T18:00:07.889999",
        "lastUpdate_Date": "2024-08-07T18:00:09.388761",
        "sigmaRule": "title: DotNet CLR DLL Loaded By Scripting Applications\nid: 4508a70e-97ef-4300-b62b-ff27992990ea\nstatus: test\ndescription: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.\nreferences:\n    - https://github.com/tyranid/DotNetToJScript\n    - https://thewover.github.io/Introducing-Donut/\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\n    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008\nauthor: omkar72, oscd.community\ndate: 2020/10/14\nmodified: 2023/02/23\ntags:\n    - attack.execution\n    - attack.privilege_escalation\n    - attack.t1055\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmstp.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\msxsl.exe'\n            - '\\regsvr32.exe'\n            # - '\\svchost.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n        ImageLoaded|endswith:\n            - '\\clr.dll'\n            - '\\mscoree.dll'\n            - '\\mscorlib.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects .NET CLR DLLs being loaded by scripting applications like wscript or cscript, which could indicate potential suspicious execution. It provides references to tools like DotNetToJScript and Donut, and includes detection criteria for specific image names and DLL files being loaded. This rule is considered high level and falls under the tags of attack.execution, attack.privilege_escalation, and attack.t1055.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules/windows/process_access/proc_access_win_lsass_memdump.yml": {
        "filename": "rules/windows/process_access/proc_access_win_lsass_memdump.yml",
        "creation_Date": "2024-08-07T18:00:09.388865",
        "modification_Date": "2024-08-07T18:00:09.388916",
        "lastUpdate_Date": "2024-08-07T18:00:10.838326",
        "sigmaRule": "title: Potential Credential Dumping Activity Via LSASS\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: |\n    Detects process access requests to the LSASS process with specific call trace calls and access masks.\n    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.\nreferences:\n    - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md\n    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/\nauthor: Samir Bousseaden, Michael Haag\ndate: 2019/04/03\nmodified: 2024/03/02\ntags:\n    - attack.credential_access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|contains:\n            - '0x1038'\n            - '0x1438'\n            - '0x143a'\n            - '0x1fffff' # Too many false positives\n            # - '0x01000'  # Too many false positives\n            # - '0x1010'   # Too many false positives\n            # - '0x1400'  # Too many false positives\n            # - '0x1410' # Too many false positives\n            # - '0x40'   # Too many false positives\n        CallTrace|contains:\n            - 'dbgcore.dll'\n            - 'dbghelp.dll'\n            - 'kernel32.dll'\n            - 'kernelbase.dll'\n            - 'ntdll.dll'\n    filter_main_system_user:\n        SourceUser|contains: # Covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_optional_thor:\n        CallTrace|contains|all:\n            - ':\\Windows\\Temp\\asgard2-agent\\'\n            - '\\thor\\thor64.exe+'\n            - '|UNKNOWN('\n        GrantedAccess: '0x103800'\n    filter_optional_sysmon:\n        SourceImage|endswith: ':\\Windows\\Sysmon64.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects potential credential dumping activity via the LSASS process by monitoring process access requests with specific call trace calls and access masks. This behavior is commonly seen in credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump, and Taskmgr dumping feature. The rule includes specific selection criteria, filters, and conditions to reduce false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net`"
        ]
    },
    "rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml": {
        "filename": "rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml",
        "creation_Date": "2024-08-07T18:00:10.859596",
        "modification_Date": "2024-08-07T18:00:10.859658",
        "lastUpdate_Date": "2024-08-07T18:00:13.012222",
        "sigmaRule": "title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group\nid: c408acfe-2870-41df-8d2f-9f4daa4555ed\nstatus: experimental\ndescription: |\n    Detects execution of the \"net.exe\" command in order to add a group named \"ESX Admins\".\n    This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\n    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\nauthor: frack113\ndate: 2024/07/29\ntags:\n    - attack.execution\n    - cve.2024.37085\n    - detection.emerging_threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_net_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_net_cmd:\n        CommandLine|contains|all:\n            - '/add'\n            - '/domain'\n            - 'ESX Admins'\n            - 'group'\n    selection_powershell_img:\n        - Image|endswith:\n              - '\\PowerShell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.exe'\n              - 'pwsh.dll'\n    selection_powershell_cli:\n        CommandLine|contains|all:\n            - 'New-ADGroup'\n            - 'ESX Admins'\n    condition: all of selection_net_* or all of selection_powershell_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution of the \"net.exe\" command to add a group named \"ESX Admins\", which could indicate a potential exploitation attempt of CVE-2024-37085. This vulnerability allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. The detection criteria include specific commands and processes related to adding the \"ESX Admins\" group.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules"
        ]
    },
    "rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml": {
        "filename": "rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml",
        "creation_Date": "2024-08-07T18:00:13.012316",
        "modification_Date": "2024-08-07T18:00:13.012327",
        "lastUpdate_Date": "2024-08-07T18:00:14.696413",
        "sigmaRule": "title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity\nid: 47a1658b-67a4-48e2-8ab1-c10437fc0148\nstatus: experimental\ndescription: |\n    Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\n    This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\n    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/30\ntags:\n    - attack.execution\n    - cve.2024.37085\n    - detection.emerging_threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4727\n            - 4728\n            - 4731\n            - 4737\n            - 4754\n            - 4755\n            - 4756\n    keyword_group:\n        - 'ESX Admins'\n    condition: selection and keyword_group\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects any creation or modification of a Windows domain group named \"ESX Admins\", which may indicate a potential exploitation attempt of CVE-2024-37085. This vulnerability allows attackers to gain full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors consider any member of the \"ESX Admins\" domain group to have full administrative access. The rule specifies Event IDs and keywords to look for in Windows security logs to detect this suspicious activity. The level of this rule is set to high.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules"
        ]
    },
    "rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml": {
        "filename": "rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml",
        "creation_Date": "2024-08-07T18:00:14.713460",
        "modification_Date": "2024-08-07T18:00:14.713503",
        "lastUpdate_Date": "2024-08-07T18:00:16.115872",
        "sigmaRule": "title: Github Fork Private Repositories Setting Enabled/Cleared\nid: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294\nstatus: experimental\ndescription: |\n    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024/07/29\ntags:\n    - attack.persistence\n    - attack.t1020\n    - attack.t1537\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.\n            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n",
        "summary": "This Sigma rule detects changes in the policy setting that allows forks of private and internal repositories on Github. It looks for events where the policy setting is either enabled or cleared by an enterprise owner. The rule considers such events as potential indicators of an attack persistence tactic (T1020) or an abuse of functionality (T1537). This rule is categorized as experimental and has a medium level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4931 from @romain-gaillard - Add additional GitHub audit detection rules "
        ]
    },
    "rules/cloud/github/github_repo_or_org_transferred.yml": {
        "filename": "rules/cloud/github/github_repo_or_org_transferred.yml",
        "creation_Date": "2024-08-07T18:00:16.115998",
        "modification_Date": "2024-08-07T18:00:16.116013",
        "lastUpdate_Date": "2024-08-07T18:00:17.911642",
        "sigmaRule": "title: Github Repository/Organization Transferred\nid: 04ad83ef-1a37-4c10-b57a-81092164bf33\nstatus: experimental\ndescription: Detects when a repository or an organization is being transferred to another location.\nreferences:\n    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository\n    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership\n    - https://docs.github.com/en/migrations\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024/07/29\ntags:\n    - attack.persistence\n    - attack.t1020\n    - attack.t1537\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.\n            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.\n            - 'org.transfer' # An organization was transferred between enterprise accounts.\n            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n",
        "summary": "This Sigma rule detects when a repository or an organization is being transferred to another location on Github. It provides references to Github documentation on transferring repositories and organizations, as well as on migrations. The rule specifies actions to detect such transfers, such as creating a migration file or transferring organizations and repositories between accounts. The rule requires enabling the audit log streaming feature to receive relevant logs. It notes that administrative activities may also trigger false positives. The rule is categorized as having a medium level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4931 from @romain-gaillard - Add additional GitHub audit detection rules "
        ]
    },
    "rules/cloud/github/github_ssh_certificate_config_changed.yml": {
        "filename": "rules/cloud/github/github_ssh_certificate_config_changed.yml",
        "creation_Date": "2024-08-07T18:00:17.911729",
        "modification_Date": "2024-08-07T18:00:17.911741",
        "lastUpdate_Date": "2024-08-07T18:00:19.331931",
        "sigmaRule": "title: Github SSH Certificate Configuration Changed\nid: 2f575940-d85e-4ddc-af13-17dad6f1a0ef\nstatus: experimental\ndescription: Detects when changes are made to the SSH certificate configuration of the organization.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024/07/29\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1078.004\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.\n            - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n",
        "summary": "This Sigma rule detects changes made to the SSH certificate configuration of an organization on GitHub. It monitors for events such as creating an SSH certificate authority or disabling the requirement for members to use SSH certificates for access. To use this rule, the audit log streaming feature must be enabled on GitHub. The rule is classified as medium severity and may have false positives in the case of allowed administrative activities.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4931 from @romain-gaillard - Add additional GitHub audit detection rules "
        ]
    },
    "rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml": {
        "filename": "rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml",
        "creation_Date": "2024-08-07T18:00:19.365753",
        "modification_Date": "2024-08-07T18:00:19.365813",
        "lastUpdate_Date": "2024-08-07T18:00:20.702396",
        "sigmaRule": "title: Remote Thread Created In Shell Application\nid: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f\nstatus: experimental\ndescription: |\n    Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\n    It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\nreferences:\n    - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/\n    - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/\nauthor: Splunk Research Team\ndate: 2024/07/29\ntags:\n    - attack.defense_evasion\n    - attack.t1055\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects remote thread creation in command shell applications like \"Cmd.EXE\" and \"PowerShell.EXE\", often used by malware like IcedID. Malicious code is injected and executed within legitimate processes using this technique. The rule is still experimental and has a medium level of detection accuracy.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4933 from @fornotes - Add `Remote Thread Created In Shell Application`"
        ]
    },
    "rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml": {
        "filename": "rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml",
        "creation_Date": "2024-08-07T18:00:20.720023",
        "modification_Date": "2024-08-07T18:00:20.720084",
        "lastUpdate_Date": "2024-08-07T18:00:22.072090",
        "sigmaRule": "title: Potential APT FIN7 Exploitation Activity\nid: 6676896b-2cce-422d-82af-5a1abe65e241\nstatus: experimental\ndescription: |\n    Detects potential APT FIN7 exploitation activity as reported by Google.\n    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.\nreferences:\n    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/\nauthor: Alex Walston (@4ayymm)\ndate: 2024/07/29\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_notepad_plus:\n        ParentImage|endswith: '\\notepad++.exe'\n        Image|endswith: '\\cmd.exe'\n    selection_rdpinit:\n        ParentImage|endswith: '\\rdpinit.exe'\n        Image|endswith: '\\notepad++.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential APT FIN7 exploitation activity by identifying specific Windows process chains used by FIN7 to gain initial access, such as using compromised Remote Desktop Protocol (RDP) credentials to login to a target server. The rule references a Google report on FIN7 activity and includes conditions for detecting the activity. The false positive rate is listed as unknown, and the overall severity level of the rule is medium.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4936 from @Alex-Walston - Add `Potential APT FIN7 Exploitation Activity`"
        ]
    },
    "rules/web/proxy_generic/proxy_ua_apt.yml": {
        "filename": "rules/web/proxy_generic/proxy_ua_apt.yml",
        "creation_Date": "2024-08-07T18:00:22.095079",
        "modification_Date": "2024-08-07T18:00:22.095139",
        "lastUpdate_Date": "2024-08-07T18:00:23.470329",
        "sigmaRule": "title: APT User Agent\nid: 6ec820f2-e963-4801-9127-d8b2dce4d31b\nstatus: test\ndescription: Detects suspicious user agent strings used in APT malware in proxy logs\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems), Markus Neis\ndate: 2019/11/12\nmodified: 2024/02/15\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n         # APT Related\n            - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace\n            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe\n            - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp\n            - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp\n            - 'webclient' # Naikon APT\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT\n            - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut\n            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel\n            - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel\n            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel\n            - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021\n            - 'Netscape' # Unit78020 Malware\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf\n            - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597\n            - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/\n            - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\n            - 'Mozilla v5.1 *' # Sofacy Zebrocy samples\n            - 'MSIE 8.0' # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html\n            - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/\n            - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*' # KerrDown UA\n            - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018\n            - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20\n            - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware\n            - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/\n            - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\n            - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\n            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001'  # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024\n    condition: selection\nfields:\n    - ClientIP\n    - c-uri\n    - c-useragent\nfalsepositives:\n    - Old browsers\nlevel: high\n",
        "summary": "The Sigma Rule detects suspicious user agent strings used in APT malware in proxy logs. It includes a list of specific user agents associated with various APT malware groups, allowing for the identification of potential malicious activity. The rule specifies the selection criteria and fields to be included in the detection process, with a high confidence level and a note about potential false positives related to old browsers.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/web/proxy_generic/proxy_ua_frameworks.yml": {
        "filename": "rules/web/proxy_generic/proxy_ua_frameworks.yml",
        "creation_Date": "2024-08-07T18:00:23.470406",
        "modification_Date": "2024-08-07T18:00:23.470417",
        "lastUpdate_Date": "2024-08-07T18:00:24.838628",
        "sigmaRule": "title: Exploit Framework User Agent\nid: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f\nstatus: test\ndescription: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs\nreferences:\n    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/07/08\nmodified: 2021/11/27\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2\n            - 'Internet Explorer *'\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/\n\n        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\n            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'\n            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'\n            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads\n\n        # Metasploit Update by Florian Roth 08.07.2017\n            - 'Mozilla/5.0'\n            - 'Mozilla/4.0 (compatible; SPIPE/1.0'\n        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected\n        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected\n            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'\n            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb\n            - 'X-FORWARDED-FOR'\n            - 'DotDotPwn v2.1'\n            - 'SIPDROID'\n            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/\n\n        # Empire\n            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'\n\n        # Exploits\n            - '*wordpress hash grabber*'\n            - '*exploit*'\n    condition: selection\nfields:\n    - ClientIP\n    - c-uri\n    - c-useragent\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious user agent strings used by exploit and pentest frameworks like Metasploit in proxy logs. It includes specific user agent strings associated with Cobalt Strike, Metasploit Framework, Empire, and various exploits. The rule aims to help identify potential command and control activity and attacks within an organization's network.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/web/proxy_generic/proxy_ua_malware.yml": {
        "filename": "rules/web/proxy_generic/proxy_ua_malware.yml",
        "creation_Date": "2024-08-07T18:00:24.838739",
        "modification_Date": "2024-08-07T18:00:24.838750",
        "lastUpdate_Date": "2024-08-07T18:00:26.946685",
        "sigmaRule": "title: Malware User Agent\nid: 5c84856b-55a5-45f1-826f-13f37250cf4e\nstatus: test\ndescription: Detects suspicious user agent strings used by malware in proxy logs\nreferences:\n    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules\n    - http://www.botopedia.org/search?searchword=scan&searchphrase=all\n    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html\n    - https://perishablepress.com/blacklist/ua-2013.txt\n    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents\n    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q\n    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large\n    - https://twitter.com/crep1x/status/1635034100213112833\nauthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2017/07/08\nmodified: 2024/04/14\ntags:\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n            # RATs\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/\n            - 'HttpBrowser/1.0' # HTTPBrowser RAT\n            - '*<|>*' # Houdini / Iniduoh / njRAT\n            - 'nsis_inetc (mozilla)' # ZeroAccess\n            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre\n            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'\n            # Malware\n            - '*zeroup*' # W32/Renos.Downloader\n            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy\n            - '* adlib/*'\n            - '* tiny' # Trojan Downloader\n            - '* BGroom *' # Trojan Downloader\n            - '* changhuatong'\n            - '* CholTBAgent'\n            - 'Mozilla/5.0 WinInet'\n            - 'RookIE/1.0'\n            - 'M' # HkMain\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives\n            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes\n            - 'backdoorbot'\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality\n            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality\n            - 'Opera' # Trojan Keragany\n            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit\n            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect\n            - 'MSIE' # Toby web shell\n            - '*(Charon; Inferno)' # Loki Bot\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony\n            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection\n            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/\n            # Ursnif\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'\n            # Emotet\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968\n            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)\n            - 'Mozilla/5.0 (Windows NT 6.1)'\n            - 'AppleWebkit/587.38 (KHTML, like Gecko)'\n            - 'Chrome/91.0.4472.77'\n            - 'Safari/537.36'\n            - 'Edge/91.0.864.37'\n            - 'Firefox/89.0'\n            - 'Gecko/20100101'\n            # Others\n            - '* pxyscand*'\n            - '* asd'\n            - '* mdms'\n            - 'sample'\n            - 'nocase'\n            - 'Moxilla'\n            - 'Win32 *'\n            - '*Microsoft Internet Explorer*'\n            - 'agent *'\n            - 'AutoIt' # Suspicious - base-lining recommended\n            - 'IczelionDownLoad'\n            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/\n            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/\n            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg\n            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update\n            - 'antSword/v2.1' # AntSword Webshell UA\n            - 'rqwrwqrqwrqw'  # Racoon Stealer\n            - 'qwrqrwrqwrqwr'  # Racoon Stealer\n            - 'rc2.0/client'  # Racoon Stealer\n            - 'TakeMyPainBack'  # Racoon Stealer\n            - 'xxx' # Racoon Stealer\n            - '20112211' # Racoon Stealer\n            - '23591' # Racoon Stealer\n            - '901785252112' # Racoon Stealer\n            - '1235125521512' # Racoon Stealer\n            - '125122112551' # Racoon Stealer\n            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer\n            - 'AYAYAYAY1337' # Racoon Stealer\n            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer\n            - 'ForAFeature' # Racoon Stealer\n            - 'Ares_ldr_v_*' # AresLoader\n            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader\n            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db\n            - 'CLCTR' # https://github.com/silence-is-best/c2db\n            - 'uploader' # https://github.com/silence-is-best/c2db\n            - 'agent' # https://github.com/silence-is-best/c2db\n            - 'License' # https://github.com/silence-is-best/c2db\n            - 'vb wininet' # https://github.com/silence-is-best/c2db\n            - 'Client' # https://github.com/silence-is-best/c2db\n            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880\n            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880\n            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880\n            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880\n            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880\n            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880\n            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880\n            - 'DuckTales' # Racoon Stealer\n            - 'Zadanie' # Racoon Stealer\n            - 'GunnaWunnaBlueTips' # Racoon Stealer\n            - 'Xlmst' # Racoon Stealer\n            - 'GeekingToTheMoon' # Racoon Stealer\n            - 'SunShineMoonLight' # Racoon Stealer\n            - 'BunnyRequester' # BunnyStealer\n            - 'BunnyTasks' # BunnyStealer\n            - 'BunnyStealer' # BunnyStealer\n            - 'BunnyLoader_Dropper' # BunnyStealer\n            - 'BunnyLoader' # BunnyStealer\n            - 'BunnyShell' # BunnyStealer\n            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/\n            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301\n            - 'SouthSide' # Racoon Stealer\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious user agent strings used by malware in proxy logs. The rule includes various user agent strings associated with different types of malware, such as RATs, ZeroAccess, Dyre/Upatre, Fareit, Pony, Ursnif, Emotet, Lockbit, Quasar RAT, and others. The rule also includes user agents used by web shells, stealer malware like Racoon Stealer and BunnyStealer, ransomware like SparkRAT, and other malware like AresLoader and B4B3RAT. This rule is designed to help identify potential malware activity based on the user agent string present in the proxy logs.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml": {
        "filename": "rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml",
        "creation_Date": "2024-08-07T18:00:26.946817",
        "modification_Date": "2024-08-07T18:00:26.946830",
        "lastUpdate_Date": "2024-08-07T18:00:27.972999",
        "sigmaRule": "title: NTLM Logon\nid: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b\nstatus: test\ndescription: Detects logons using NTLM, which could be caused by a legacy source or attackers\nreferences:\n    - https://twitter.com/JohnLaTwC/status/1004895028995477505\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/06/08\nmodified: 2024/07/22\ntags:\n    - attack.lateral_movement\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: ntlm\n    definition: Requires events from Microsoft-Windows-NTLM/Operational\ndetection:\n    selection:\n        EventID: 8002\n    condition: selection\nfalsepositives:\n    - Legacy hosts\nlevel: low\n",
        "summary": "This Sigma Rule detects logons using NTLM, which could be caused by a legacy source or attackers. It focuses on EventID 8002 from Microsoft-Windows-NTLM/Operational logs on Windows systems. It is categorized as a low-level alert and may have false positives from legacy hosts.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml",
        "creation_Date": "2024-08-07T18:00:27.973375",
        "modification_Date": "2024-08-07T18:00:27.973384",
        "lastUpdate_Date": "2024-08-07T18:00:29.235800",
        "sigmaRule": "title: Potential Commandline Obfuscation Using Unicode Characters\nid: e0552b19-5a83-4222-b141-b36184bb8d79\nrelated:\n    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9\n      type: obsoletes\nstatus: test\ndescription: |\n    Detects potential commandline obfuscation using unicode characters.\n    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\nreferences:\n    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022/01/15\nmodified: 2024/07/22\ntags:\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_spacing_modifiers:\n        CommandLine|contains: # spacing modifier letters that get auto-replaced\n            - '\u02e3' # 0x02E3\n            - '\u02ea' # 0x02EA\n            - '\u02e2' # 0x02E2\n    selection_unicode_slashes: # forward slash alternatives\n        CommandLine|contains:\n            - '\u2215' # 0x22FF\n            - '\u2044' # 0x206F\n    selection_unicode_hyphens: # hyphen alternatives\n        CommandLine|contains:\n            - '\u2015' # 0x2015\n            - '\u2014' # 0x2014\n    selection_other:\n        CommandLine|contains:\n            - '\u00af'\n            - '\u00ae'\n            - '\u00b6'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects potential commandline obfuscation using unicode characters by looking for spacing modifier letters, forward slash alternatives, hyphen alternatives, and other unicode characters in the command line of process creation events on Windows systems. Adversaries may use these techniques to hide or obfuscate malicious commands. The rule was last modified on July 22, 2024, and has a high detection level.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml",
        "creation_Date": "2024-08-07T18:00:29.235932",
        "modification_Date": "2024-08-07T18:00:29.235947",
        "lastUpdate_Date": "2024-08-07T18:00:30.644483",
        "sigmaRule": "title: Suspicious SYSTEM User Process Creation\nid: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09\nstatus: test\ndescription: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)\nreferences:\n    - Internal Research\n    - https://tools.thehacker.recipes/mimikatz/modules\nauthor: Florian Roth (Nextron Systems), David ANDRE (additional keywords)\ndate: 2021/12/20\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1134\n    - attack.t1003\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel: System\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_special:\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\cscript.exe'\n              - '\\forfiles.exe'\n              - '\\hh.exe'\n              - '\\mshta.exe'\n              - '\\ping.exe'\n              - '\\wscript.exe'\n        - CommandLine|contains:\n              # - 'sc stop ' # stops a system service # causes FPs\n              - ' -NoP '  # Often used in malicious PowerShell commands\n              - ' -W Hidden '  # Often used in malicious PowerShell commands\n              - ' -decode '  # Used with certutil\n              - ' /decode '  # Used with certutil\n              - ' /urlcache '  # Used with certutil\n              - ' -urlcache '  # Used with certutil\n              - ' -e* JAB'  # PowerShell encoded commands\n              - ' -e* SUVYI'  # PowerShell encoded commands\n              - ' -e* SQBFAFgA'  # PowerShell encoded commands\n              - ' -e* aWV4I'  # PowerShell encoded commands\n              - ' -e* IAB'  # PowerShell encoded commands\n              - ' -e* PAA'  # PowerShell encoded commands\n              - ' -e* aQBlAHgA'  # PowerShell encoded commands\n              - 'vssadmin delete shadows'  # Ransomware\n              - 'reg SAVE HKLM'  # save registry SAM - syskey extraction\n              - ' -ma '  # ProcDump\n              - 'Microsoft\\Windows\\CurrentVersion\\Run'  # Run key in command line - often in combination with REG ADD\n              - '.downloadstring('  # PowerShell download command\n              - '.downloadfile('  # PowerShell download command\n              - ' /ticket:'  # Rubeus\n              - 'dpapi::'     # Mimikatz\n              - 'event::clear'        # Mimikatz\n              - 'event::drop'     # Mimikatz\n              - 'id::modify'      # Mimikatz\n              - 'kerberos::'       # Mimikatz\n              - 'lsadump::'      # Mimikatz\n              - 'misc::'     # Mimikatz\n              - 'privilege::'       # Mimikatz\n              - 'rpc::'      # Mimikatz\n              - 'sekurlsa::'       # Mimikatz\n              - 'sid::'        # Mimikatz\n              - 'token::'      # Mimikatz\n              - 'vault::cred'     # Mimikatz\n              - 'vault::list'     # Mimikatz\n              - ' p::d '  # Mimikatz\n              - ';iex('  # PowerShell IEX\n              - 'MiniDump'  # Process dumping method apart from procdump\n              - 'net user '\n    filter_main_ping:\n        CommandLine|contains: 'ping 127.0.0.1 -n'\n    filter_vs:\n        Image|endswith: '\\PING.EXE'\n        ParentCommandLine|contains: '\\DismFoDInstall.cmd'\n    filter_config_mgr:\n        ParentImage|contains: ':\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n    filter_java:\n        ParentImage|contains:\n            - ':\\Program Files (x86)\\Java\\'\n            - ':\\Program Files\\Java\\'\n        ParentImage|endswith: '\\bin\\javaws.exe'\n        Image|contains:\n            - ':\\Program Files (x86)\\Java\\'\n            - ':\\Program Files\\Java\\'\n        Image|endswith: '\\bin\\jp2launcher.exe'\n        CommandLine|contains: ' -ma '\n    condition: all of selection* and not 1 of filter_*\nfalsepositives:\n    - Administrative activity\n    - Scripts and administrative tools used in the monitored environment\n    - Monitoring activity\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious process creations by the SYSTEM user on Windows machines, focusing on specific program names and command line parameters commonly associated with malicious activities. It includes filters to exclude known benign activities, with the goal of minimizing false positives. The rule is designed to alert on potentially malicious behavior such as privilege escalation, credential access, and defense evasion.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4928 from @nasbench - Fix FPs and issues found in testing"
        ]
    },
    "rules/windows/file/file_event/file_event_win_anydesk_artefact.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_anydesk_artefact.yml",
        "creation_Date": "2024-08-07T18:00:30.674574",
        "modification_Date": "2024-08-07T18:00:30.674654",
        "lastUpdate_Date": "2024-08-07T18:00:32.739137",
        "sigmaRule": "title: Anydesk Temporary Artefact\nid: 0b9ad457-2554-44c1-82c2-d56a99c42377\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\nauthor: frack113\ndate: 2022/02/11\nmodified: 2024/07/20\ntags:\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\AppData\\Roaming\\AnyDesk\\user.conf'\n            - '\\AppData\\Roaming\\AnyDesk\\system.conf'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n",
        "summary": "This Sigma Rule detects the presence of AnyDesk artifacts, which can be used by adversaries to establish a command and control channel on target systems within networks. Legitimate desktop support and remote access software can be abused for malicious purposes, and these tools may be allowed by application control within the target environment. Detection is based on the presence of specific files related to AnyDesk in the AppData\\Roaming directory.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4924 from @fornotes - Fix `Anydesk Temporary Artefact`"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml",
        "creation_Date": "2024-08-07T18:00:32.756444",
        "modification_Date": "2024-08-07T18:00:32.756505",
        "lastUpdate_Date": "2024-08-07T18:00:33.774657",
        "sigmaRule": "title: Potential BOINC Software Execution (UC-Berkeley Signature)\nid: 0090b851-3543-42db-828c-02fee986ff0b\nstatus: experimental\ndescription: |\n    Detects the use of software that is related to the University of California, Berkeley via metadata information.\n    This indicates it may be related to BOINC software and can be used maliciously if unauthorized.\nreferences:\n    - https://boinc.berkeley.edu/\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024/07/23\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1553\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description: 'University of California, Berkeley'\n    condition: selection\nfalsepositives:\n    - This software can be used for legitimate purposes when installed intentionally.\nlevel: informational\n",
        "summary": "This Sigma rule detects the potential execution of BOINC software that is related to the University of California, Berkeley based on metadata information. It warns that this software can be used maliciously if unauthorized and provides references for further information. The rule is currently experimental and should be used for informational purposes.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml",
        "creation_Date": "2024-08-07T18:00:33.774742",
        "modification_Date": "2024-08-07T18:00:33.774754",
        "lastUpdate_Date": "2024-08-07T18:00:35.696686",
        "sigmaRule": "title: Headless Process Launched Via Conhost.EXE\nid: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc\nrelated:\n    - id: 056c7317-9a09-4bd4-9067-d051312752ea\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the launch of a child process via \"conhost.exe\" with the \"--headless\" flag.\n    The \"--headless\" flag hides the windows from the user upon execution.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/23\ntags:\n    - attack.defense_evasion\n    - attack.t1059.001\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\conhost.exe'\n        ParentCommandLine|contains: '--headless'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "Sigma Rule ID: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc detects the launch of a child process via \"conhost.exe\" with the \"--headless\" flag, which hides windows from the user upon execution. This rule is categorized under attack defense evasion and references a blog post on fake browser updates leading to BOINC volunteer computing software. The rule is authored by Nasreddine Bencherchali (Nextron Systems) and is considered experimental with a medium level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml",
        "creation_Date": "2024-08-07T18:00:35.696774",
        "modification_Date": "2024-08-07T18:00:35.696785",
        "lastUpdate_Date": "2024-08-07T18:00:37.190950",
        "sigmaRule": "title: Powershell Executed From Headless ConHost Process\nid: 056c7317-9a09-4bd4-9067-d051312752ea\nrelated:\n    - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the use of powershell commands from headless ConHost window.\n    The \"--headless\" flag hides the windows from the user upon execution.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024/07/23\ntags:\n    - attack.defense_evasion\n    - attack.t1059.001\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\conhost.exe'\n        - OriginalFileName: 'CONHOST.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - '--headless'\n            - 'powershell'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects the use of PowerShell commands executed from a headless ConHost window, where the \"--headless\" flag is used to hide the window from the user. This behavior is often associated with defense evasion techniques. The rule looks for instances where the ConHost process is running with the \"--headless\" flag and the 'powershell' command in the command line. The detection level is medium.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_renamed_boinc.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_renamed_boinc.yml",
        "creation_Date": "2024-08-07T18:00:37.191027",
        "modification_Date": "2024-08-07T18:00:37.191038",
        "lastUpdate_Date": "2024-08-07T18:00:38.418999",
        "sigmaRule": "title: Renamed BOINC Client Execution\nid: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc\nstatus: experimental\ndescription: Detects the execution of a renamed BOINC binary.\nreferences:\n    - https://boinc.berkeley.edu/\n    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024/07/23\ntags:\n    - attack.defense_evasion\n    - attack.t1553\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'BOINC.exe'\n    filter_main_legit_name:\n        Image|endswith: '\\BOINC.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects the execution of a renamed BOINC binary on a Windows system. The rule looks for instances where the OriginalFileName is 'BOINC.exe' but the Image does not end with '\\BOINC.exe'. It is tagged as part of the attack defense evasion and attack T1553 categories, with a medium detection level. The rule is currently experimental and was authored by Matt Anderson from Huntress.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml",
        "creation_Date": "2024-08-07T18:00:38.419051",
        "modification_Date": "2024-08-07T18:00:38.419058",
        "lastUpdate_Date": "2024-08-07T18:00:39.668810",
        "sigmaRule": "title: Process Launched Without Image Name\nid: f208d6d8-d83a-4c2c-960d-877c37da84e5\nstatus: experimental\ndescription: Detect the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024/07/23\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\.exe'\n    condition: selection\nfalsepositives:\n    - Rare legitimate software.\nlevel: medium\n",
        "summary": "This Sigma Rule detects processes launched without an image name (\".exe\") which can be used to evade image-based detections. It provides a way to detect suspicious activities in the process creation category on Windows systems. The rule was authored by Matt Anderson and is still considered experimental as of July 23, 2024. False positives may occur with rare legitimate software.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC"
        ]
    },
    "deprecated/windows/file_event_win_access_susp_teams.yml": {
        "filename": "deprecated/windows/file_event_win_access_susp_teams.yml",
        "creation_Date": "2024-08-07T18:00:39.705592",
        "modification_Date": "2024-08-07T18:00:39.705691",
        "lastUpdate_Date": "2024-08-07T18:00:41.052496",
        "sigmaRule": "title: Suspicious File Event With Teams Objects\nid: 6902955a-01b7-432c-b32a-6f5f81d8f624\nstatus: deprecated\ndescription: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2022/09/16\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1528\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter:\n        Image|contains: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule, titled \"Suspicious File Event With Teams Objects,\" has been deprecated. It is designed to detect unauthorized access to authentication tokens and accounts in the Microsoft Teams desktop application. The rule specifies certain file paths and processes to monitor for suspicious activity. The detection criteria includes specific file paths and excludes certain processes related to Microsoft Teams. The rule is tagged with credentials access and a specific attack technique. The level of severity is classified as high.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "deprecated/windows/file_event_win_access_susp_unattend_xml.yml": {
        "filename": "deprecated/windows/file_event_win_access_susp_unattend_xml.yml",
        "creation_Date": "2024-08-07T18:00:41.052737",
        "modification_Date": "2024-08-07T18:00:41.052760",
        "lastUpdate_Date": "2024-08-07T18:00:47.035151",
        "sigmaRule": "title: Suspicious Unattend.xml File Access\nid: 1a3d42dd-3763-46b9-8025-b5f17f340dfb\nstatus: deprecated\ndescription: |\n    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\n    If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2021/12/19\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1552.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\unattend.xml'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects suspicious access to the unattend.xml file within the Panther directory, where installation logs are stored. This file commonly contains credentials and answers used during the unattended Windows installation process. The rule will display the contents of the file if accessed. The rule is tagged as attack.credential_access and attack.t1552.001, and has a medium severity level.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml": {
        "filename": "rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml",
        "creation_Date": "2024-08-07T18:00:47.035288",
        "modification_Date": "2024-08-07T18:00:47.035301",
        "lastUpdate_Date": "2024-08-07T18:00:48.519576",
        "sigmaRule": "title: Unattend.XML File Access Attempt\nid: 76a26006-0942-430b-8249-bd51d448f8e5\nstatus: experimental\ndescription: |\n    Detects attempts to access the \"unattend.xml\" file, where credentials might be stored.\n    This file is used during the unattended windows install process.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1552.001\n    - detection.threat_hunting\nlogsource:\n    product: windows\n    category: file_access\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith: '\\Panther\\unattend.xml'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n",
        "summary": "This Sigma Rule detects attempts to access the \"unattend.xml\" file, where credentials might be stored, during the unattended Windows install process. It has an experimental status and a low level of severity. The rule's logsource is Windows file access with specific requirements for detection. There are no known false positives associated with this rule.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_browser_credential_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_browser_credential_access.yml",
        "creation_Date": "2024-08-07T18:00:48.519659",
        "modification_Date": "2024-08-07T18:00:48.519670",
        "lastUpdate_Date": "2024-08-07T18:00:49.268935",
        "sigmaRule": "file does not exist",
        "summary": "If the file being accessed cannot be found, an error message will be displayed stating that the file does not exist.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_credential_manager_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_credential_manager_access.yml",
        "creation_Date": "2024-08-07T18:00:49.269248",
        "modification_Date": "2024-08-07T18:00:49.269256",
        "lastUpdate_Date": "2024-08-07T18:00:50.141760",
        "sigmaRule": "file does not exist",
        "summary": "If the file being referenced does not exist, the Sigma Rule does not apply.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml",
        "creation_Date": "2024-08-07T18:00:50.141890",
        "modification_Date": "2024-08-07T18:00:50.141903",
        "lastUpdate_Date": "2024-08-07T18:00:50.748722",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, there is a failure in the detection rule.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_outlook_mail_credential_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_outlook_mail_credential_access.yml",
        "creation_Date": "2024-08-07T18:00:50.749379",
        "modification_Date": "2024-08-07T18:00:50.749387",
        "lastUpdate_Date": "2024-08-07T18:00:51.339833",
        "sigmaRule": "file does not exist",
        "summary": "The Sigma Rule is indicating that a specific file does not exist in the system or location being referenced.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml",
        "creation_Date": "2024-08-07T18:00:51.340101",
        "modification_Date": "2024-08-07T18:00:51.340159",
        "lastUpdate_Date": "2024-08-07T18:00:51.914505",
        "sigmaRule": "file does not exist",
        "summary": "If the specified file does not exist, then the Sigma Rule will not be applicable or execute any actions.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml",
        "creation_Date": "2024-08-07T18:00:51.914587",
        "modification_Date": "2024-08-07T18:00:51.914598",
        "lastUpdate_Date": "2024-08-07T18:00:52.573847",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, then no properties or attributes of the file can be analyzed.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml": {
        "filename": "rules/windows/file/file_access/file_access_win_susp_gpo_access_file.yml",
        "creation_Date": "2024-08-07T18:00:52.574968",
        "modification_Date": "2024-08-07T18:00:52.574976",
        "lastUpdate_Date": "2024-08-07T18:00:53.392300",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, then an error message will be displayed.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_event/file_event_win_access_susp_teams.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_access_susp_teams.yml",
        "creation_Date": "2024-08-07T18:00:53.393454",
        "modification_Date": "2024-08-07T18:00:53.393462",
        "lastUpdate_Date": "2024-08-07T18:00:54.366005",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, it means that the specified file cannot be found or accessed.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml",
        "creation_Date": "2024-08-07T18:00:54.366260",
        "modification_Date": "2024-08-07T18:00:54.366316",
        "lastUpdate_Date": "2024-08-07T18:00:54.923839",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, it could indicate a potential issue or oversight.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4920 from @fornotes - Update `file_access` based rules"
        ]
    },
    "rules/cloud/github/github_disable_high_risk_configuration.yml": {
        "filename": "rules/cloud/github/github_disable_high_risk_configuration.yml",
        "creation_Date": "2024-08-07T18:00:54.951255",
        "modification_Date": "2024-08-07T18:00:54.951328",
        "lastUpdate_Date": "2024-08-07T18:00:56.287601",
        "sigmaRule": "title: Github High Risk Configuration Disabled\nid: 8622c92d-c00e-463c-b09d-fd06166f6794\nstatus: test\ndescription: Detects when a user disables a critical security feature for an organization.\nreferences:\n    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions\n    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023/01/29\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'business_advanced_security.disabled_for_new_repos'\n            - 'business_advanced_security.disabled_for_new_user_namespace_repos'\n            - 'business_advanced_security.disabled'\n            - 'business_advanced_security.user_namespace_repos_disabled'\n            - 'org.advanced_security_disabled_for_new_repos'\n            - 'org.advanced_security_disabled_on_all_repos'\n            - 'org.advanced_security_policy_selected_member_disabled'\n            - 'org.disable_oauth_app_restrictions'\n            - 'org.disable_two_factor_requirement'\n            - 'repo.advanced_security_disabled'\n    condition: selection\nfalsepositives:\n    - Approved administrator/owner activities.\nlevel: high\n",
        "summary": "This Sigma rule detects when a user disables a critical security feature for an organization on GitHub. It specifies the actions and conditions that indicate a high risk configuration being disabled, such as advanced security features, OAuth app restrictions, two-factor authentication, and more. The rule provides references for managing security settings and reviewing audit logs on GitHub.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4922 from @romain-gaillard - Update `Github High Risk Configuration Disabled`"
        ]
    },
    "rules/cloud/github/github_secret_scanning_feature_disabled.yml": {
        "filename": "rules/cloud/github/github_secret_scanning_feature_disabled.yml",
        "creation_Date": "2024-08-07T18:00:56.319298",
        "modification_Date": "2024-08-07T18:00:56.319413",
        "lastUpdate_Date": "2024-08-07T18:00:57.422315",
        "sigmaRule": "title: Github Secret Scanning Feature Disabled\nid: 3883d9a0-fd0f-440f-afbb-445a2a799bb8\nstatus: experimental\ndescription: Detects if the secret scanning feature is disabled for an enterprise or repository.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024/03/07\nmodified: 2024/07/19\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'business_secret_scanning.disable'\n            - 'business_secret_scanning.disabled_for_new_repos'\n            - 'repository_secret_scanning.disable'\n            - 'secret_scanning_new_repos.disable'\n            - 'secret_scanning.disable'\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: high\n",
        "summary": "This Sigma Rule detects if the secret scanning feature is disabled for a GitHub enterprise or repository. By monitoring specific actions related to secret scanning being disabled, the rule aims to alert organizations to potential security risks. The rule requires audit log streaming to be enabled for detection. Allowed administrative activities may result in false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4921 from @romain-gaillard - update `Github Secret Scanning Feature Disabled`"
        ]
    },
    ".github/workflows/goodlog-tests.yml": {
        "filename": ".github/workflows/goodlog-tests.yml",
        "creation_Date": "2024-08-07T18:00:57.452528",
        "modification_Date": "2024-08-07T18:00:57.452625",
        "lastUpdate_Date": "2024-08-07T18:00:58.819705",
        "sigmaRule": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions\n\nname: Goodlog Tests\n\non:\n  push:\n    branches:\n      - \"*\"\n    paths:\n      - \".github/workflows/goodlog-tests.yml\"\n      - \".github/workflows/known-FPs.csv\"\n      - \"deprecated/**.yml\"\n      - \"rules-compliance/**.yml\"\n      - \"rules-dfir/**.yml\"\n      - \"rules-emerging-threats/**.yml\"\n      - \"rules-placeholder/**.yml\"\n      - \"rules-threat-hunting/**.yml\"\n      - \"rules/**.yml\"\n      - \"tests/thor.yml\"\n      - \"unsupported/**.yml\"\n  pull_request:\n    branches:\n      - master\n    paths:\n      - \".github/workflows/goodlog-tests.yml\"\n      - \".github/workflows/known-FPs.csv\"\n      - \"deprecated/**.yml\"\n      - \"rules-compliance/**.yml\"\n      - \"rules-dfir/**.yml\"\n      - \"rules-emerging-threats/**.yml\"\n      - \"rules-placeholder/**.yml\"\n      - \"rules-threat-hunting/**.yml\"\n      - \"rules/**.yml\"\n      - \"tests/thor.yml\"\n      - \"unsupported/**.yml\"\n\n  # Allows you to run this workflow manually from the Actions tab\n  workflow_dispatch:\n\nenv:\n  EVTX_BASELINE_VERSION: v0.8\n\njobs:\n  check-baseline-win7:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 7 32-bit baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz\n        tar xzf win7-x86.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win10:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 10 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz\n        tar xzf win10-client.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win11:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 11 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz\n        tar xzf win11-client.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win11-2023:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 11 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz\n        tar xzf win11-client-2023.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz\n        tar xzf win2022-evtx.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022-domain-controller:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz\n        tar xzf win2022-ad.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022-0-20348-azure:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022.0.20348 Azure baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz\n        tar xzf win2022-0-20348-azure.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n",
        "summary": "This Sigma Rule workflow is designed to run tests on different versions of Windows baselines using the evtx-sigma-checker tool. It checks for Sigma matches in the baselines and excludes known false positives. The workflow is triggered on push and pull requests to specific branches and can also be manually run from the Actions tab.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4918 from @joshnck - Update `goodlog-tests.yml`"
        ]
    },
    "rules/category/antivirus/av_exploiting.yml": {
        "filename": "rules/category/antivirus/av_exploiting.yml",
        "creation_Date": "2024-08-07T18:00:58.847038",
        "modification_Date": "2024-08-07T18:00:58.847099",
        "lastUpdate_Date": "2024-08-07T18:01:00.234178",
        "sigmaRule": "title: Antivirus Exploitation Framework Detection\nid: 238527ad-3c2c-4e4f-a1f6-92fd63adb864\nstatus: stable\ndescription: Detects a highly relevant Antivirus alert that reports an exploitation framework.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797\n    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424\n    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018/09/09\nmodified: 2024/07/17\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        Signature|contains:\n            - 'Backdoor.Cobalt'\n            - 'Brutel'\n            - 'BruteR'\n            - 'CobaltStr'\n            - 'CobaltStrike'\n            - 'COBEACON'\n            - 'Cometer'\n            - 'Exploit.Script.CVE'\n            - 'IISExchgSpawnCMD'\n            - 'Metasploit'\n            - 'Meterpreter'\n            - 'MeteTool'\n            - 'Mpreter'\n            - 'MsfShell'\n            - 'PowerSploit'\n            - 'Razy'\n            - 'Rozena'\n            - 'Sbelt'\n            - 'Seatbelt'\n            - 'Sliver'\n            - 'Swrort'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "This Sigma rule detects a highly relevant Antivirus alert that reports an exploitation framework based on specific signatures related to various malicious tools and scripts. The rule was authored by Florian Roth and Arnim Rupp, and was last modified in July 2024. The detection criteria include keywords like 'CobaltStrike', 'Metasploit', 'PowerSploit', and others. The rule is considered critical and false positives are unlikely.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/category/antivirus/av_hacktool.yml": {
        "filename": "rules/category/antivirus/av_hacktool.yml",
        "creation_Date": "2024-08-07T18:01:00.234275",
        "modification_Date": "2024-08-07T18:01:00.234283",
        "lastUpdate_Date": "2024-08-07T18:01:01.695915",
        "sigmaRule": "title: Antivirus Hacktool Detection\nid: fa0c05b6-8ad3-468d-8231-c1cbccb64fba\nstatus: stable\ndescription: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nreferences:\n    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2021/08/16\nmodified: 2024/07/17\ntags:\n    - attack.execution\n    - attack.t1204\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith:\n              - 'Adfind'\n              - 'ATK/'\n              - 'Exploit.Script.CVE'\n              - 'HKTL'\n              - 'HTOOL'\n              - 'PWS.'\n              - 'PWSX'\n              - 'SecurityTool'\n              # - 'FRP.'\n        - Signature|contains:\n              - 'Adfind'\n              - 'ATK/'  # Sophos\n              - 'Brutel'\n              - 'BruteR'\n              - 'Cobalt'\n              - 'COBEACON'\n              - 'Cometer'\n              - 'DumpCreds'\n              - 'FastReverseProxy'\n              - 'Hacktool'\n              - 'Impacket'\n              - 'Keylogger'\n              - 'Koadic'\n              - 'Lazagne'\n              - 'Mimikatz'\n              - 'Nighthawk'\n              - 'PentestPowerShell'\n              - 'Potato'\n              - 'PowerSploit'\n              - 'PowerSSH'\n              - 'PshlSpy'\n              - 'PSWTool'\n              - 'PWCrack'\n              - 'PWDump'\n              - 'Rozena'\n              - 'Sbelt'\n              - 'Seatbelt'\n              - 'SecurityTool'\n              - 'SharpDump'\n              - 'Shellcode'\n              - 'Sliver'\n              - 'Splinter'\n              - 'Swrort'\n              - 'TurtleLoader'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma rule detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. It includes a list of signatures to look for in the Antivirus logs to identify potential threats. The rule was authored by Florian Roth (Nextron Systems) and Arnim Rupp, with references to additional resources for Antivirus event analysis. The rule is considered stable and has a high detection level with a low likelihood of false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/category/antivirus/av_password_dumper.yml": {
        "filename": "rules/category/antivirus/av_password_dumper.yml",
        "creation_Date": "2024-08-07T18:01:01.696124",
        "modification_Date": "2024-08-07T18:01:01.696146",
        "lastUpdate_Date": "2024-08-07T18:01:02.759354",
        "sigmaRule": "title: Antivirus Password Dumper Detection\nid: 78cc2dd2-7d20-4d32-93ff-057084c38b93\nstatus: stable\ndescription: Detects a highly relevant Antivirus alert that reports a password dumper.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619\n    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/09/09\nmodified: 2024/07/17\ntags:\n    - attack.credential_access\n    - attack.t1003\n    - attack.t1558\n    - attack.t1003.001\n    - attack.t1003.002\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith: 'PWS'\n        - Signature|contains:\n              - 'DumpCreds'\n              - 'DumpLsass'\n              - 'HTool/WCE'\n              - 'Kekeo'\n              - 'LsassDump'\n              - 'Mimikatz'\n              - 'Outflank'\n              - 'PShlSpy'\n              - 'PSWTool'\n              - 'PWCrack'\n              - 'PWDump'\n              - 'PWS.'\n              - 'PWSX'\n              - 'Rubeus'\n              - 'SecurityTool'\n              - 'SharpDump'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "This Sigma Rule detects a highly relevant antivirus alert that reports the presence of a password dumper. The rule looks for specific signatures and keywords related to password dumping tools such as Mimikatz, LsassDump, and PWDump. False positives are deemed unlikely, and the rule is classified as critical in terms of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/category/antivirus/av_ransomware.yml": {
        "filename": "rules/category/antivirus/av_ransomware.yml",
        "creation_Date": "2024-08-07T18:01:02.759916",
        "modification_Date": "2024-08-07T18:01:02.759951",
        "lastUpdate_Date": "2024-08-07T18:01:04.211159",
        "sigmaRule": "title: Antivirus Ransomware Detection\nid: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f\nstatus: test\ndescription: Detects a highly relevant Antivirus alert that reports ransomware.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916\n    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7\n    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045\n    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d\n    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2022/05/12\nmodified: 2023/02/03\ntags:\n    - attack.t1486\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        Signature|contains:\n            - 'BlackWorm'\n            - 'Crypter'\n            - 'CRYPTES'\n            - 'Cryptor'\n            - 'Destructor'\n            - 'Filecoder'\n            - 'GandCrab'\n            - 'GrandCrab'\n            - 'Krypt'\n            - 'Locker'\n            - 'Phobos'\n            - 'Ransom'\n            - 'Ryuk'\n            - 'Ryzerlo'\n            - 'Tescrypt'\n            - 'TeslaCrypt'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "This Sigma Rule detects a highly relevant Antivirus alert that reports ransomware based on a selection of keywords related to ransomware variants. The rule was authored by Florian Roth and Arnim Rupp, with the last modification made on February 3, 2023. The detection criteria include keywords such as 'Ransom', 'GandCrab', 'Phobos', 'Ryuk', and others commonly associated with ransomware. The rule is classified as critical, and false positives are considered unlikely.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/category/antivirus/av_relevant_files.yml": {
        "filename": "rules/category/antivirus/av_relevant_files.yml",
        "creation_Date": "2024-08-07T18:01:04.211368",
        "modification_Date": "2024-08-07T18:01:04.211381",
        "lastUpdate_Date": "2024-08-07T18:01:05.110863",
        "sigmaRule": "title: Antivirus Relevant File Paths Alerts\nid: c9a88268-0047-4824-ba6e-4d81ce0b907c\nstatus: test\ndescription: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018/09/09\nmodified: 2024/07/17\ntags:\n    - attack.resource_development\n    - attack.t1588\nlogsource:\n    category: antivirus\ndetection:\n    selection_path:\n        Filename|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\'\n            - '/www/'\n            - '\\Client\\'\n            - '\\inetpub\\'\n            - '\\tsclient\\'\n            - 'apache'\n            - 'nginx'\n            - 'tomcat'\n            - 'weblogic'\n    selection_ext:\n        Filename|endswith:\n            - '.asax'\n            - '.ashx'\n            - '.asmx'\n            - '.asp'\n            - '.aspx'\n            - '.bat'\n            - '.cfm'\n            - '.cgi'\n            - '.chm'\n            - '.cmd'\n            - '.dat'\n            - '.ear'\n            - '.gif'\n            - '.hta'\n            - '.jpeg'\n            - '.jpg'\n            - '.jsp'\n            - '.jspx'\n            - '.lnk'\n            - '.msc'\n            - '.php'\n            - '.pl'\n            - '.png'\n            - '.ps1'\n            - '.psm1'\n            - '.py'\n            - '.pyc'\n            - '.rb'\n            - '.scf'\n            - '.sct'\n            - '.sh'\n            - '.svg'\n            - '.txt'\n            - '.vbe'\n            - '.vbs'\n            - '.war'\n            - '.wll'\n            - '.wsf'\n            - '.wsh'\n            - '.xll'\n            - '.xml'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects an Antivirus alert in highly relevant file paths or with relevant file extensions. The rule specifies certain file paths and file extensions that are commonly associated with malicious activity. The rule has a high level of certainty and false positives are considered unlikely.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/category/antivirus/av_webshell.yml": {
        "filename": "rules/category/antivirus/av_webshell.yml",
        "creation_Date": "2024-08-07T18:01:05.111079",
        "modification_Date": "2024-08-07T18:01:05.111099",
        "lastUpdate_Date": "2024-08-07T18:01:06.298350",
        "sigmaRule": "title: Antivirus Web Shell Detection\nid: fdf135a2-9241-4f96-a114-bb404948f736\nstatus: test\ndescription: |\n    Detects a highly relevant Antivirus alert that reports a web shell.\n    It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://github.com/tennc/webshell\n    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection\n    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection\n    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection\n    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection\n    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection\n    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection\n    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection\n    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018/09/09\nmodified: 2024/07/17\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith:\n              - 'ASP.'\n              - 'IIS/BackDoor'\n              - 'JAVA/Backdoor'\n              - 'JSP.'\n              - 'Perl.'\n              - 'PHP.'\n              - 'Troj/ASP'\n              - 'Troj/JSP'\n              - 'Troj/PHP'\n              - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops\n        - Signature|contains:\n              - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops\n              - 'ASP:'\n              - 'ASP.Agent'\n              - 'ASP/'\n              - 'ASP/Agent'\n              - 'Aspdoor'\n              - 'ASPXSpy'\n              - 'Backdoor.ASP'\n              - 'Backdoor.Java'\n              - 'Backdoor.JSP'\n              - 'Backdoor.PHP'\n              - 'Backdoor.VBS'\n              - 'Backdoor/ASP'\n              - 'Backdoor/Java'\n              - 'Backdoor/JSP'\n              - 'Backdoor/PHP'\n              - 'Backdoor/VBS'\n              - 'C99shell'\n              - 'Chopper'\n              - 'filebrowser'\n              - 'JSP_'\n              - 'JSP:'\n              - 'JSP.Agent'\n              - 'JSP/'\n              - 'JSP/Agent'\n              - 'Perl:'\n              - 'Perl/'\n              - 'PHP_'\n              - 'PHP:'\n              - 'PHP.Agent'\n              - 'PHP/'\n              - 'PHP/Agent'\n              - 'PHPShell'\n              - 'PShlSpy'\n              - 'SinoChoper'\n              - 'Trojan.ASP'\n              - 'Trojan.JSP'\n              - 'Trojan.PHP'\n              - 'Trojan.VBS'\n              - 'VBS.Agent'\n              - 'VBS/Agent'\n              - 'Webshell'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma rule is designed for detecting antivirus alerts related to web shells. It contains specific strings typically associated with web shells for filtering out false positives. The rule should be customized with specific strings used by the organization's antivirus solution. The rule was authored by Florian Roth and Arnim Rupp in 2018 and was last modified in 2024. It has a high level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "rules/windows/builtin/application/Other/win_av_relevant_match.yml": {
        "filename": "rules/windows/builtin/application/Other/win_av_relevant_match.yml",
        "creation_Date": "2024-08-07T18:01:06.298557",
        "modification_Date": "2024-08-07T18:01:06.298569",
        "lastUpdate_Date": "2024-08-07T18:01:07.503230",
        "sigmaRule": "title: Relevant Anti-Virus Signature Keywords In Application Log\nid: 78bc5783-81d9-4d73-ac97-59f6db4f72a8\nstatus: test\ndescription: |\n    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\nreferences:\n    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\n    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\n    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2017/02/19\nmodified: 2024/07/17\ntags:\n    - attack.resource_development\n    - attack.t1588\nlogsource:\n    product: windows\n    service: application\ndetection:\n    keywords:\n        - 'Adfind'\n        - 'ASP/BackDoor '\n        - 'ATK/'\n        - 'Backdoor.ASP'\n        - 'Backdoor.Cobalt'\n        - 'Backdoor.JSP'\n        - 'Backdoor.PHP'\n        - 'Blackworm'\n        - 'Brutel'\n        - 'BruteR'\n        - 'Chopper'\n        - 'Cobalt'\n        - 'COBEACON'\n        - 'Cometer'\n        - 'CRYPTES'\n        - 'Cryptor'\n        - 'Destructor'\n        - 'DumpCreds'\n        - 'Exploit.Script.CVE'\n        - 'FastReverseProxy'\n        - 'Filecoder'\n        - 'GrandCrab '\n        - 'HackTool'\n        - 'HKTL'\n        - 'HTool'\n        - 'IISExchgSpawnCMD'\n        - 'Impacket'\n        - 'JSP/BackDoor '\n        - 'Keylogger'\n        - 'Koadic'\n        - 'Krypt'\n        - 'Lazagne'\n        - 'Metasploit'\n        - 'Meterpreter'\n        - 'MeteTool'\n        - 'mikatz'\n        - 'Mimikatz'\n        - 'Mpreter'\n        - 'MsfShell'\n        - 'Nighthawk'\n        - 'Packed.Generic.347'\n        - 'PentestPowerShell'\n        - 'Phobos'\n        - 'PHP/BackDoor '\n        - 'Potato'\n        - 'PowerSploit'\n        - 'PowerSSH'\n        - 'PshlSpy'\n        - 'PSWTool'\n        - 'PWCrack'\n        - 'PWDump'\n        - 'Ransom'\n        - 'Rozena'\n        - 'Ryzerlo'\n        - 'Sbelt'\n        - 'Seatbelt'\n        - 'SecurityTool '\n        - 'SharpDump'\n        - 'Shellcode'\n        - 'Sliver'\n        - 'Splinter'\n        - 'Swrort'\n        - 'Tescrypt'\n        - 'TeslaCrypt'\n        - 'TurtleLoader'\n        - 'Valyria'\n        - 'Webshell'\n        # - 'FRP.'\n        # - 'Locker'\n        # - 'PWS.'\n        # - 'PWSX'\n        # - 'Razy'\n        # - 'Ryuk'\n    filter_optional_generic:\n        - 'anti_ransomware_service.exe'\n        - 'Crack'\n        - 'cyber-protect-service.exe'\n        - 'Keygen'\n    filter_optional_information:\n        Level: 4  # Information level\n    filter_optional_restartmanager:\n        Provider_Name: 'Microsoft-Windows-RestartManager'\n    condition: keywords and not 1 of filter_optional_*\nfalsepositives:\n    - Some software piracy tools (key generators, cracks) are classified as hack tools\nlevel: high\n",
        "summary": "This Sigma Rule detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords. It includes keywords related to various types of malware and viruses. The rule also includes optional filters for specific processes and information levels to reduce false positives. The rule is authored by Florian Roth and Arnim Rupp and was last modified in 2024.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4917 from @Neo23x0 - Update antivirus related rules"
        ]
    },
    "deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml": {
        "filename": "deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml",
        "creation_Date": "2024-08-07T18:01:07.553820",
        "modification_Date": "2024-08-07T18:03:00.434154",
        "lastUpdate_Date": "2024-08-07T18:03:00.434181",
        "sigmaRule": "title: Potential Persistence Via COM Hijacking From Suspicious Locations\nid: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77\nstatus: deprecated\ndescription: Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a suspicious or unusual location.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/28\nmodified: 2024/07/16\ntags:\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith:\n            - '\\InprocServer32\\(Default)'\n            - '\\LocalServer32\\(Default)'\n        Details|contains: # Add more suspicious paths and locations\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - '\\System32\\spool\\drivers\\color\\' # as seen in the knotweed blog\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '%appdata%'\n            - '%temp%'\n            - '%tmp%'\n    condition: selection\nfalsepositives:\n    - Probable legitimate applications. If you find these please add them to an exclusion list\nlevel: high\n",
        "summary": "This Sigma rule detects potential COM object hijacking by looking for instances where the \"Server\" (In/Out) in the registry points to suspicious or unusual locations such as '\\AppData\\Local\\Temp\\', '\\System32\\spool\\drivers\\color\\', or '%appdata%'. It is now deprecated and may have false positives due to legitimate applications using similar paths.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml": {
        "filename": "rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml",
        "creation_Date": "2024-08-07T18:01:08.626174",
        "modification_Date": "2024-08-07T18:03:00.471818",
        "lastUpdate_Date": "2024-08-07T18:03:00.471829",
        "sigmaRule": "title: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: test\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\n    - https://github.com/eset/malware-ioc/tree/master/oceanlotus\nauthor: megan201296, Jonhnathan Ribeiro\ndate: 2019/04/14\nmodified: 2023/09/28\ntags:\n    - attack.defense_evasion\n    - attack.t1112\n    - detection.emerging_threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection_clsid:\n        TargetObject|contains: '\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model'\n    selection_hkcu:\n        TargetObject|contains:\n            # HKCU\\SOFTWARE\\Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\n            - 'Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\'\n            # HKCU\\SOFTWARE\\Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\n            - 'Classes\\AppX3bbba44c6cae4d9695755183472171e2\\'\n            # HKCU\\SOFTWARE\\Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\n            - 'Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\'\n            - 'Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model'\n    selection_appx_1:\n        TargetObject|contains: '\\SOFTWARE\\App\\'\n    selection_appx_2:\n        TargetObject|contains:\n            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\\'\n            - 'AppX70162486c7554f7f80f481985d67586d\\'\n            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\\'\n        TargetObject|endswith:\n            - 'Application'\n            - 'DefaultIcon'\n    condition: selection_clsid or selection_hkcu or all of selection_appx_*\nfalsepositives:\n    - Unknown\nlevel: critical\n",
        "summary": "This Sigma rule detects registry keys created in OceanLotus (APT32) attacks by looking for specific patterns in the registry events on Windows systems. The rule includes selections for CLSID, HKCU, and AppX registry keys associated with OceanLotus activity. The rule is considered critical and has been authored by megan201296 and Jonhnathan Ribeiro.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml": {
        "filename": "rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml",
        "creation_Date": "2024-08-07T18:01:09.885698",
        "modification_Date": "2024-08-07T18:03:00.472082",
        "lastUpdate_Date": "2024-08-07T18:03:00.472086",
        "sigmaRule": "title: OilRig APT Registry Persistence\nid: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5\nrelated:\n    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System\n      type: similar\n    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security\n      type: similar\n    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation\n      type: similar\nstatus: test\ndescription: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report\nreferences:\n    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2018/03/23\nmodified: 2023/03/08\ntags:\n    - attack.persistence\n    - attack.g0049\n    - attack.t1053.005\n    - attack.s0111\n    - attack.t1543.003\n    - attack.defense_evasion\n    - attack.t1112\n    - attack.command_and_control\n    - attack.t1071.004\n    - detection.emerging_threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "This Sigma Rule detects OilRig registry persistence, as reported by Nyotron in their March 2018 report. It focuses on detecting specific registry keys related to OilRig APT activity. The rule specifies the target objects to monitor and sets a critical level of alert for any matches. The rule is designed for Windows systems and has a low likelihood of false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml": {
        "filename": "rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml",
        "creation_Date": "2024-08-07T18:01:11.090491",
        "modification_Date": "2024-08-07T18:03:00.472606",
        "lastUpdate_Date": "2024-08-07T18:03:00.472610",
        "sigmaRule": "title: Potential Ursnif Malware Activity - Registry\nid: 21f17060-b282-4249-ade0-589ea3591558\nstatus: test\ndescription: Detects registry keys related to Ursnif malware.\nreferences:\n    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/\n    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/\nauthor: megan201296\ndate: 2019/02/13\nmodified: 2023/02/07\ntags:\n    - attack.execution\n    - attack.t1112\n    - detection.emerging_threats\nlogsource:\n    product: windows\n    category: registry_add\ndetection:\n    selection:\n        EventType: CreateKey\n        TargetObject|contains: '\\Software\\AppDataLow\\Software\\Microsoft\\'\n    filter:\n        TargetObject|contains:\n            - '\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\'\n            - '\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\RepService\\'\n            - '\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\IME\\'\n            - '\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Edge\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects registry keys related to Ursnif malware by looking for certain patterns in the registry entries on a Windows system. The rule specifies the EventType as CreateKey and checks for specific strings in the TargetObject key. It filters out certain strings to reduce false positives. The rule has a high level of severity and was last modified on February 7, 2023.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml": {
        "filename": "rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml",
        "creation_Date": "2024-08-07T18:01:12.281351",
        "modification_Date": "2024-08-07T18:03:00.472829",
        "lastUpdate_Date": "2024-08-07T18:03:00.472833",
        "sigmaRule": "title: Leviathan Registry Key Activity\nid: 70d43542-cd2d-483c-8f30-f16b436fd7db\nstatus: test\ndescription: Detects registry key used by Leviathan APT in Malaysian focused campaign\nreferences:\n    - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign\nauthor: Aidan Bracher\ndate: 2020/07/07\nmodified: 2023/09/19\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging_threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd'\n    condition: selection\nlevel: critical\n",
        "summary": "This Sigma Rule detects registry key activity associated with the Leviathan APT group in a Malaysian-focused campaign. The rule focuses on a specific registry key path and is categorized as a critical level detection for Windows registry events.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml": {
        "filename": "rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml",
        "creation_Date": "2024-08-07T18:01:13.126619",
        "modification_Date": "2024-08-07T18:03:00.434526",
        "lastUpdate_Date": "2024-08-07T18:03:00.434536",
        "sigmaRule": "title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21\nid: 6c7defa9-69f8-4c34-b815-41fce3931754\nstatus: experimental\ndescription: |\n    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.\nreferences:\n    - https://www.tenable.com/security/research/tra-2023-11\n    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py\n    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal\nauthor: Nasreddine Bencherchali (Nextron Systems), Rohit Jain\ndate: 2024/06/25\ntags:\n    - detection.emerging_threats\n    - attack.initial_access\n    - attack.t1190\n    - cve.2023.1389\nlogsource:\n    category: proxy\ndetection:\n    selection_uri:\n        cs-method:\n            - 'GET'\n            - 'POST'\n        cs-uri|contains|all:\n            - '/cgi-bin/luci/;stok=/locale'\n            - 'form=country'\n    selection_keyword:\n        - 'operation=write'\n        - 'country=$('\n    condition: all of selection_*\nfalsepositives:\n    - Vulnerability Scanners\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential exploitation attempts of CVE-2023-1389, an Unauthenticated Command Injection in TP-Link Archer AX21. It looks for specific HTTP requests involving certain URIs and keywords that could indicate a command injection attempt. The rule is tagged with different threat categories and provides references to related research and code samples. It is set at a medium detection level and may have false positives with vulnerability scanners.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml": {
        "filename": "rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml",
        "creation_Date": "2024-08-07T18:01:14.402956",
        "modification_Date": "2024-08-07T18:03:00.434788",
        "lastUpdate_Date": "2024-08-07T18:03:00.434794",
        "sigmaRule": "title: Forest Blizzard APT - File Creation Activity\nid: b92d1d19-f5c9-4ed6-bbd5-7476709dc389\nstatus: experimental\ndescription: |\n    Detects the creation of specific files inside of ProgramData directory.\n    These files were seen being created by Forest Blizzard as described by MSFT.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/04/23\nmodified: 2024/07/11\ntags:\n    - attack.defense_evasion\n    - attack.t1562.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_programdata_driver_store:\n        TargetFilename|startswith:\n            - 'C:\\ProgramData\\Microsoft\\v'\n            - 'C:\\ProgramData\\Adobe\\v'\n            - 'C:\\ProgramData\\Comms\\v'\n            - 'C:\\ProgramData\\Intel\\v'\n            - 'C:\\ProgramData\\Kaspersky Lab\\v'\n            - 'C:\\ProgramData\\Bitdefender\\v'\n            - 'C:\\ProgramData\\ESET\\v'\n            - 'C:\\ProgramData\\NVIDIA\\v'\n            - 'C:\\ProgramData\\UbiSoft\\v'\n            - 'C:\\ProgramData\\Steam\\v'\n        TargetFilename|contains:\n            - '\\prnms003.inf_'\n            - '\\prnms009.inf_'\n    selection_programdata_main:\n        TargetFilename|startswith: 'C:\\ProgramData\\'\n    selection_programdata_files_1:\n        TargetFilename|endswith:\n            - '.save'\n            - '\\doit.bat'\n            - '\\execute.bat'\n            - '\\servtask.bat'\n        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events\n    selection_programdata_files_2:\n        TargetFilename|contains: '\\wayzgoose'\n        TargetFilename|endswith: '.dll'\n    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the creation of specific files inside the ProgramData directory on Windows systems. The files are associated with the Forest Blizzard post-compromise tool, as described by Microsoft. The rule includes multiple file selection criteria based on file names and locations. The rule has a high detection level and the likelihood of false positives is considered unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml": {
        "filename": "rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml",
        "creation_Date": "2024-08-07T18:01:15.518695",
        "modification_Date": "2024-08-07T18:03:00.435054",
        "lastUpdate_Date": "2024-08-07T18:03:00.435060",
        "sigmaRule": "title: Creation of an Executable by an Executable\nid: 297afac9-5d02-4138-8c58-b977bac60556\nstatus: experimental\ndescription: Detects the creation of an executable by another executable.\nreferences:\n    - Internal Research\nauthor: frack113\ndate: 2022/03/09\nmodified: 2023/11/06\ntags:\n    - attack.resource_development\n    - attack.t1587.001\n    - detection.threat_hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '.exe'\n        TargetFilename|endswith: '.exe'\n    filter_main_generic_1:\n        Image|endswith:\n            - ':\\Windows\\System32\\msiexec.exe'\n            - ':\\Windows\\system32\\cleanmgr.exe'\n            - ':\\Windows\\explorer.exe'\n            - ':\\WINDOWS\\system32\\dxgiadaptercache.exe'\n            - ':\\WINDOWS\\system32\\Dism.exe'\n            - ':\\Windows\\System32\\wuauclt.exe'\n    filter_main_update:\n        # Security_UserID: S-1-5-18\n        # Example:\n        #   TargetFilename: C:\\Windows\\SoftwareDistribution\\Download\\803d1df4c931df4f3e50a022cda56e88\\WindowsUpdateBox.exe\n        Image|endswith: ':\\WINDOWS\\system32\\svchost.exe'\n        TargetFilename|contains: ':\\Windows\\SoftwareDistribution\\Download\\'\n    filter_main_upgrade:\n        Image|endswith: ':\\Windows\\system32\\svchost.exe'\n        TargetFilename|contains|all:\n            # Example:\n            #   This example was seen during windows upgrade\n            #   TargetFilename: :\\WUDownloadCache\\803d1df4c931df4f3e50a022cda56e29\\WindowsUpdateBox.exe\n            - ':\\WUDownloadCache\\'\n            - '\\WindowsUpdateBox.exe'\n    filter_main_windows_update_box:\n        # This FP was seen during Windows Upgrade\n        # ParentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wuauserv\n        Image|contains: ':\\WINDOWS\\SoftwareDistribution\\Download\\'\n        Image|endswith: '\\WindowsUpdateBox.Exe'\n        TargetFilename|contains: ':\\$WINDOWS.~BT\\Sources\\'\n    filter_main_tiworker:\n        Image|contains: ':\\Windows\\WinSxS\\'\n        Image|endswith: '\\TiWorker.exe'\n    filter_main_programfiles:\n        - Image|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n        - TargetFilename|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n    filter_main_defender:\n        Image|contains:\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\'\n            - ':\\Program Files\\Windows Defender\\'\n    filter_main_windows_apps:\n        TargetFilename|contains: '\\AppData\\Local\\Microsoft\\WindowsApps\\'\n    filter_main_teams:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n        TargetFilename|endswith:\n            - '\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe'\n            - '\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe'\n            - '\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\'\n    filter_main_mscorsvw:\n        # Example:\n        #   ParentCommandLine: \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe\" ExecuteQueuedItems /LegacyServiceBehavior\n        #   Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\4f8c-0\\MSBuild.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\49bc-0\\testhost.net47.x86.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\39d8-0\\fsc.exe\n        Image|contains: ':\\Windows\\Microsoft.NET\\Framework\\'\n        Image|endswith: '\\mscorsvw.exe'\n        TargetFilename|contains: ':\\Windows\\assembly\\NativeImages_'\n    filter_main_vscode:\n        Image|contains: '\\AppData\\Local\\'\n        Image|endswith: '\\Microsoft VS Code\\Code.exe'\n        TargetFilename|contains: '\\.vscode\\extensions\\'\n    filter_main_githubdesktop:\n        Image|endswith: '\\AppData\\Local\\GitHubDesktop\\Update.exe'\n        # Example TargetFileName:\n        #   \\AppData\\Local\\SquirrelTemp\\tempb\\lib\\net45\\GitHubDesktop_ExecutionStub.exe\n        #   \\AppData\\Local\\SquirrelTemp\\tempb\\lib\\net45\\squirrel.exe\n        TargetFilename|contains: '\\AppData\\Local\\SquirrelTemp\\'\n    filter_main_windows_temp:\n        - Image|contains: ':\\WINDOWS\\TEMP\\'\n        - TargetFilename|contains: ':\\WINDOWS\\TEMP\\'\n    filter_optional_python:\n        Image|contains: '\\Python27\\python.exe'\n        TargetFilename|contains:\n            - '\\Python27\\Lib\\site-packages\\'\n            - '\\Python27\\Scripts\\'\n            - '\\AppData\\Local\\Temp\\'\n    filter_optional_squirrel:\n        Image|contains: '\\AppData\\Local\\SquirrelTemp\\Update.exe'\n        TargetFilename|contains: '\\AppData\\Local'\n    filter_main_temp_installers:\n        - Image|contains: '\\AppData\\Local\\Temp\\'\n        - TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n    filter_optional_chrome:\n        Image|endswith: '\\ChromeSetup.exe'\n        TargetFilename|contains: '\\Google'\n    filter_main_dot_net:\n        Image|contains: ':\\Windows\\Microsoft.NET\\Framework'\n        Image|endswith: '\\mscorsvw.exe'\n        TargetFilename|contains: ':\\Windows\\assembly'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    # Please contribute to FP to increase the level\n    - Software installers\n    - Update utilities\n    - 32bit applications launching their 64bit versions\nlevel: low\n",
        "summary": "This Sigma Rule detects the creation of an executable file by another executable on a Windows system. It includes various filters to target specific scenarios such as Windows updates, program installations, and specific software applications. The rule has a low level of confidence and may generate false positives for software installers, update utilities, and 32-bit applications launching their 64-bit versions.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml": {
        "filename": "rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml",
        "creation_Date": "2024-08-07T18:01:16.695194",
        "modification_Date": "2024-08-07T18:03:00.435267",
        "lastUpdate_Date": "2024-08-07T18:03:00.435274",
        "sigmaRule": "title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address\nid: cfed2f44-16df-4bf3-833a-79405198b277\nstatus: test\ndescription: |\n    Detects Dllhost.EXE initiating a network connection to a non-local IP address.\n    Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.\n    An initial baseline is recommended before deployment.\nreferences:\n    - https://redcanary.com/blog/child-processes/\n    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08\nauthor: bartblaze\ndate: 2020/07/13\nmodified: 2024/07/16\ntags:\n    - attack.defense_evasion\n    - attack.t1218\n    - attack.execution\n    - attack.t1559.001\n    - detection.threat_hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dllhost.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    filter_main_msrange:\n        DestinationIp|cidr:\n            - '20.184.0.0/13' # Microsoft Corporation\n            - '20.192.0.0/10' # Microsoft Corporation\n            - '23.72.0.0/13'  # Akamai International B.V.\n            - '51.10.0.0/15'  # Microsoft Corporation\n            - '51.103.0.0/16' # Microsoft Corporation\n            - '51.104.0.0/15' # Microsoft Corporation\n            - '52.224.0.0/11'  # Microsoft Corporation\n            - '150.171.0.0/19'  # Microsoft Corporation\n            - '204.79.197.0/24' # Microsoft Corporation'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Communication to other corporate systems that use IP addresses from public address spaces\nlevel: medium\n",
        "summary": "This Sigma rule detects when the Dllhost.EXE process initiates a network connection to a non-local IP address, excluding Microsoft's own IP range. It is recommended to establish a baseline before deploying this rule. The rule includes filters for excluding certain IP ranges and has a medium level of severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml": {
        "filename": "rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml",
        "creation_Date": "2024-08-07T18:01:17.823510",
        "modification_Date": "2024-08-07T18:03:00.435516",
        "lastUpdate_Date": "2024-08-07T18:03:00.435524",
        "sigmaRule": "title: Msiexec.EXE Initiated Network Connection Over HTTP\nid: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f\nstatus: test\ndescription: |\n    Detects a network connection initiated by an \"Msiexec.exe\" process over port 80 or 443.\n    Adversaries might abuse \"msiexec.exe\" to install and execute remotely hosted packages.\n    Use this rule to hunt for potentially anomalous or suspicious communications.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\nauthor: frack113\ndate: 2022/01/16\nmodified: 2024/07/16\ntags:\n    - attack.defense_evasion\n    - attack.t1218.007\n    - detection.threat_hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\msiexec.exe'\n        DestinationPort:\n            - 80\n            - 443\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n",
        "summary": "This Sigma rule detects network connections initiated by the \"Msiexec.exe\" process over port 80 or 443, which adversaries may abuse to remotely install and execute packages. It is used to hunt for potentially suspicious communications. The rule is tagged with defense evasion, threat hunting, and a specific attack technique. The detection criteria include the process \"Msiexec.exe\" initiating a connection on ports 80 or 443. The false positive rate is likely low.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml": {
        "filename": "rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml",
        "creation_Date": "2024-08-07T18:01:19.459410",
        "modification_Date": "2024-08-07T18:03:00.435938",
        "lastUpdate_Date": "2024-08-07T18:03:00.435944",
        "sigmaRule": "title: Potential Shellcode Injection\nid: 250ae82f-736e-4844-a68b-0b5e8cc887da\nstatus: test\ndescription: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.\nreferences:\n    - https://github.com/EmpireProject/PSInject\nauthor: Bhabesh Raj\ndate: 2022/03/11\nmodified: 2024/07/02\ntags:\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1055\n    - detection.threat_hunting\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        GrantedAccess:\n            - '0x147a'\n            - '0x1f3fff'\n        CallTrace|contains: 'UNKNOWN'\n    filter_main_wmiprvse:\n        SourceImage: 'C:\\Windows\\System32\\Wbem\\Wmiprvse.exe'\n        TargetImage: 'C:\\Windows\\system32\\lsass.exe'\n    filter_optional_dell_folders:\n        # If dell software is installed we get matches like these\n        # Example 1:\n        #   SourceImage: C:\\Program Files\\Dell\\SupportAssistAgent\\bin\\SupportAssistAgent.exe\n        #   TargetImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   GrantedAccess: 0x1F3FFF\n        # Example 2:\n        #   SourceImage: C:\\Program Files (x86)\\Dell\\UpdateService\\DCF\\Dell.DCF.UA.Bradbury.API.SubAgent.exe\n        #   TargetImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   GrantedAccess: 0x1F3FFF\n        # Example 3:\n        #   SourceImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   TargetImage: C:\\Program Files (x86)\\Dell\\UpdateService\\DCF\\Dell.DCF.UA.Bradbury.API.SubAgent.exe\n        #   GrantedAccess: 0x1F3FFF\n        SourceImage|startswith:\n            - 'C:\\Program Files\\Dell\\'\n            - 'C:\\Program Files (x86)\\Dell\\'\n        TargetImage|startswith:\n            - 'C:\\Program Files\\Dell\\'\n            - 'C:\\Program Files (x86)\\Dell\\'\n    filter_optional_dell_specifc:\n        SourceImage: 'C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe'\n        TargetImage: 'C:\\Windows\\Explorer.EXE'\n    filter_optional_visual_studio:\n        SourceImage|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n        TargetImage|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects potential shellcode injection used by tools like Metasploit's migrate and Empire's psinject on Windows systems. It looks for specific access permissions and suspicious process behavior, filtering out known benign processes related to Dell, Visual Studio, and Windows operations. The rule's conditions aim to reduce false positives and classify detections as medium severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml",
        "creation_Date": "2024-08-07T18:01:20.616278",
        "modification_Date": "2024-08-07T18:03:00.436183",
        "lastUpdate_Date": "2024-08-07T18:03:00.436187",
        "sigmaRule": "title: Password Protected Compressed File Extraction Via 7Zip\nid: b717b8fd-6467-4d7d-b3d3-27f9a463af77\nstatus: test\ndescription: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.\nreferences:\n    - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/03/10\nmodified: 2024/07/16\ntags:\n    - attack.collection\n    - attack.t1560.001\n    - detection.threat_hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_password:\n        CommandLine|contains|all:\n            - ' -p'\n            - ' x '\n            - ' -o'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate activity is expected since extracting files with a password can be common in some environment.\nlevel: low\n",
        "summary": "This Sigma Rule detects the usage of 7zip utilities (7z.exe, 7za.exe, and 7zr.exe) to extract password-protected zip files. It looks for specific command line parameters related to password-protected extraction and checks for the presence of 7zip executable files. Legitimate activity is expected since extracting files with a password is common in some environments.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml",
        "creation_Date": "2024-08-07T18:01:22.117130",
        "modification_Date": "2024-08-07T18:03:00.436768",
        "lastUpdate_Date": "2024-08-07T18:03:00.436777",
        "sigmaRule": "title: Potentially Suspicious PowerShell Child Processes\nid: e4b6d2a7-d8a4-4f19-acbd-943c16d90647\nstatus: test\ndescription: |\n    Detects potentially suspicious child processes spawned by PowerShell.\n    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.\nreferences:\n    - https://twitter.com/ankit_anubhav/status/1518835408502620162\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2022/04/26\nmodified: 2024/07/16\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat_hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\forfiles.exe'\n            - '\\hh.exe'\n            - '\\mshta.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\scrcons.exe'\n            - '\\scriptrunner.exe'\n            - '\\sh.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    filter_optional_amazon:\n        ParentCommandLine|contains: '\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\'  # AWS Workspaces\n        CommandLine|contains: '\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\'  # AWS Workspaces\n    filter_main_certutil_verify_store:\n        Image|endswith: '\\certutil.exe'\n        CommandLine|contains: '-verifystore '\n    filter_main_wmic:\n        Image|endswith: '\\wmic.exe'\n        CommandLine|contains:\n            - 'qfe list'\n            - 'diskdrive '\n            - 'csproduct '\n            - 'computersystem '\n            - ' os '\n            - ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as \"mshta\", \"bitsadmin\", etc. Apply additional filters for those scripts.\nlevel: medium\n",
        "summary": "This Sigma rule detects potentially suspicious child processes spawned by PowerShell, focusing on specific processes that may indicate malicious activity. It includes filters for common tools used by attackers, such as certutil and wmic, and provides guidance on handling false positives related to PowerShell scripts using additional binaries. It is recommended for threat hunting to identify anomalies initiated by PowerShell scripts and commands.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml",
        "creation_Date": "2024-08-07T18:01:23.848583",
        "modification_Date": "2024-08-07T18:03:00.436961",
        "lastUpdate_Date": "2024-08-07T18:03:00.436968",
        "sigmaRule": "title: DLL Call by Ordinal Via Rundll32.EXE\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\nstatus: stable\ndescription: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.\nreferences:\n    - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n    - https://github.com/Neo23x0/DLLRunner\n    - https://twitter.com/cyb3rops/status/1186631731543236608\n    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019/10/22\nmodified: 2024/07/16\ntags:\n    - attack.defense_evasion\n    - attack.t1218.011\n    - detection.threat_hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ',#'\n            - ', #'\n            - '.dll #'  # Sysmon removes , in its log\n            - '.ocx #'  # HermeticWizard\n    filter_optional_edge:\n        CommandLine|contains|all:\n            - 'EDGEHTML.dll'\n            - '#141'\n    filter_optional_vsbuild_dll:\n        ParentImage|contains:\n            - '\\Msbuild\\Current\\Bin\\'\n            - '\\VC\\Tools\\MSVC\\'\n            - '\\Tracker.exe'\n        CommandLine|contains:\n            - '\\FileTracker32.dll,#1'\n            - '\\FileTracker32.dll\",#1'\n            - '\\FileTracker64.dll,#1'\n            - '\\FileTracker64.dll\",#1'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment.\n    - Windows control panel elements have been identified as source (mmc).\nlevel: medium\n",
        "summary": "This Sigma Rule detects calls of DLL exports by ordinal numbers via rundll32.exe on Windows systems. It includes specific indicators to filter out known false positives and provides references for further information. The rule was authored by Florian Roth and last modified in July 2024. It has a medium detection level and may have false positives depending on the scripts and administrative tools used in the environment.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml": {
        "filename": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml",
        "creation_Date": "2024-08-07T18:01:25.416917",
        "modification_Date": "2024-08-07T18:03:00.437103",
        "lastUpdate_Date": "2024-08-07T18:03:00.437108",
        "sigmaRule": "title: Potential Suspicious Execution From GUID Like Folder Names\nid: 90b63c33-2b97-4631-a011-ceb0f47b77c3\nstatus: test\ndescription: |\n    Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.\n    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.\nreferences:\n    - https://twitter.com/Kostastsale/status/1565257924204986369\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/09/01\nmodified: 2023/03/02\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - detection.threat_hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Uncomment this section and remove the filter if you want the rule to be more specific to processes\n    # selection_img:\n    #     Image|endswith:\n    #         - '\\rundll32.exe'\n    selection_folder:\n        CommandLine|contains:\n            # Add more suspicious or unexpected paths\n            - '\\AppData\\Roaming\\'\n            - '\\AppData\\Local\\Temp\\' # This could generate some FP with some installers creating folders with GUID\n    selection_guid:\n        CommandLine|contains|all:\n            - '\\{'\n            - '}\\'\n    filter_main_image_guid:\n        Image|contains|all:\n            - '\\{'\n            - '}\\'\n    filter_main_null:\n        Image: null\n    filter_main_driver_inst:  # DrvInst.exe \"4\" \"0\" \"C:\\Users\\venom\\AppData\\Local\\Temp\\{a0753cc2-fcea-4d49-a787-2290b564b06f}\\nvvhci.inf\" \"9\" \"43a2fa8e7\" \"00000000000001C0\" \"WinSta0\\Default\" \"00000000000001C4\" \"208\" \"c:\\program files\\nvidia corporation\\installer2\\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}\"\n        Image: 'C:\\Windows\\System32\\drvinst.exe'\n    filter_main_msiexec:\n        Image:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    condition: all of selection_* and not 1 of filter*\nfalsepositives:\n    - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly\nlevel: low\n",
        "summary": "This Sigma rule detects potential suspicious execution of a GUID-like folder name located in suspicious locations, such as %TEMP%, especially in relation to IcedID attacks. It is used to hunt for potentially suspicious activity stemming from uncommon folders. The rule includes filters to reduce false positives related to legitimate installers creating folders with GUID-like names.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml": {
        "filename": "rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml",
        "creation_Date": "2024-08-07T18:01:26.476721",
        "modification_Date": "2024-08-07T18:03:00.437362",
        "lastUpdate_Date": "2024-08-07T18:03:00.437366",
        "sigmaRule": "title: Windows LAPS Credential Dump From Entra ID\nid: a4b25073-8947-489c-a8dd-93b41c23f26d\nstatus: experimental\ndescription: Detects when an account dumps the LAPS password from Entra ID.\nreferences:\n    - https://twitter.com/NathanMcNulty/status/1785051227568632263\n    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/\n    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487\nauthor: andrewdanis\ndate: 2024/06/26\ntags:\n    - attack.t1098.005\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        category: 'Device'\n        activityType|contains: 'Recover device local administrator password'\n        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'\n    condition: selection\nfalsepositives:\n    - Approved activity performed by an Administrator.\nlevel: high\n",
        "summary": "This Sigma Rule detects when an account dumps the Local Administrator Password Solution (LAPS) password from Entra ID by monitoring Azure audit logs for specific activity related to recovering device local administrator passwords. The rule may result in false positives if the activity is approved and performed by an administrator.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml",
        "creation_Date": "2024-08-07T18:01:27.680300",
        "modification_Date": "2024-08-07T18:03:00.437569",
        "lastUpdate_Date": "2024-08-07T18:03:00.437573",
        "sigmaRule": "title: MSSQL Add Account To Sysadmin Role\nid: 08200f85-2678-463e-9c32-88dce2f073d1\nstatus: test\ndescription: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/13\nmodified: 2024/06/26\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            - 'object_name:sysadmin'\n            - 'statement:alter server role [sysadmin] add member '\n    condition: selection\nfalsepositives:\n    - Rare legitimate administrative activity\nlevel: high\n",
        "summary": "This Sigma rule detects when an attacker attempts to backdoor an MSSQL server by adding a backdoor account to the sysadmin fixed server role. It specifically looks for EventID 33205 in the application log with specific criteria related to adding a member to the sysadmin role. It has a high severity level and may have rare false positives related to legitimate administrative activity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml",
        "creation_Date": "2024-08-07T18:01:29.193158",
        "modification_Date": "2024-08-07T18:03:00.437759",
        "lastUpdate_Date": "2024-08-07T18:03:00.437763",
        "sigmaRule": "title: MSSQL Disable Audit Settings\nid: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df\nstatus: test\ndescription: Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/13\nmodified: 2024/06/26\ntags:\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains:\n            - 'statement:ALTER SERVER AUDIT'\n            - 'statement:DROP SERVER AUDIT'\n    condition: selection\nfalsepositives:\n    - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up\nlevel: high\n",
        "summary": "Sigma Rule ID 350dfb37-3706-4cdc-9e2e-5e24bc3a46df detects when an attacker attempts to disable or delete audit logs on a MSSQL server by calling the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction. It looks for Event ID 33205 in the Windows application log and specific strings in the event data indicating these actions. This rule has a high level of severity and is designed to alert administrators to potentially malicious activity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml",
        "creation_Date": "2024-08-07T18:01:31.032014",
        "modification_Date": "2024-08-07T18:03:00.437992",
        "lastUpdate_Date": "2024-08-07T18:03:00.437997",
        "sigmaRule": "title: MSSQL Server Failed Logon\nid: 218d2855-2bba-4f61-9c85-81d0ea63ac71\nrelated:\n    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d\n      type: similar\nstatus: experimental\ndescription: Detects failed logon attempts from clients to MSSQL server.\nreferences:\n    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/\n    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html\nauthor: Nasreddine Bencherchali (Nextron Systems), j4son\ndate: 2023/10/11\nmodified: 2024/06/26\ntags:\n    - attack.credential_access\n    - attack.t1110\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: Must enable MSSQL authentication.'\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 18456\n    condition: selection\nfalsepositives:\n    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them\nlevel: low\n",
        "summary": "This Sigma Rule detects failed logon attempts from clients to MSSQL servers by looking for EventID 18456 in the Windows application log. It is recommended to enable MSSQL authentication for this rule to work properly. False positives may occur if users change an account's password used for authentication via a job or automated process. The rule is considered experimental and has a low impact level.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml",
        "creation_Date": "2024-08-07T18:01:32.670687",
        "modification_Date": "2024-08-07T18:03:00.438987",
        "lastUpdate_Date": "2024-08-07T18:03:00.438993",
        "sigmaRule": "title: MSSQL Server Failed Logon From External Network\nid: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d\nrelated:\n    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71\n      type: similar\nstatus: experimental\ndescription: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.\nreferences:\n    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/\n    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html\nauthor: j4son\ndate: 2023/10/11\nmodified: 2024/06/26\ntags:\n    - attack.credential_access\n    - attack.t1110\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: Must enable MSSQL authentication.'\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 18456\n    filter_main_local_ips:\n        Data|contains:\n            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8\n            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12\n            - 'CLIENT: 172.17.'\n            - 'CLIENT: 172.18.'\n            - 'CLIENT: 172.19.'\n            - 'CLIENT: 172.20.'\n            - 'CLIENT: 172.21.'\n            - 'CLIENT: 172.22.'\n            - 'CLIENT: 172.23.'\n            - 'CLIENT: 172.24.'\n            - 'CLIENT: 172.25.'\n            - 'CLIENT: 172.26.'\n            - 'CLIENT: 172.27.'\n            - 'CLIENT: 172.28.'\n            - 'CLIENT: 172.29.'\n            - 'CLIENT: 172.30.'\n            - 'CLIENT: 172.31.'\n            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16\n            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8\n            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects failed logon attempts from external network clients to an MSSQL server, which may indicate a brute force attack. The rule requires enabling MSSQL authentication and filters out logon attempts from local IP ranges. The detection criteria include the Provider_Name containing 'MSSQL' and EventID 18456.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml",
        "creation_Date": "2024-08-07T18:01:33.697927",
        "modification_Date": "2024-08-07T18:03:00.439148",
        "lastUpdate_Date": "2024-08-07T18:03:00.439152",
        "sigmaRule": "title: MSSQL SPProcoption Set\nid: b3d57a5c-c92e-4b48-9a79-5f124b7cf964\nstatus: test\ndescription: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/13\nmodified: 2024/06/26\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy to monitor for \"sp_procoption\" must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            - 'object_name:sp_procoption'\n            - 'statement:EXEC'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the feature by administrators (rare)\nlevel: high\n",
        "summary": "The Sigma rule \"MSSQL SPProcoption Set\" detects when a stored procedure is set or cleared for automatic execution in MSSQL. This rule is important because a stored procedure set to automatic execution runs every time an instance of SQL Server is started. The rule specifies that the MSSQL audit policy must be enabled to monitor for \"sp_procoption\" in order to receive the event in the application log. The rule looks for events with Provider Name containing 'MSSQL', EventID 33205, and Data containing 'object_name:sp_procoption' and 'statement:EXEC'. Legitimate use by administrators is a rare false positive.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml",
        "creation_Date": "2024-08-07T18:01:35.643483",
        "modification_Date": "2024-08-07T18:03:00.439283",
        "lastUpdate_Date": "2024-08-07T18:03:00.439287",
        "sigmaRule": "title: MSSQL XPCmdshell Suspicious Execution\nid: 7f103213-a04e-4d59-8261-213dddf22314\nstatus: test\ndescription: Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/12\nmodified: 2024/06/26\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy to monitor for \"xp_cmdshell\" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            # You can modify this to include specific commands\n            - 'object_name:xp_cmdshell'\n            - 'statement:EXEC'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious executions using the MSSQL \"xp_cmdshell\" stored procedure. It requires the MSSQL audit policy to be enabled to monitor for \"xp_cmdshell\" events in the application log. The rule looks for events with Provider_Name containing 'MSSQL', EventID 33205, and specific data containing 'object_name:xp_cmdshell' and 'statement:EXEC'. The rule is authored by Nasreddine Bencherchali and is tagged as attack.execution with a high severity level. False positives are listed as unknown.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml": {
        "filename": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml",
        "creation_Date": "2024-08-07T18:01:37.389920",
        "modification_Date": "2024-08-07T18:03:00.439414",
        "lastUpdate_Date": "2024-08-07T18:03:00.439419",
        "sigmaRule": "title: MSSQL XPCmdshell Option Change\nid: d08dd86f-681e-4a00-a92c-1db218754417\nstatus: test\ndescription: |\n    Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/12\nmodified: 2024/06/26\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 15457\n        Data|contains: 'xp_cmdshell'\n    condition: selection\nfalsepositives:\n    - Legitimate enable/disable of the setting\n    - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable\nlevel: high\n",
        "summary": "This Sigma Rule detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed. It uses the event log source from Windows applications with specific conditions to trigger the detection. The rule may result in false positives for legitimate changes to the setting. The level of severity for this rule is high.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml": {
        "filename": "rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml",
        "creation_Date": "2024-08-07T18:01:38.676021",
        "modification_Date": "2024-08-07T18:03:00.439614",
        "lastUpdate_Date": "2024-08-07T18:03:00.439618",
        "sigmaRule": "title: Pass the Hash Activity 2\nid: 8eef149c-bd26-49f2-9e5a-9b00e3af499b\nstatus: stable\ndescription: Detects the attack technique pass the hash which is used to move laterally inside the network\nreferences:\n    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events\n    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis\n    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/\nauthor: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)\ndate: 2019/06/14\nmodified: 2022/10/05\ntags:\n    - attack.lateral_movement\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: security\n    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624\ndetection:\n    selection_logon3:\n        EventID: 4624\n        SubjectUserSid: 'S-1-0-0'\n        LogonType: 3\n        LogonProcessName: 'NtLmSsp'\n        KeyLength: 0\n    selection_logon9:\n        EventID: 4624\n        LogonType: 9\n        LogonProcessName: 'seclogo'\n    filter:\n        TargetUserName: 'ANONYMOUS LOGON'\n    condition: 1 of selection_* and not filter\nfalsepositives:\n    - Administrator activity\nlevel: medium\n",
        "summary": "This Sigma Rule detects the attack technique known as pass the hash, which is used for lateral movement inside a network. It looks for specific event IDs and logon details in Windows security logs to identify potential instances of this attack. The rule was authored by Dave Kennedy, Jeff Warren, and David Vassallo, and was last modified in October 2022. The detection criteria include specific Event IDs, logon types, and process names. The rule has a medium severity level and lists potential false positives related to legitimate Administrator activity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml": {
        "filename": "rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml",
        "creation_Date": "2024-08-07T18:01:40.360541",
        "modification_Date": "2024-08-07T18:03:00.439675",
        "lastUpdate_Date": "2024-08-07T18:03:00.439679",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, an error will occur.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml": {
        "filename": "rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml",
        "creation_Date": "2024-08-07T18:01:40.916878",
        "modification_Date": "2024-08-07T18:03:00.439907",
        "lastUpdate_Date": "2024-08-07T18:03:00.439911",
        "sigmaRule": "title: Potential Privilege Escalation via Local Kerberos Relay over LDAP\nid: 749c9f5e-b353-4b90-a9c1-05243357ca4b\nstatus: test\ndescription: |\n    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\n    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\nreferences:\n    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g\n    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38\nauthor: Elastic, @SBousseaden\ndate: 2022/04/27\nmodified: 2024/07/02\ntags:\n    - attack.privilege_escalation\n    - attack.credential_access\n    - attack.t1548\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 3\n        AuthenticationPackageName: 'Kerberos'\n        IpAddress: '127.0.0.1'\n        TargetUserSid|startswith: 'S-1-5-21-'\n        TargetUserSid|endswith: '-500'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects a potential privilege escalation attack using a local Kerberos relay over LDAP. It looks for suspicious logon events where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This could indicate an attempt to elevate privilege locally from a limited user to local System privileges. The rule is set to a high detection level and has references to related Twitter and GitHub resources.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml": {
        "filename": "rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml",
        "creation_Date": "2024-08-07T18:01:42.152493",
        "modification_Date": "2024-08-07T18:03:00.440465",
        "lastUpdate_Date": "2024-08-07T18:03:00.440471",
        "sigmaRule": "title: Windows Defender Threat Detection Service Disabled\nid: 6c0a7755-6d31-44fa-80e1-133e57752680\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: derived\nstatus: stable\ndescription: Detects when the \"Windows Defender Threat Protection\" service is disabled.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: J\u00e1n Tren\u010dansk\u00fd, frack113\ndate: 2020/07/28\nmodified: 2024/07/02\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 7036\n        Provider_Name: 'Service Control Manager'\n        # Note: The service name and messages are localized\n        param1:\n            - 'Windows Defender Antivirus Service'\n            - 'Service antivirus Microsoft Defender' # French OS\n        param2:\n            - 'stopped'\n            - 'arr\u00eat\u00e9' # French OS\n    condition: selection\nfalsepositives:\n    - Administrator actions\n    - Auto updates of Windows Defender causes restarts\nlevel: medium\n",
        "summary": "This Sigma Rule detects when the \"Windows Defender Threat Protection\" service is disabled by monitoring EventID 7036 from the Service Control Manager in the Windows system logs. This rule helps in identifying potential security risks when the antivirus service is not running. The rule has been authored by J\u00e1n Tren\u010dansk\u00fd and frack113, and has been last modified on July 2, 2024. The rule is tagged with attack defense evasion and attack t1562.001.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml",
        "creation_Date": "2024-08-07T18:01:43.562680",
        "modification_Date": "2024-08-07T18:03:00.440707",
        "lastUpdate_Date": "2024-08-07T18:03:00.440712",
        "sigmaRule": "title: HackTool - CrackMapExec File Indicators\nid: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a\nrelated:\n    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489\n      type: obsoletes\nstatus: experimental\ndescription: Detects file creation events with filename patterns used by CrackMapExec.\nreferences:\n    - https://github.com/byt3bl33d3r/CrackMapExec/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/03/11\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_path:\n        TargetFilename|startswith: 'C:\\Windows\\Temp\\' # The disk extension is hardcoded in the tool.\n    selection_names_str:\n        TargetFilename|endswith:\n            - '\\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68\n            - '\\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106\n    selection_names_re:\n        - TargetFilename|re: '\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86\n        - TargetFilename|re: '\\\\[a-zA-Z]{8}\\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146\n    condition: selection_path and 1 of selection_names_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects file creation events with specific filename patterns used by CrackMapExec, a hacking tool. It targets files created in the 'C:\\Windows\\Temp\\' directory with names ending in '\\temp.ps1', '\\msol.ps1', or matching specific regular expressions. The rule has a high level of confidence and may have false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml",
        "creation_Date": "2024-08-07T18:01:44.817031",
        "modification_Date": "2024-08-07T18:03:00.440953",
        "lastUpdate_Date": "2024-08-07T18:03:00.440957",
        "sigmaRule": "title: HackTool - Typical HiveNightmare SAM File Export\nid: 6ea858a8-ba71-4a12-b2cc-5d83312404c7\nstatus: test\ndescription: Detects files written by the different tools that exploit HiveNightmare\nreferences:\n    - https://github.com/GossiTheDog/HiveNightmare\n    - https://github.com/FireFart/hivenightmare/\n    - https://github.com/WiredPulse/Invoke-HiveNightmare\n    - https://twitter.com/cube0x0/status/1418920190759378944\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/07/23\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1552.001\n    - cve.2021.36934\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        - TargetFilename|contains:\n              - '\\hive_sam_'  # Go version\n              - '\\SAM-2021-'  # C++ version\n              - '\\SAM-2022-'  # C++ version\n              - '\\SAM-2023-'  # C++ version\n              - '\\SAM-haxx'   # Early C++ versions\n              - '\\Sam.save'   # PowerShell version\n        - TargetFilename: 'C:\\windows\\temp\\sam'  # C# version of HiveNightmare\n    condition: selection\nfalsepositives:\n    - Files that accidentally contain these strings\nlevel: high\n",
        "summary": "This Sigma rule detects files written by tools that exploit HiveNightmare, a vulnerability related to the SAM file in Windows systems. It looks for specific filenames associated with different versions of tools that exploit HiveNightmare. The rule has a high level of detection and may have false positives for files that accidentally contain the specified strings.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml",
        "creation_Date": "2024-08-07T18:01:45.843926",
        "modification_Date": "2024-08-07T18:03:00.441582",
        "lastUpdate_Date": "2024-08-07T18:03:00.441587",
        "sigmaRule": "title: HackTool - Inveigh Execution Artefacts\nid: bb09dd3e-2b78-4819-8e35-a7c1b874e449\nstatus: test\ndescription: Detects the presence and execution of Inveigh via dropped artefacts\nreferences:\n    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs\n    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs\n    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/24\nmodified: 2024/06/27\ntags:\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\Inveigh-Log.txt'\n            - '\\Inveigh-Cleartext.txt'\n            - '\\Inveigh-NTLMv1Users.txt'\n            - '\\Inveigh-NTLMv2Users.txt'\n            - '\\Inveigh-NTLMv1.txt'\n            - '\\Inveigh-NTLMv2.txt'\n            - '\\Inveigh-FormInput.txt'\n            - '\\Inveigh.dll'\n            - '\\Inveigh.exe'\n            - '\\Inveigh.ps1'\n            - '\\Inveigh-Relay.ps1'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "This Sigma rule detects the presence and execution of Inveigh, a tool used for capturing network traffic related to Windows in cleartext, NTLM, and other forms. It looks for specific dropped artefacts such as log files, DLLs, executables, and scripts related to Inveigh. The rule is considered critical and has a low likelihood of generating false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml",
        "creation_Date": "2024-08-07T18:01:46.961217",
        "modification_Date": "2024-08-07T18:03:00.441750",
        "lastUpdate_Date": "2024-08-07T18:03:00.441754",
        "sigmaRule": "title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators\nid: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb\nstatus: experimental\ndescription: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.\nreferences:\n    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/27\ntags:\n    - attack.command_and_control\n    - attack.t1219\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - ':\\windows\\temp\\sam.tmp'\n            - ':\\windows\\temp\\sec.tmp'\n            - ':\\windows\\temp\\sys.tmp'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the creation of specific files used in the RemoteKrbRelay SMB Relay attack module. The rule looks for files with names ending in 'sam.tmp', 'sec.tmp', and 'sys.tmp' in the Windows temporary folder. The rule is considered to have a high level of detection accuracy and false positives are unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml",
        "creation_Date": "2024-08-07T18:01:48.022826",
        "modification_Date": "2024-08-07T18:03:00.441878",
        "lastUpdate_Date": "2024-08-07T18:03:00.441883",
        "sigmaRule": "title: HackTool - Mimikatz Kirbi File Creation\nid: 9e099d99-44c2-42b6-a6d8-54c3545cab29\nrelated:\n    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66\n      type: obsoletes\nstatus: test\ndescription: Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.\nreferences:\n    - https://cobalt.io/blog/kerberoast-attack-techniques\n    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/\nauthor: Florian Roth (Nextron Systems), David ANDRE\ndate: 2021/11/08\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1558\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.kirbi' # Kerberos tickets\n            - 'mimilsa.log' # MemSSP default file\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n",
        "summary": "Sigma Rule detects the creation of specific files (.kirbi, mimilsa.log) generated by the Mimikatz hack tool. The rule is designed to identify potential credential access attacks. False positives are considered unlikely, and the detection level is classified as critical.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_nppspy.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_nppspy.yml",
        "creation_Date": "2024-08-07T18:01:49.409111",
        "modification_Date": "2024-08-07T18:03:00.442019",
        "lastUpdate_Date": "2024-08-07T18:03:00.442023",
        "sigmaRule": "title: HackTool - NPPSpy Hacktool Usage\nid: cad1fe90-2406-44dc-bd03-59d0b58fe722\nstatus: test\ndescription: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy\n    - https://twitter.com/0gtweet/status/1465282548494487554\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/11/29\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\NPPSpy.txt'\n            - '\\NPPSpy.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the usage of the NPPSpy hacktool, which stores clear text passwords of users that logged in to a local file. The rule looks for specific file names that end with '\\NPPSpy.txt' or '\\NPPSpy.dll' on Windows file events. The detection level is high, and false positives are listed as unknown.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml",
        "creation_Date": "2024-08-07T18:01:50.535687",
        "modification_Date": "2024-08-07T18:03:00.442146",
        "lastUpdate_Date": "2024-08-07T18:03:00.442151",
        "sigmaRule": "title: HackTool - Powerup Write Hijack DLL\nid: 602a1f13-c640-4d73-b053-be9a2fa58b96\nstatus: test\ndescription: |\n    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\n    In it's default mode, it builds a self deleting .bat file which executes malicious command.\n    The detection rule relies on creation of the malicious bat file (debug.bat by default).\nreferences:\n    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/\nauthor: Subhash Popuri (@pbssubhash)\ndate: 2021/08/21\nmodified: 2024/06/27\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1574.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|endswith: '.bat'\n    condition: selection\nfalsepositives:\n    - Any powershell script that creates bat files # highly unlikely (untested)\nlevel: high\n",
        "summary": "The Sigma Rule detects the Powerup tool's Write Hijack DLL technique, which exploits DLL hijacking for privilege escalation. It identifies the creation of a malicious .bat file named debug.bat by default. The rule looks for file events where the Image ends with powershell.exe or pwsh.exe, and the TargetFilename ends with .bat on Windows systems. This rule has a high severity level.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml",
        "creation_Date": "2024-08-07T18:01:51.947490",
        "modification_Date": "2024-08-07T18:03:00.442277",
        "lastUpdate_Date": "2024-08-07T18:03:00.442281",
        "sigmaRule": "title: HackTool - QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: test\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/02/10\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1003.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\SAM-'\n            - '.dmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n",
        "summary": "Sigma Rule detects a dump file created by the QuarksPwDump password dumper tool. The rule looks for files with names containing '\\AppData\\Local\\Temp\\SAM-' and '.dmp' on Windows systems. The level of detection is critical, and false positives are listed as unknown. The rule was authored by Florian Roth from Nextron Systems and last modified on June 27, 2024.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml",
        "creation_Date": "2024-08-07T18:01:53.316510",
        "modification_Date": "2024-08-07T18:03:00.442406",
        "lastUpdate_Date": "2024-08-07T18:03:00.442412",
        "sigmaRule": "title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump\nid: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a\nstatus: test\ndescription: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.\nreferences:\n    - https://github.com/Porchetta-Industries/CrackMapExec\n    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py\nauthor: SecurityAura\ndate: 2022/11/16\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy\n        TargetFilename|re: '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects potential remote credential dumping activity using CrackMapExec or Impacket-Secretsdump by looking for default filenames output from the execution of these tools against an endpoint on a Windows system.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml",
        "creation_Date": "2024-08-07T18:01:54.136934",
        "modification_Date": "2024-08-07T18:03:00.442533",
        "lastUpdate_Date": "2024-08-07T18:03:00.442537",
        "sigmaRule": "title: HackTool - SafetyKatz Dump Indicator\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: test\ndescription: Detects default lsass dump filename generated by SafetyKatz.\nreferences:\n    - https://github.com/GhostPack/SafetyKatz\n    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63\nauthor: Markus Neis\ndate: 2018/07/24\nmodified: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\Temp\\debug.bin'\n    condition: selection\nfalsepositives:\n    - Rare legitimate files with similar filename structure\nlevel: high\n",
        "summary": "This Sigma Rule detects the default lsass dump filename generated by SafetyKatz by looking for files with the name ending in '\\Temp\\debug.bin'. It has a high level of detection accuracy but may have false positives with rare legitimate files that have a similar filename structure. The rule was authored by Markus Neis in 2018 and last modified in 2024. It is used for detecting credential access attacks and specifically falls under the attack.t1003.001 category.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml",
        "creation_Date": "2024-08-07T18:01:55.657365",
        "modification_Date": "2024-08-07T18:03:00.442744",
        "lastUpdate_Date": "2024-08-07T18:03:00.442749",
        "sigmaRule": "title: PDF File Created By RegEdit.EXE\nid: 145095eb-e273-443b-83d0-f9b519b7867b\nstatus: experimental\ndescription: |\n    Detects the creation of a file with the \".pdf\" extension by the \"RegEdit.exe\" process.\n    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.\nreferences:\n    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/08\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\regedit.exe'\n        TargetFilename|endswith: '.pdf'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the creation of a PDF file by the \"RegEdit.exe\" process, indicating potential extraction of sensitive information and bypassing of defenses. It has a high detection level and the false positive rate is considered unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml": {
        "filename": "rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml",
        "creation_Date": "2024-08-07T18:01:56.829737",
        "modification_Date": "2024-08-07T18:03:00.442990",
        "lastUpdate_Date": "2024-08-07T18:03:00.442994",
        "sigmaRule": "title: DPAPI Backup Keys And Certificate Export Activity IOC\nid: 7892ec59-c5bb-496d-8968-e5d210ca3ac4\nstatus: experimental\ndescription: |\n    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.\nreferences:\n    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32\nauthor: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/26\ntags:\n    - attack.t1555\n    - attack.t1552.004\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - 'ntds_capi_'\n            - 'ntds_legacy_'\n            - 'ntds_unknown_'\n        TargetFilename|endswith:\n            - '.cer'\n            - '.key'\n            - '.pfx'\n            - '.pvk'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects file names with specific patterns related to exported or stolen DPAPI backup keys and certificates, which are commonly used by tools like Mimikatz and DSInternals. The rule looks for files with names containing 'ntds_capi_', 'ntds_legacy_', or 'ntds_unknown_', as well as ending with '.cer', '.key', '.pfx', or '.pvk'. This activity is considered a high level threat and has a low likelihood of false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_addinutil_initiated.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_addinutil_initiated.yml",
        "creation_Date": "2024-08-07T18:01:58.528188",
        "modification_Date": "2024-08-07T18:03:00.443197",
        "lastUpdate_Date": "2024-08-07T18:03:00.443201",
        "sigmaRule": "title: Network Connection Initiated By AddinUtil.EXE\nid: 5205613d-2a63-4412-a895-3a2458b587b3\nstatus: test\ndescription: |\n    Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\n    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023/09/18\nmodified: 2024/07/16\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\addinutil.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "Sigma Rule ID 5205613d-2a63-4412-a895-3a2458b587b3 detects a high-level alert for a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe,\" which is not a usual behavior for this tool. This could indicate potential command and control communication. The rule is based on the detection of network activity initiated by AddInutil.exe on Windows systems. The rule was authored by Michael McKinley and Tony Latteri, with the latest modification made on July 16, 2024.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml",
        "creation_Date": "2024-08-07T18:02:00.046050",
        "modification_Date": "2024-08-07T18:03:00.443244",
        "lastUpdate_Date": "2024-08-07T18:03:00.443247",
        "sigmaRule": "file does not exist",
        "summary": "If the file being referenced does not exist, the Sigma Rule will not be applied.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml",
        "creation_Date": "2024-08-07T18:02:00.677876",
        "modification_Date": "2024-08-07T18:03:00.443460",
        "lastUpdate_Date": "2024-08-07T18:03:00.443464",
        "sigmaRule": "title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process\nid: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83\nrelated:\n    - id: e043f529-8514-4205-8ab0-7f7d2927b400\n      type: derived\nstatus: experimental\ndescription: |\n    Detects an initiated network connection by a non browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.\nreferences:\n    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/\n    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia\n    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\n    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/24\nmodified: 2024/07/16\ntags:\n    - attack.command_and_control\n    - attack.t1102\n    - attack.t1102.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: 'azurewebsites.net'\n    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations\n    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_chrome_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_firefox_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_safari:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\Safari\\'\n            - 'C:\\Program Files\\Safari\\'\n        Image|endswith: '\\safari.exe'\n    filter_main_defender:\n        Image|contains:\n            - 'C:\\Program Files\\Windows Defender Advanced Threat Protection\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_main_prtg:\n        # Paessler's PRTG Network Monitor\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n            - 'C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe'\n    filter_main_brave:\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n        Image|endswith: '\\brave.exe'\n    filter_main_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_main_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_main_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    # Note: The TOR browser shouldn't be something you allow in your corporate network.\n    # filter_main_tor:\n    #     Image|contains: '\\Tor Browser\\'\n    filter_main_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_main_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_main_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_main_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_main_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_main_qtweb:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\QtWeb\\'\n            - 'C:\\Program Files\\QtWeb\\'\n        Image|endswith: '\\QtWeb.exe'\n    filter_main_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    filter_main_discord:\n        Image|contains: '\\AppData\\Local\\Discord\\'\n        Image|endswith: '\\Discord.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    # filter_optional_qlik:\n    #     Image|endswith: '\\Engine.exe' # Process from qlik.com app\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects a network connection initiated by a non-browser process on the system to \"azurewebsites.net\", which has been used by threat actors for malicious purposes. The rule includes filters for various browser applications to avoid false positives. It has a medium level of severity and its status is experimental.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml",
        "creation_Date": "2024-08-07T18:02:01.730122",
        "modification_Date": "2024-08-07T18:03:00.443710",
        "lastUpdate_Date": "2024-08-07T18:03:00.443715",
        "sigmaRule": "title: Potential Dead Drop Resolvers\nid: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7\nrelated:\n    - id: d7b09985-95a3-44be-8450-b6eadf49833e\n      type: obsoletes\nstatus: test\ndescription: |\n    Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.\n    In this context attackers leverage known websites such as \"facebook\", \"youtube\", etc. In order to pass through undetected.\nreferences:\n    - https://content.fireeye.com/apt-41/rpt-apt41\n    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/\n    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html\n    - https://github.com/kleiton0x00/RedditC2\n    - https://twitter.com/kleiton0x7e/status/1600567316810551296\n    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al\nauthor: Sorina Ionescu, X__Junior (Nextron Systems)\ndate: 2022/08/17\nmodified: 2024/07/16\ntags:\n    - attack.command_and_control\n    - attack.t1102\n    - attack.t1102.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.t.me'\n            - '4shared.com'\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'cloudflare.com'\n            - 'ddns.net'\n            - 'discord.com'\n            - 'docs.google.com'\n            - 'drive.google.com'\n            - 'dropbox.com'\n            - 'dropmefiles.com'\n            - 'facebook.com'\n            - 'feeds.rapidfeeds.com'\n            - 'fotolog.com'\n            - 'ghostbin.co/'\n            - 'githubusercontent.com'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'imgur.com'\n            - 'livejournal.com'\n            - 'mediafire.com'\n            - 'mega.co.nz'\n            - 'mega.nz'\n            - 'onedrive.com'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'reddit.com'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'steamcommunity.com'\n            - 'storage.googleapis.com'\n            - 'technet.microsoft.com'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'twitter.com'\n            - 'ufile.io'\n            - 'abuse.ch'\n            - 'vimeo.com'\n            - 'wetransfer.com'\n            - 'youtube.com'\n    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations\n    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_chrome_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_firefox_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_safari:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\Safari\\'\n            - 'C:\\Program Files\\Safari\\'\n        Image|endswith: '\\safari.exe'\n    filter_main_defender:\n        Image|contains:\n            - 'C:\\Program Files\\Windows Defender Advanced Threat Protection\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_main_prtg:\n        # Paessler's PRTG Network Monitor\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n            - 'C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe'\n    filter_main_brave:\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n        Image|endswith: '\\brave.exe'\n    filter_main_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_main_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_main_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    # Note: The TOR browser shouldn't be something you allow in your corporate network.\n    # filter_main_tor:\n    #     Image|contains: '\\Tor Browser\\'\n    filter_main_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_main_midori:\n        Image|contains: '\\AppData\\Local\\Programs\\midori-ng\\'\n        Image|endswith: '\\Midori Next Generation.exe'\n    filter_main_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_main_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_main_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_main_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_main_qtweb:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\QtWeb\\'\n            - 'C:\\Program Files\\QtWeb\\'\n        Image|endswith: '\\QtWeb.exe'\n    filter_main_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    filter_main_whatsapp:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\WindowsApps\\'\n            - 'C:\\Program Files\\WindowsApps\\'\n        Image|endswith: '\\WhatsApp.exe'\n        DestinationHostname|endswith: 'facebook.com'\n    filter_main_telegram:\n        Image|contains: '\\AppData\\Roaming\\Telegram Desktop\\'\n        Image|endswith: '\\Telegram.exe'\n        DestinationHostname|endswith: '.t.me'\n    filter_main_onedrive:\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n        Image|endswith: '\\OneDrive.exe'\n        DestinationHostname|endswith: 'onedrive.com'\n    filter_main_dropbox:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Dropbox\\Client\\'\n            - 'C:\\Program Files\\Dropbox\\Client\\'\n        Image|endswith:\n            - '\\Dropbox.exe'\n            - '\\DropboxInstaller.exe'\n        DestinationHostname|endswith: 'dropbox.com'\n    filter_main_mega:\n        Image|endswith:\n            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.\n            #       In practice please apply exact path to avoid basic path bypass techniques.\n            - '\\MEGAsync.exe'\n            - '\\MEGAsyncSetup32_*RC.exe' # Beta versions\n            - '\\MEGAsyncSetup32.exe' # Installers 32bit\n            - '\\MEGAsyncSetup64.exe' # Installers 64bit\n            - '\\MEGAupdater.exe'\n        DestinationHostname|endswith:\n            - 'mega.co.nz'\n            - 'mega.nz'\n    filter_main_googledrive:\n        Image|contains:\n            - 'C:\\Program Files\\Google\\Drive File Stream\\'\n            - 'C:\\Program Files (x86)\\Google\\Drive File Stream\\'\n        Image|endswith: 'GoogleDriveFS.exe'\n        DestinationHostname|endswith: 'drive.google.com'\n    filter_main_discord:\n        Image|contains: '\\AppData\\Local\\Discord\\'\n        Image|endswith: '\\Discord.exe'\n        DestinationHostname|endswith:\n            - 'discord.com'\n            - 'cdn.discordapp.com'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    # filter_optional_qlik:\n    #     Image|endswith: '\\Engine.exe' # Process from qlik.com app\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.\n    - Ninite contacting githubusercontent.com\nlevel: high\n",
        "summary": "This Sigma Rule detects executables that are not internet browsers or known applications initiating network connections to popular websites that have been used as dead drop resolvers in previous attacks. Attackers leverage well-known websites such as Facebook, YouTube, etc. to avoid detection. The rule provides a list of legitimate websites and filters out common internet browsers and applications to focus on potential threats. It includes various filters for different browsers and applications to avoid false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml",
        "creation_Date": "2024-08-07T18:02:03.171631",
        "modification_Date": "2024-08-07T18:03:00.443913",
        "lastUpdate_Date": "2024-08-07T18:03:00.443916",
        "sigmaRule": "title: Suspicious Dropbox API Usage\nid: 25eabf56-22f0-4915-a1ed-056b8dae0a68\nstatus: test\ndescription: Detects an executable that isn't dropbox but communicates with the Dropbox API\nreferences:\n    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb\n    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/04/20\ntags:\n    - attack.command_and_control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - 'api.dropboxapi.com'\n            - 'content.dropboxapi.com'\n    filter_main_legit_dropbox:\n        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed\n        Image|contains: '\\Dropbox'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use of the API with a tool that the author wasn't aware of\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious Dropbox API usage by identifying an executable that is not Dropbox but communicates with the Dropbox API. The rule specifies criteria for detecting such activity, including checking the destination hostname for specific Dropbox API endpoints and filtering out legitimate Dropbox installations. The rule's author warns of potential false positives if legitimate API usage with unknown tools is identified. The detection level is set to high.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml",
        "creation_Date": "2024-08-07T18:02:04.973325",
        "modification_Date": "2024-08-07T18:03:00.444142",
        "lastUpdate_Date": "2024-08-07T18:03:00.444147",
        "sigmaRule": "title: Suspicious Non-Browser Network Communication With Google API\nid: 7e9cf7b6-e827-11ed-a05b-0242ac120003\nstatus: experimental\ndescription: |\n    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)\nreferences:\n    - https://github.com/looCiprian/GC2-sheet\n    - https://youtu.be/n2dFlSaBBKo\n    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf\n    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/\n    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/\nauthor: Gavin Knapp\ndate: 2023/05/01\nmodified: 2024/07/16\ntags:\n    - attack.command_and_control\n    - attack.t1102\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains:\n            # Note: Please add additional google API related domains that might be abused.\n            - 'drive.googleapis.com'\n            - 'oauth2.googleapis.com'\n            - 'sheets.googleapis.com'\n            - 'www.googleapis.com'\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image|endswith:\n            - ':\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - ':\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_google_drive:\n        Image|contains: ':\\Program Files\\Google\\Drive File Stream\\'\n        Image|endswith: '\\GoogleDriveFS.exe'\n    filter_optional_firefox:\n        Image|endswith:\n            - ':\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - ':\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image|endswith:\n            - ':\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - ':\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|contains: ':\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith:\n              - ':\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - ':\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n              - '\\WindowsApps\\MicrosoftEdge.exe'\n    filter_optional_edge_2:\n        Image|contains:\n            - ':\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - ':\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    filter_optional_googleupdate:\n        Image|endswith: '\\GoogleUpdate.exe'\n    filter_optional_outlook.exe:\n        Image|endswith: '\\outlook.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.\nlevel: medium\n",
        "summary": "This Sigma Rule detects suspicious non-browser processes interacting with Google API, which could signal the use of covert command and control techniques like GC2-sheet. It focuses on monitoring network connections to specific Google API domains and includes filters for various browsers and other software to reduce false positives. The rule's author is Gavin Knapp, and it is tagged with attack.command_and_control and attack.t1102. The detection level is medium, with potential false positives from legitimate applications using Google API.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_msiexec_http.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_msiexec_http.yml",
        "creation_Date": "2024-08-07T18:02:06.445431",
        "modification_Date": "2024-08-07T18:03:00.444188",
        "lastUpdate_Date": "2024-08-07T18:03:00.444192",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, the Sigma rule will not be able to perform any actions or detections on it.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml",
        "creation_Date": "2024-08-07T18:02:07.165375",
        "modification_Date": "2024-08-07T18:03:00.444710",
        "lastUpdate_Date": "2024-08-07T18:03:00.444715",
        "sigmaRule": "title: Office Application Initiated Network Connection To Non-Local IP\nid: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84\nstatus: test\ndescription: |\n    Detects an office application (Word, Excel, PowerPoint)  that initiate a network connection to a non-private IP addresses.\n    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\n    This rule will require an initial baseline and tuning that is specific to your organization.\nreferences:\n    - https://corelight.com/blog/detecting-cve-2021-42292\n    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide\nauthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021/11/10\nmodified: 2024/07/02\ntags:\n    - attack.execution\n    - attack.t1203\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\wordview.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_main_msrange_generic:\n        DestinationIp|cidr:\n            - '20.184.0.0/13' # Microsoft Corporation\n            - '20.192.0.0/10' # Microsoft Corporation\n            - '23.72.0.0/13' # Akamai International B.V.\n            - '40.76.0.0/14' # Microsoft Corporation\n            - '51.10.0.0/15' # Microsoft Corporation\n            - '51.103.0.0/16' # Microsoft Corporation\n            - '51.104.0.0/15' # Microsoft Corporation\n            - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22\n            - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11\n            - '204.79.197.0/24' # Microsoft Corporation\n    filter_main_msrange_exchange_1:\n        # Exchange Online\n        # \"urls\": [\n        #       \"outlook.cloud.microsoft\",\n        #       \"outlook.office.com\",\n        #       \"outlook.office365.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.6.152/31'\n            - '13.107.18.10/31'\n            - '13.107.128.0/22'\n            - '23.103.160.0/20'\n            - '40.96.0.0/13'\n            - '40.104.0.0/15'\n            - '52.96.0.0/14'\n            - '131.253.33.215/32'\n            - '132.245.0.0/16'\n            - '150.171.32.0/22'\n            - '204.79.197.215/32'\n            - '2603:1006::/40'\n            - '2603:1016::/36'\n            - '2603:1026::/36'\n            - '2603:1036::/36'\n            - '2603:1046::/36'\n            - '2603:1056::/36'\n            - '2620:1ec:4::152/128'\n            - '2620:1ec:4::153/128'\n            - '2620:1ec:c::10/128'\n            - '2620:1ec:c::11/128'\n            - '2620:1ec:d::10/128'\n            - '2620:1ec:d::11/128'\n            - '2620:1ec:8f0::/46'\n            - '2620:1ec:900::/46'\n            - '2620:1ec:a92::152/128'\n            - '2620:1ec:a92::153/128'\n        DestinationPort:\n            - 80\n            - 443\n    filter_main_msrange_exchange_2:\n        # Exchange Online\n        # \"urls\": [\n        #       \"outlook.office365.com\",\n        #       \"smtp.office365.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.6.152/31'\n            - '13.107.18.10/31'\n            - '13.107.128.0/22'\n            - '23.103.160.0/20'\n            - '40.96.0.0/13'\n            - '40.104.0.0/15'\n            - '52.96.0.0/14'\n            - '131.253.33.215/32'\n            - '132.245.0.0/16'\n            - '150.171.32.0/22'\n            - '204.79.197.215/32'\n            - '2603:1006::/40'\n            - '2603:1016::/36'\n            - '2603:1026::/36'\n            - '2603:1036::/36'\n            - '2603:1046::/36'\n            - '2603:1056::/36'\n            - '2620:1ec:4::152/128'\n            - '2620:1ec:4::153/128'\n            - '2620:1ec:c::10/128'\n            - '2620:1ec:c::11/128'\n            - '2620:1ec:d::10/128'\n            - '2620:1ec:d::11/128'\n            - '2620:1ec:8f0::/46'\n            - '2620:1ec:900::/46'\n            - '2620:1ec:a92::152/128'\n            - '2620:1ec:a92::153/128'\n        DestinationPort:\n            - 143\n            - 587\n            - 993\n            - 995\n        Protocol: 'tcp'\n    filter_main_msrange_exchange_3:\n        # Exchange Online\n        # \"urls\": [\n        #       \"*.protection.outlook.com\"\n        #  ]\n        DestinationIp|cidr:\n            - '40.92.0.0/15'\n            - '40.107.0.0/16'\n            - '52.100.0.0/14'\n            - '52.238.78.88/32'\n            - '104.47.0.0/17'\n            - '2a01:111:f400::/48'\n            - '2a01:111:f403::/48'\n        DestinationPort: 443\n    filter_main_msrange_exchange_4:\n        # Exchange Online\n        # \"urls\": [\n        #       \"*.mail.protection.outlook.com\",\n        #       \"*.mx.microsoft\"\n        #  ]\n        DestinationIp|cidr:\n            - '40.92.0.0/15'\n            - '40.107.0.0/16'\n            - '52.100.0.0/14'\n            - '52.238.78.88/32'\n            - '104.47.0.0/17'\n            - '2a01:111:f400::/48'\n            - '2a01:111:f403::/48'\n        DestinationPort: 25\n    filter_main_msrange_sharepoint_1:\n        # SharePoint Online and OneDrive for Business\",\n        # \"urls\": [\n        #       \"*.sharepoint.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.136.0/22'\n            - '40.108.128.0/17'\n            - '52.104.0.0/14'\n            - '104.146.128.0/17'\n            - '150.171.40.0/22'\n            - '2603:1061:1300::/40'\n            - '2620:1ec:8f8::/46'\n            - '2620:1ec:908::/46'\n            - '2a01:111:f402::/48'\n        DestinationPort:\n            - 80\n            - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_1:\n        # Microsoft 365 Common and Office Online\",\n        # \"urls\": [\n        #       \"*.officeapps.live.com\",\n        #       \"*.online.office.com\",\n        #       \"office.live.com\"\n        # ],\n        DestinationIp|cidr:\n            - '13.107.6.171/32'\n            - '13.107.18.15/32'\n            - '13.107.140.6/32'\n            - '52.108.0.0/14'\n            - '52.244.37.168/32'\n            - '2603:1006:1400::/40'\n            - '2603:1016:2400::/40'\n            - '2603:1026:2400::/40'\n            - '2603:1036:2400::/40'\n            - '2603:1046:1400::/40'\n            - '2603:1056:1400::/40'\n            - '2603:1063:2000::/38'\n            - '2620:1ec:c::15/128'\n            - '2620:1ec:8fc::6/128'\n            - '2620:1ec:a92::171/128'\n            - '2a01:111:f100:2000::a83e:3019/128'\n            - '2a01:111:f100:2002::8975:2d79/128'\n            - '2a01:111:f100:2002::8975:2da8/128'\n            - '2a01:111:f100:7000::6fdd:6cd5/128'\n            - '2a01:111:f100:a004::bfeb:88cf/128'\n        DestinationPort:\n            - 80\n            - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_2:\n        # Microsoft 365 Common and Office Online\n        # \"urls\": [\n        #       \"*.auth.microsoft.com\",\n        #       \"*.msftidentity.com\",\n        #       \"*.msidentity.com\",\n        #       \"account.activedirectory.windowsazure.com\",\n        #       \"accounts.accesscontrol.windows.net\",\n        #       \"adminwebservice.microsoftonline.com\",\n        #       \"api.passwordreset.microsoftonline.com\",\n        #       \"autologon.microsoftazuread-sso.com\",\n        #       \"becws.microsoftonline.com\",\n        #       \"ccs.login.microsoftonline.com\",\n        #       \"clientconfig.microsoftonline-p.net\",\n        #       \"companymanager.microsoftonline.com\",\n        #       \"device.login.microsoftonline.com\",\n        #       \"graph.microsoft.com\",\n        #       \"graph.windows.net\",\n        #       \"login-us.microsoftonline.com\",\n        #       \"login.microsoft.com\",\n        #       \"login.microsoftonline-p.com\",\n        #       \"login.microsoftonline.com\",\n        #       \"login.windows.net\",\n        #       \"logincert.microsoftonline.com\",\n        #       \"loginex.microsoftonline.com\",\n        #       \"nexus.microsoftonline-p.com\",\n        #       \"passwordreset.microsoftonline.com\",\n        #       \"provisioningapi.microsoftonline.com\"\n        # ]\n        DestinationIp|cidr:\n            - '20.20.32.0/19'\n            - '20.190.128.0/18'\n            - '20.231.128.0/19'\n            - '40.126.0.0/18'\n            - '2603:1006:2000::/48'\n            - '2603:1007:200::/48'\n            - '2603:1016:1400::/48'\n            - '2603:1017::/48'\n            - '2603:1026:3000::/48'\n            - '2603:1027:1::/48'\n            - '2603:1036:3000::/48'\n            - '2603:1037:1::/48'\n            - '2603:1046:2000::/48'\n            - '2603:1047:1::/48'\n            - '2603:1056:2000::/48'\n            - '2603:1057:2::/48'\n        DestinationPort:\n            - 80\n            - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_3:\n        # Microsoft 365 Common and Office Online\n        #  \"urls\": [\n        #       \"*.compliance.microsoft.com\",\n        #       \"*.protection.office.com\",\n        #       \"*.security.microsoft.com\",\n        #       \"compliance.microsoft.com\",\n        #       \"defender.microsoft.com\",\n        #       \"protection.office.com\",\n        #       \"security.microsoft.com\"\n        #  ]\n        DestinationIp|cidr:\n            - '13.107.6.192/32'\n            - '13.107.9.192/32'\n            - '52.108.0.0/14'\n            - '2620:1ec:4::192/128'\n            - '2620:1ec:a92::192/128'\n        DestinationPort: 443\n        Protocol: 'tcp'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.\n    - Office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.\n    - It is highly recommended to baseline your activity and tune out common business use cases.\nlevel: medium\n",
        "summary": "This Sigma Rule detects office applications such as Word, Excel, and PowerPoint initiating network connections to non-private IP addresses. It aims to detect traffic similar to that seen in CVE-2021-42292 and requires tuning specific to the organization. The rule filters out connections to known Microsoft IP ranges and common Office 365 services. The rule may require tuning to exclude legitimate business use cases and false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml": {
        "filename": "rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml",
        "creation_Date": "2024-08-07T18:02:09.050508",
        "modification_Date": "2024-08-07T18:03:00.444894",
        "lastUpdate_Date": "2024-08-07T18:03:00.444898",
        "sigmaRule": "title: Office Application Initiated Network Connection Over Uncommon Ports\nid: 3b5ba899-9842-4bc2-acc2-12308498bf42\nstatus: experimental\ndescription: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/07/12\nmodified: 2024/07/02\ntags:\n    - attack.defense_evasion\n    - attack.command_and_control\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\wordview.exe'\n    filter_main_common_ports:\n        DestinationPort:\n            - 53 # DNS\n            - 80 # HTTP\n            - 139 # NETBIOS\n            - 443 # HTTPS\n            - 445 # SMB\n    filter_main_outlook_ports:\n        Image|contains: ':\\Program Files\\Microsoft Office\\'\n        Image|endswith: '\\OUTLOOK.EXE'\n        DestinationPort:\n            - 143\n            - 465 # SMTP\n            - 587 # SMTP\n            - 993 # IMAP\n            - 995 # POP3\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Other ports can be used, apply additional filters accordingly\nlevel: medium\n",
        "summary": "This Sigma Rule detects when an office application (such as Word, Excel, PowerPoint, or Outlook) is communicating with target systems over uncommon ports. It specifies the selection criteria for the specific applications and includes filters for common ports and Outlook-related ports. The rule also provides guidance on handling false positives and indicates a medium level of severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml": {
        "filename": "rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml",
        "creation_Date": "2024-08-07T18:02:10.081231",
        "modification_Date": "2024-08-07T18:03:00.445075",
        "lastUpdate_Date": "2024-08-07T18:03:00.445079",
        "sigmaRule": "title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock\nid: 846c7a87-8e14-4569-9d49-ecfd4276a01c\nrelated:\n    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e\n      type: similar\nstatus: experimental\ndescription: |\n    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\n    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\nreferences:\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/26\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Add-ADDBSidHistory'\n            - 'Add-ADNgcKey'\n            - 'Add-ADReplNgcKey'\n            - 'ConvertFrom-ADManagedPasswordBlob'\n            - 'ConvertFrom-GPPrefPassword'\n            - 'ConvertFrom-ManagedPasswordBlob'\n            - 'ConvertFrom-UnattendXmlPassword'\n            - 'ConvertFrom-UnicodePassword'\n            - 'ConvertTo-AADHash'\n            - 'ConvertTo-GPPrefPassword'\n            - 'ConvertTo-KerberosKey'\n            - 'ConvertTo-LMHash'\n            - 'ConvertTo-MsoPasswordHash'\n            - 'ConvertTo-NTHash'\n            - 'ConvertTo-OrgIdHash'\n            - 'ConvertTo-UnicodePassword'\n            - 'Disable-ADDBAccount'\n            - 'Enable-ADDBAccount'\n            - 'Get-ADDBAccount'\n            - 'Get-ADDBBackupKey'\n            - 'Get-ADDBDomainController'\n            - 'Get-ADDBGroupManagedServiceAccount'\n            - 'Get-ADDBKdsRootKey'\n            - 'Get-ADDBSchemaAttribute'\n            - 'Get-ADDBServiceAccount'\n            - 'Get-ADDefaultPasswordPolicy'\n            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'\n            - 'Get-ADPasswordPolicy'\n            - 'Get-ADReplAccount'\n            - 'Get-ADReplBackupKey'\n            - 'Get-ADReplicationAccount'\n            - 'Get-ADSIAccount'\n            - 'Get-AzureADUserEx'\n            - 'Get-BootKey'\n            - 'Get-KeyCredential'\n            - 'Get-LsaBackupKey'\n            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'\n            - 'Get-SamPasswordPolicy'\n            - 'Get-SysKey'\n            - 'Get-SystemKey'\n            - 'New-ADDBRestoreFromMediaScript'\n            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'\n            - 'New-ADNgcKey'\n            - 'New-NTHashSet'\n            - 'Remove-ADDBObject'\n            - 'Save-DPAPIBlob'\n            - 'Set-ADAccountPasswordHash'\n            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'\n            - 'Set-ADDBBootKey'\n            - 'Set-ADDBDomainController'\n            - 'Set-ADDBPrimaryGroup'\n            - 'Set-ADDBSysKey'\n            - 'Set-AzureADUserEx'\n            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'\n            - 'Set-SamAccountPasswordHash'\n            - 'Set-WinUserPasswordHash'\n            - 'Test-ADDBPasswordQuality'\n            - 'Test-ADPasswordQuality'\n            - 'Test-ADReplPasswordQuality'\n            - 'Test-PasswordQuality'\n            - 'Unlock-ADDBAccount'\n            - 'Write-ADNgcKey'\n            - 'Write-ADReplNgcKey'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of DSInternals for administration or audit purpose.\nlevel: high\n",
        "summary": "This Sigma rule detects the execution and usage of the DSInternals PowerShell module, which can be used for suspicious activities such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The rule looks for specific PowerShell cmdlets related to DSInternals in script blocks, with the requirement that Script Block Logging must be enabled. It is important to note that legitimate usage of DSInternals for administration or audit purposes may also trigger this rule.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml": {
        "filename": "rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml",
        "creation_Date": "2024-08-07T18:02:11.362666",
        "modification_Date": "2024-08-07T18:03:00.445120",
        "lastUpdate_Date": "2024-08-07T18:03:00.445123",
        "sigmaRule": "file does not exist",
        "summary": "The Sigma Rule states that if a file does not exist, it will trigger an alert or notification.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_7zip_password_extraction.yml",
        "creation_Date": "2024-08-07T18:02:11.990133",
        "modification_Date": "2024-08-07T18:03:00.445160",
        "lastUpdate_Date": "2024-08-07T18:03:00.445164",
        "sigmaRule": "file does not exist",
        "summary": "If the file being referenced does not exist, Sigma rule will not be applicable or executed.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml",
        "creation_Date": "2024-08-07T18:02:12.932764",
        "modification_Date": "2024-08-07T18:03:00.446349",
        "lastUpdate_Date": "2024-08-07T18:03:00.446354",
        "sigmaRule": "title: Permission Misconfiguration Reconnaissance Via Findstr.EXE\nid: 47e4bab7-c626-47dc-967b-255608c9a920\nstatus: experimental\ndescription: |\n    Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\n    This was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.\nreferences:\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/12\nmodified: 2023/11/11\ntags:\n    - attack.credential_access\n    - attack.t1552.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_findstr_cli:\n        CommandLine|contains:\n            - '\"Everyone\"'\n            - \"'Everyone'\"\n            - '\"BUILTIN\\\\\"'\n            - \"'BUILTIN\\\\'\"\n    selection_special:\n        CommandLine|contains|all:\n            # Example CLI would be: icacls \"C:\\Program Files\\*\" 2>nul | findstr \"(M)\" | findstr \"Everyone\"\n            # You could extend it for other groups and users\n            #   Example: icacls \"C:\\Program Files\\*\" 2>nul | findstr \"(M)\" | findstr \"BUILTIN\\Users\"\n            # Note: This selection only detects the command when executed from a handler such as a \"cmd /c\" or \"powershell -c\"\n            - 'icacls '\n            - 'findstr '\n            - 'Everyone'\n    condition: all of selection_findstr_* or selection_special\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects the usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords, which is often used to identify misconfigured file or folder permissions. It includes specific command line selections and conditions to identify this behavior in the Windows process creation logs. The rule was authored by Nasreddine Bencherchali and is tagged for attack.credential_access and attack.t1552.006.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml",
        "creation_Date": "2024-08-07T18:02:14.287739",
        "modification_Date": "2024-08-07T18:03:00.446632",
        "lastUpdate_Date": "2024-08-07T18:03:00.446637",
        "sigmaRule": "title: Recon Command Output Piped To Findstr.EXE\nid: ccb5742c-c248-4982-8c5c-5571b9275ad3\nrelated:\n    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the execution of a potential recon command where the results are piped to \"findstr\". This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\n    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist\n    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf\n    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023/07/06\nmodified: 2024/06/27\ntags:\n    - attack.discovery\n    - attack.t1057\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # Note: Add additional CLI to increase and enhance coverage\n            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.\n            - 'ipconfig*|*find'\n            - 'net*|*find'\n            - 'netstat*|*find'\n            - 'ping*|*find'\n            - 'systeminfo*|*find'\n            - 'tasklist*|*find'\n            - 'whoami*|*find'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects the execution of a reconnaissance command where the output is piped to \"findstr\" in Windows. This technique is commonly used by attackers during the reconnaissance phase to extract specific information. The rule provides several examples of commands that may indicate this behavior, such as \"ipconfig | find\" or \"tasklist | find.\" The rule's detection criteria focus on the command line containing specific commands followed by a pipe and \"find.\" The rule is considered experimental and has a medium level of severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_finger_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_finger_execution.yml",
        "creation_Date": "2024-08-07T18:02:15.650728",
        "modification_Date": "2024-08-07T18:03:00.447216",
        "lastUpdate_Date": "2024-08-07T18:03:00.447220",
        "sigmaRule": "title: Finger.EXE Execution\nid: af491bca-e752-4b44-9c86-df5680533dbc\nstatus: test\ndescription: |\n    Detects execution of the \"finger.exe\" utility.\n    Finger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\n    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.\nreferences:\n    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12\n    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/\n    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt\nauthor: Florian Roth (Nextron Systems), omkar72, oscd.community\ndate: 2021/02/24\nmodified: 2024/06/27\ntags:\n    - attack.command_and_control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'finger.exe'\n        - Image|endswith: '\\finger.exe'\n    condition: selection\nfalsepositives:\n    - Admin activity (unclear what they do nowadays with finger.exe)\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution of the \"finger.exe\" utility, which is an old utility still present on modern Windows installations. The utility is used to display information about users on a specified remote computer running the finger service. Any execution of \"finger.exe\" is considered suspicious and worth investigating due to its old nature and the rarity of machines with the finger service. The rule provides references for further information and specifies that the detection applies to Windows process creation events. There may be false positives related to admin activity using finger.exe.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_finger_usage.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_finger_usage.yml",
        "creation_Date": "2024-08-07T18:02:17.360601",
        "modification_Date": "2024-08-07T18:03:00.447257",
        "lastUpdate_Date": "2024-08-07T18:03:00.447261",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, check the specified location or verify the file name to ensure it is in the correct location.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml",
        "creation_Date": "2024-08-07T18:02:18.274658",
        "modification_Date": "2024-08-07T18:03:00.447905",
        "lastUpdate_Date": "2024-08-07T18:03:00.447908",
        "sigmaRule": "title: HackTool - RemoteKrbRelay Execution\nid: a7664b14-75fb-4a50-a223-cb9bc0afbacf\nstatus: experimental\ndescription: |\n    Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.\nreferences:\n    - https://github.com/CICADA8-Research/RemoteKrbRelay\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/27\ntags:\n    - attack.credential_access\n    - attack.t1558.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\RemoteKrbRelay.exe'\n        - OriginalFileName: 'RemoteKrbRelay.exe'\n    selection_cli_required:\n        CommandLine|contains|all:\n            - ' -clsid '\n            - ' -target '\n            - ' -victim '\n    # selection_cli_attacks:\n    #     # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by \"selection_cli_required\"\n    #     CommandLine|contains:\n    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate\n    #         - '-laps ' # relay to LDAP and extract LAPS passwords\n    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user\n    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials\n    selection_cli_attack_smb:\n        CommandLine|contains|all:\n            - '-smb ' # relay to SMB\n            - '--smbkeyword '\n        CommandLine|contains:\n            - 'interactive'\n            - 'secrets'\n            - 'service-add'\n    selection_cli_attack_rbcd_main:\n        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD\n    selection_cli_attack_rbcd_options:\n        CommandLine|contains:\n            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity\n            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity\n    selection_cli_attack_changepass:\n        CommandLine|contains: '-chp ' # relay to LDAP and change user password\n        CommandLine|contains|all:\n            - '-chpPass ' # new password\n            - '-chpUser ' # the name of the user whose password you want to change\n    selection_cli_attack_addgrpname:\n        CommandLine|contains|all:\n            - '-addgroupmember ' # relay to LDAP and add user to group\n            - '-group '\n            - '-groupuser '\n    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the use of the RemoteKrbRelay tool, a Kerberos relaying tool, by looking for specific CommandLine flags and PE metadata in the Windows process creation. The rule includes various detection criteria for different attack scenarios involving RemoteKrbRelay, such as relaying to SMB, setting up RBCD, changing user passwords, and adding users to groups. The rule has a high level of certainty and potential false positives are unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml",
        "creation_Date": "2024-08-07T18:02:19.546536",
        "modification_Date": "2024-08-07T18:03:00.448327",
        "lastUpdate_Date": "2024-08-07T18:03:00.448332",
        "sigmaRule": "title: HackTool - SharpDPAPI Execution\nid: c7d33b50-f690-4b51-8cfb-0fb912a31e57\nstatus: experimental\ndescription: |\n    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\n    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.\nreferences:\n    - https://github.com/GhostPack/SharpDPAPI\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/06/26\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1134.001\n    - attack.t1134.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharpDPAPI.exe'\n        - OriginalFileName: 'SharpDPAPI.exe'\n    selection_other_cli:\n        CommandLine|contains:\n            - ' backupkey '\n            - ' blob '\n            - ' certificates '\n            - ' credentials '\n            - ' keepass '\n            - ' masterkeys '\n            - ' rdg '\n            - ' vaults '\n    selection_other_options_guid:\n        CommandLine|contains|all:\n            - ' {'\n            - '}:'\n    selection_other_options_flags:\n        CommandLine|contains:\n            - ' /file:'\n            - ' /machine'\n            - ' /mkfile:'\n            - ' /password:'\n            - ' /pvk:'\n            - ' /server:'\n            - ' /target:'\n            - ' /unprotect'\n    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects the execution of the SharpDPAPI tool on a Windows system based on specific command line flags and PE metadata. SharpDPAPI is a C# tool that mimics DPAPI functionality from the Mimikatz project. The rule looks for instances where the tool is executed with certain command line arguments and options. The rule has a high level of confidence in detecting this activity, with no known false positives at this time.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml",
        "creation_Date": "2024-08-07T18:02:20.790604",
        "modification_Date": "2024-08-07T18:03:00.448869",
        "lastUpdate_Date": "2024-08-07T18:03:00.448873",
        "sigmaRule": "title: Uncommon Link.EXE Parent Process\nid: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6\nstatus: test\ndescription: |\n    Detects an uncommon parent process of \"LINK.EXE\".\n    Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.\n    Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the \"LINK.EXE\" binary without checking its validity.\n    This would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools get executed from a different location.\n    By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.\nreferences:\n    - https://twitter.com/0gtweet/status/1560732860935729152\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/22\nmodified: 2024/06/27\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\link.exe'\n        CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc\n    # Add other filters for other legitimate locations\n    filter_main_visual_studio:\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n        ParentImage|contains:\n            - '\\VC\\bin\\'\n            - '\\VC\\Tools\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects an uncommon parent process of \"LINK.EXE\", a utility often bundled with Visual Studio installations. It looks for cases where other utilities call \"LINK.EXE\" without checking its validity, potentially allowing an attacker to sideload a malicious binary. By filtering known locations of such utilities, suspicious or malicious processes using \"LINK.EXE\" can be identified.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_lolbin_setres.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_lolbin_setres.yml",
        "creation_Date": "2024-08-07T18:02:22.143320",
        "modification_Date": "2024-08-07T18:03:00.448913",
        "lastUpdate_Date": "2024-08-07T18:03:00.448920",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, an error will be generated.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml",
        "creation_Date": "2024-08-07T18:02:22.695841",
        "modification_Date": "2024-08-07T18:03:00.448959",
        "lastUpdate_Date": "2024-08-07T18:03:00.448963",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, it means that the specified file is not present on the system or at the specified location.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml",
        "creation_Date": "2024-08-07T18:02:23.380976",
        "modification_Date": "2024-08-07T18:03:00.449599",
        "lastUpdate_Date": "2024-08-07T18:03:00.449603",
        "sigmaRule": "title: DSInternals Suspicious PowerShell Cmdlets\nid: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e\nrelated:\n    - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c\n      type: similar\nstatus: experimental\ndescription: |\n    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\n    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\nreferences:\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1\nauthor: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri\ndate: 2024/06/26\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Add-ADDBSidHistory'\n            - 'Add-ADNgcKey'\n            - 'Add-ADReplNgcKey'\n            - 'ConvertFrom-ADManagedPasswordBlob'\n            - 'ConvertFrom-GPPrefPassword'\n            - 'ConvertFrom-ManagedPasswordBlob'\n            - 'ConvertFrom-UnattendXmlPassword'\n            - 'ConvertFrom-UnicodePassword'\n            - 'ConvertTo-AADHash'\n            - 'ConvertTo-GPPrefPassword'\n            - 'ConvertTo-KerberosKey'\n            - 'ConvertTo-LMHash'\n            - 'ConvertTo-MsoPasswordHash'\n            - 'ConvertTo-NTHash'\n            - 'ConvertTo-OrgIdHash'\n            - 'ConvertTo-UnicodePassword'\n            - 'Disable-ADDBAccount'\n            - 'Enable-ADDBAccount'\n            - 'Get-ADDBAccount'\n            - 'Get-ADDBBackupKey'\n            - 'Get-ADDBDomainController'\n            - 'Get-ADDBGroupManagedServiceAccount'\n            - 'Get-ADDBKdsRootKey'\n            - 'Get-ADDBSchemaAttribute'\n            - 'Get-ADDBServiceAccount'\n            - 'Get-ADDefaultPasswordPolicy'\n            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'\n            - 'Get-ADPasswordPolicy'\n            - 'Get-ADReplAccount'\n            - 'Get-ADReplBackupKey'\n            - 'Get-ADReplicationAccount'\n            - 'Get-ADSIAccount'\n            - 'Get-AzureADUserEx'\n            - 'Get-BootKey'\n            - 'Get-KeyCredential'\n            - 'Get-LsaBackupKey'\n            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'\n            - 'Get-SamPasswordPolicy'\n            - 'Get-SysKey'\n            - 'Get-SystemKey'\n            - 'New-ADDBRestoreFromMediaScript'\n            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'\n            - 'New-ADNgcKey'\n            - 'New-NTHashSet'\n            - 'Remove-ADDBObject'\n            - 'Save-DPAPIBlob'\n            - 'Set-ADAccountPasswordHash'\n            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'\n            - 'Set-ADDBBootKey'\n            - 'Set-ADDBDomainController'\n            - 'Set-ADDBPrimaryGroup'\n            - 'Set-ADDBSysKey'\n            - 'Set-AzureADUserEx'\n            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'\n            - 'Set-SamAccountPasswordHash'\n            - 'Set-WinUserPasswordHash'\n            - 'Test-ADDBPasswordQuality'\n            - 'Test-ADPasswordQuality'\n            - 'Test-ADReplPasswordQuality'\n            - 'Test-PasswordQuality'\n            - 'Unlock-ADDBAccount'\n            - 'Write-ADNgcKey'\n            - 'Write-ADReplNgcKey'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of DSInternals for administration or audit purpose.\nlevel: high\n",
        "summary": "This Sigma Rule detects the execution and usage of the DSInternals PowerShell module, which can be used for potentially suspicious activities such as dumping DPAPI backup keys or manipulating NTDS.DIT files. It includes a list of specific PowerShell cmdlets related to DSInternals that are monitored for potential abuse. The rule acknowledges that legitimate usage of DSInternals for administration or auditing purposes may trigger false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml",
        "creation_Date": "2024-08-07T18:02:24.664007",
        "modification_Date": "2024-08-07T18:03:00.449639",
        "lastUpdate_Date": "2024-08-07T18:03:00.449642",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, do not proceed with the action or operation that requires the file.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_renamed_msteams.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_renamed_msteams.yml",
        "creation_Date": "2024-08-07T18:02:25.311312",
        "modification_Date": "2024-08-07T18:03:00.450201",
        "lastUpdate_Date": "2024-08-07T18:03:00.450205",
        "sigmaRule": "title: Renamed Microsoft Teams Execution\nid: 88f46b67-14d4-4f45-ac2c-d66984f22191\nstatus: experimental\ndescription: Detects the execution of a renamed Microsoft Teams binary.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/12\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - 'msteams.exe'\n            - 'teams.exe'\n    filter_main_legit_names:\n        Image|endswith:\n            - '\\msteams.exe'\n            - '\\teams.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma Rule detects the execution of a renamed Microsoft Teams binary by searching for specific original file names such as 'msteams.exe' or 'teams.exe'. It is currently in an experimental status and has a medium level of severity. The rule was authored by Nasreddine Bencherchali and references internal research.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml",
        "creation_Date": "2024-08-07T18:02:26.733290",
        "modification_Date": "2024-08-07T18:03:00.450245",
        "lastUpdate_Date": "2024-08-07T18:03:00.450249",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, the Sigma Rule triggers.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml",
        "creation_Date": "2024-08-07T18:02:27.620063",
        "modification_Date": "2024-08-07T18:03:00.450926",
        "lastUpdate_Date": "2024-08-07T18:03:00.450930",
        "sigmaRule": "title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE\nid: 18ee686c-38a3-4f65-9f44-48a077141f42\nrelated:\n    - id: 517490a7-115a-48c6-8862-1a481504d5a8\n      type: derived\nstatus: test\ndescription: |\n    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\n    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023/08/01\nmodified: 2024/01/10\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1546.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\sdbinst.exe'\n        - OriginalFileName: 'sdbinst.exe'\n    filter_main_legit_ext:\n        CommandLine|contains: '.sdb'\n    filter_main_legit_extensions:\n        # ParentImage|endswith: ':\\Windows\\System32\\svchost.exe'\n        - CommandLine|endswith:\n              - ' -c'\n              - ' -f'\n              - ' -mm'\n              - ' -t'\n        - CommandLine|contains: ' -m -bg'\n    filter_main_null:\n        CommandLine: null\n    filter_main_empty:\n        CommandLine: ''\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects the installation of a potentially suspicious new shim with an uncommon extension using the sdbinst.exe tool on Windows systems. Adversaries may use this technique to establish persistence and/or elevate privileges. The rule includes filters to reduce false positives and provides references for further reading on the topic.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml",
        "creation_Date": "2024-08-07T18:02:28.679464",
        "modification_Date": "2024-08-07T18:03:00.451366",
        "lastUpdate_Date": "2024-08-07T18:03:00.451370",
        "sigmaRule": "title: Uncommon Child Process Of Setres.EXE\nid: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7\nstatus: test\ndescription: |\n    Detects uncommon child process of Setres.EXE.\n    Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\n    It can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Setres/\n    - https://twitter.com/0gtweet/status/1583356502340870144\n    - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)\nauthor: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2022/12/11\nmodified: 2024/06/26\ntags:\n    - attack.defense_evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\setres.exe'\n        Image|contains: '\\choice'\n    filter_main_legit_location:\n        Image|endswith:\n            - 'C:\\Windows\\System32\\choice.exe'\n            - 'C:\\Windows\\SysWOW64\\choice.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects uncommon child processes of Setres.EXE, a Windows server-specific process used to set the screen resolution. It focuses on identifying any arbitrary file with \"choice\" in its name being launched from the current execution path, as this could potentially be an abuse of Setres.EXE. The rule includes references and was authored by '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'. It has a high level of detection and the false positive rate is deemed unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml",
        "creation_Date": "2024-08-07T18:02:30.161452",
        "modification_Date": "2024-08-07T18:03:00.452035",
        "lastUpdate_Date": "2024-08-07T18:03:00.452039",
        "sigmaRule": "title: Suspicious Electron Application Child Processes\nid: f26eb764-fd89-464b-85e2-dc4a8e6e77b8\nrelated:\n    - id: 378a05d8-963c-46c9-bcce-13c7657eac99\n      type: similar\nstatus: test\ndescription: |\n    Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\nreferences:\n    - https://taggart-tech.com/quasar-electron/\n    - https://github.com/mttaggart/quasar\n    - https://positive.security/blog/ms-officecmd-rce\n    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/\n    - https://lolbas-project.github.io/lolbas/Binaries/Teams/\n    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/\n    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/21\nmodified: 2024/07/12\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            # Add more electron based app to the list\n            - '\\chrome.exe' # Might require additional tuning\n            - '\\discord.exe'\n            - '\\GitHubDesktop.exe'\n            - '\\keybase.exe'\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n            - '\\msteams.exe'\n            - '\\slack.exe'\n            - '\\teams.exe'\n            # - '\\code.exe' # Prone to a lot of FPs. Requires an additional baseline\n    selection_child_image:\n        Image|endswith:\n            # Add more suspicious/unexpected paths\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\whoami.exe'\n            - '\\wscript.exe'\n    selection_child_paths:\n        Image|contains:\n            # Add more suspicious/unexpected paths\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    filter_optional_discord:\n        ParentImage|endswith: '\\Discord.exe'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: '\\NVSMI\\nvidia-smi.exe'\n    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\n# Increase the level once FP rate is reduced (see status)\nlevel: medium\n",
        "summary": "This Sigma rule detects suspicious child processes of Electron-based applications like Teams, Discord, Slack, etc. It may indicate tampering with \".asar\" files or binary execution proxy through specific CLI arguments. The rule looks for specific parent and child processes, as well as certain paths, to identify potentially malicious activity. There is an optional filter for Discord and Nvidia-related commands to reduce false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml",
        "creation_Date": "2024-08-07T18:02:32.874628",
        "modification_Date": "2024-08-07T18:03:00.452120",
        "lastUpdate_Date": "2024-08-07T18:03:00.452123",
        "sigmaRule": "title: ETW Logging Tamper In .NET Processes Via CommandLine\nid: 41421f44-58f9-455d-838a-c398859841d4\nstatus: test\ndescription: |\n    Detects changes to environment variables related to ETW logging via the CommandLine.\n    This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.\nreferences:\n    - https://twitter.com/_xpn_/status/1268712093928378368\n    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr\n    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables\n    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38\n    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39\n    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_\n    - https://bunnyinside.com/?term=f71e8cb9c76a\n    - http://managed670.rssing.com/chan-5590147/all_p1.html\n    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code\n    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020/05/02\nmodified: 2022/12/09\ntags:\n    - attack.defense_evasion\n    - attack.t1562\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'COMPlus_ETWEnabled'\n            - 'COMPlus_ETWFlags'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects changes to environment variables related to ETW logging in .NET processes via the CommandLine, which could indicate potential adversaries stopping ETW providers from recording loaded .NET assemblies. It has a high level of detection and potential false positives are unlikely.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml",
        "creation_Date": "2024-08-07T18:02:33.850664",
        "modification_Date": "2024-08-07T18:03:00.452196",
        "lastUpdate_Date": "2024-08-07T18:03:00.452199",
        "sigmaRule": "title: ETW Trace Evasion Activity\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\nstatus: test\ndescription: |\n    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n    - https://abuse.io/lockergoga.txt\n    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\nauthor: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'\ndate: 2019/03/22\nmodified: 2022/06/28\ntags:\n    - attack.defense_evasion\n    - attack.t1070\n    - attack.t1562.006\n    - car.2016-04-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_clear_1:\n        CommandLine|contains|all:\n            - 'cl'\n            - '/Trace'\n    selection_clear_2:\n        CommandLine|contains|all:\n            - 'clear-log'\n            - '/Trace'\n    selection_disable_1:\n        CommandLine|contains|all:\n            - 'sl'\n            - '/e:false'\n    selection_disable_2:\n        CommandLine|contains|all:\n            - 'set-log'\n            - '/e:false'\n    selection_disable_3:   # ETW provider removal from a trace session\n        CommandLine|contains|all:\n            - 'logman'\n            - 'update'\n            - 'trace'\n            - '--p'\n            - '-ets'\n    selection_pwsh_remove:   # Autologger provider removal\n        CommandLine|contains: 'Remove-EtwTraceProvider'\n    selection_pwsh_set:   # Provider \u201cEnable\u201d property modification\n        CommandLine|contains|all:\n            - 'Set-EtwTraceProvider'\n            - '0x11'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects command line activities that attempt to clear or disable ETW trace logs, which could indicate logging evasion. It includes specific command line patterns related to clearing and disabling ETW trace logs, as well as PowerShell commands for ETW provider removal. The rule's conditions are met if any of the specified patterns are found in the command line activity. The rule has a high detection level and no known false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml",
        "creation_Date": "2024-08-07T18:02:35.373940",
        "modification_Date": "2024-08-07T18:03:00.452268",
        "lastUpdate_Date": "2024-08-07T18:03:00.452271",
        "sigmaRule": "title: Suspicious Eventlog Clearing or Configuration Change Activity\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\nstatus: stable\ndescription: |\n    Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\n    This technique were seen used by threat actors and ransomware strains in order to evade defenses.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee\n    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105\ndate: 2019/09/26\nmodified: 2023/07/13\ntags:\n    - attack.defense_evasion\n    - attack.t1070.001\n    - attack.t1562.002\n    - car.2016-04-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wevtutil:\n        Image|endswith: '\\wevtutil.exe'\n        CommandLine|contains:\n            - 'clear-log '          # clears specified log\n            - ' cl '                # short version of 'clear-log'\n            - 'set-log '            # modifies config of specified log. could be uset to set it to a tiny size\n            - ' sl '                # short version of 'set-log'\n            - 'lfn:'                # change log file location and name\n    selection_other_ps:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'Clear-EventLog '\n            - 'Remove-EventLog '\n            - 'Limit-EventLog '\n            - 'Clear-WinEvent '\n    selection_other_wmi:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wmic.exe'\n        CommandLine|contains: 'ClearEventLog'\n    filter_msiexec:\n        # Example seen during office update/installation:\n        #   ParentImage: C:\\Windows\\SysWOW64\\msiexec.exe\n        #   CommandLine: \"C:\\WINDOWS\\system32\\wevtutil.exe\" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false\n        ParentImage:\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n        CommandLine|contains: ' sl '\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Admin activity\n    - Scripts and administrative tools used in the monitored environment\n    - Maintenance activity\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious activity related to the clearing or configuration tampering of EventLog on Windows systems using utilities such as \"wevtutil\", \"powershell\", and \"wmic\". Threat actors and ransomware strains have been known to use this technique to evade defenses. The rule provides specific criteria for detecting such activity, including monitoring process creation events and filtering out known legitimate activities. The rule has a high detection level and potential false positives include admin activity, scripts, administrative tools, and maintenance activity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml",
        "creation_Date": "2024-08-07T18:02:39.040566",
        "modification_Date": "2024-08-07T18:03:00.452345",
        "lastUpdate_Date": "2024-08-07T18:03:00.452348",
        "sigmaRule": "title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities\nid: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf\nrelated:\n    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f\n      type: derived\nstatus: experimental\ndescription: |\n    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\n    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\n    - https://www.group-ib.com/blog/apt41-world-tour-2021/\n    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1\n    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2022/09/09\nmodified: 2024/07/12\ntags:\n    - attack.credential_access\n    - attack.discovery\n    - attack.t1552\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wmi:\n        CommandLine|contains|all:\n            - 'Select'\n            - 'Win32_NTLogEvent'\n    selection_wevtutil_img:\n        - Image|endswith: '\\wevtutil.exe'\n        - OriginalFileName: 'wevtutil.exe'\n    selection_wevtutil_cli:\n        CommandLine|contains:\n            - ' qe '\n            - ' query-events '\n    selection_wmic_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_wmic_cli:\n        CommandLine|contains: ' ntevent'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Get-WinEvent '\n            - 'get-eventlog '\n    selection_logs_name:\n        CommandLine|contains:\n            # Note: Add more event log channels that are interesting for attackers\n            - 'Microsoft-Windows-PowerShell'\n            - 'Microsoft-Windows-Security-Auditing'\n            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'\n            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'\n            - 'Microsoft-Windows-Windows Defender'\n            - 'PowerShellCore'\n            - 'Security'\n            - 'Windows PowerShell'\n    selection_logs_eid:\n        CommandLine|contains:\n            # Note: We use the \"?\" to account for both a single and a double quote\n            # Note: Please add additional interesting event IDs\n            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.\n            # This covers EID 4624 from Security Log\n            - '-InstanceId 4624'\n            - 'System[EventID=4624]'\n            - 'EventCode=?4624?'\n            - \"EventIdentifier=?4624?\"\n            # This covers EID 4778 from Security Log\n            - '-InstanceId 4778'\n            - 'System[EventID=4778]'\n            - 'EventCode=?4778?'\n            - \"EventIdentifier=?4778?\"\n            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log\n            - '-InstanceId 25'\n            - 'System[EventID=25]'\n            - 'EventCode=?25?'\n            - \"EventIdentifier=?25?\"\n    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)\nfalsepositives:\n    - Legitimate usage of the utility by administrators to query the event log\nlevel: medium\n",
        "summary": "This Sigma rule detects potentially suspicious activity involving the execution of log query utilities and commands to extract sensitive information from event logs. Threat actors use this technique to search for specific event IDs and extract information such as usernames, IP addresses, and hostnames. The rule provides a set of detection criteria based on different log query utilities and log names and event IDs. It includes references to known threat actor techniques and legitimate usage scenarios to avoid false positives.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml",
        "creation_Date": "2024-08-07T18:02:40.933419",
        "modification_Date": "2024-08-07T18:03:00.452391",
        "lastUpdate_Date": "2024-08-07T18:03:00.452395",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, a Sigma Rule is triggered, indicating that the specified file is not present on the system.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml",
        "creation_Date": "2024-08-07T18:02:41.651102",
        "modification_Date": "2024-08-07T18:03:00.452466",
        "lastUpdate_Date": "2024-08-07T18:03:00.452469",
        "sigmaRule": "title: Potentially Suspicious Execution From Parent Process In Public Folder\nid: 69bd9b97-2be2-41b6-9816-fb08757a4d1a\nstatus: test\ndescription: |\n    Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines.\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/02/25\nmodified: 2024/07/12\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1564\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains: ':\\Users\\Public\\'\n    selection_child:\n        - Image|endswith:\n              - '\\bitsadmin.exe'\n              - '\\certutil.exe'\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - CommandLine|contains:\n              - 'bitsadmin'\n              - 'certutil'\n              - 'cscript'\n              - 'mshta'\n              - 'powershell'\n              - 'regsvr32'\n              - 'rundll32'\n              - 'wscript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects potentially suspicious executions of parent processes located in the \"\\Users\\Public\" folder. It looks for child processes containing references to shell or scripting binaries and command lines. The rule provides specific selection criteria for both parent and child processes to identify potential malicious activity. The detection level is classified as high, and false positives are listed as unknown.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_execution_path.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_execution_path.yml",
        "creation_Date": "2024-08-07T18:02:43.185009",
        "modification_Date": "2024-08-07T18:03:00.452537",
        "lastUpdate_Date": "2024-08-07T18:03:00.452542",
        "sigmaRule": "title: Process Execution From A Potentially Suspicious Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: test\ndescription: Detects a potentially suspicious execution from an uncommon folder.\nreferences:\n    - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt\n    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2019/01/16\nmodified: 2024/07/12\ntags:\n    - attack.defense_evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\All Users\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\NetworkService\\'\n            - ':\\Windows\\addins\\'\n            - ':\\Windows\\debug\\'\n            - ':\\Windows\\Fonts\\'\n            - ':\\Windows\\Help\\'\n            - ':\\Windows\\IME\\'\n            - ':\\Windows\\Media\\'\n            - ':\\Windows\\repair\\'\n            - ':\\Windows\\security\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - '$Recycle.bin'\n            - '\\config\\systemprofile\\'\n            - '\\Intel\\Logs\\'\n            - '\\RSA\\MachineKeys\\'\n    filter_optional_ibm:\n        Image|startswith: 'C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\'\n    filter_optional_citrix:\n        Image|startswith: 'C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\'\n        Image|endswith: '\\CitrixReceiverUpdater.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects potentially suspicious process execution from uncommon folders on a Windows system. It looks for processes executed from folders such as Perflogs, Users\\All Users, Windows\\System32\\Tasks, and others. The rule includes optional filters for IBM and Citrix processes to reduce false positives. The detection criteria involve processes executed from specified folders that do not match the filter conditions for IBM or Citrix processes.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml",
        "creation_Date": "2024-08-07T18:02:44.782831",
        "modification_Date": "2024-08-07T18:03:00.452621",
        "lastUpdate_Date": "2024-08-07T18:03:00.452624",
        "sigmaRule": "title: Suspicious Process Execution From Fake Recycle.Bin Folder\nid: 5ce0f04e-3efc-42af-839d-5b3a543b76c0\nrelated:\n    - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca\n      type: derived\nstatus: experimental\ndescription: Detects process execution from a fake recycle bin folder, often used to avoid security solution.\nreferences:\n    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets\n    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\nauthor: X__Junior (Nextron Systems)\ndate: 2023/07/12\nmodified: 2023/12/11\ntags:\n    - attack.persistence\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            # e.g. C:\\$RECYCLER.BIN\n            - 'RECYCLERS.BIN\\'\n            - 'RECYCLER.BIN\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma rule detects suspicious process execution from a fake recycle bin folder, which is often used to avoid security solutions. The rule looks for processes executed from folders with names similar to \"$RECYCLER.BIN\" and \"$RECYCLER.BIN\\\" on Windows systems. The detection level is high, and false positives are considered unlikely. The rule was authored by X__Junior from Nextron Systems and is still in the experimental stage.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_add/registry_add_malware_ursnif.yml": {
        "filename": "rules/windows/registry/registry_add/registry_add_malware_ursnif.yml",
        "creation_Date": "2024-08-07T18:02:46.928648",
        "modification_Date": "2024-08-07T18:03:00.472869",
        "lastUpdate_Date": "2024-08-07T18:03:00.472872",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, the Sigma Rule alerts the user or administrator to this issue.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules/windows/registry/registry_event/registry_event_apt_leviathan.yml": {
        "filename": "rules/windows/registry/registry_event/registry_event_apt_leviathan.yml",
        "creation_Date": "2024-08-07T18:02:47.934626",
        "modification_Date": "2024-08-07T18:03:00.472900",
        "lastUpdate_Date": "2024-08-07T18:03:00.472904",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, the Sigma Rule is triggered.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml": {
        "filename": "rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml",
        "creation_Date": "2024-08-07T18:02:48.561825",
        "modification_Date": "2024-08-07T18:03:00.472933",
        "lastUpdate_Date": "2024-08-07T18:03:00.472936",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, it means that the specified file cannot be found in the specified location.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml": {
        "filename": "rules/windows/registry/registry_event/registry_event_apt_oilrig_mar18.yml",
        "creation_Date": "2024-08-07T18:02:49.163939",
        "modification_Date": "2024-08-07T18:03:00.472963",
        "lastUpdate_Date": "2024-08-07T18:03:00.472966",
        "sigmaRule": "file does not exist",
        "summary": "If the specified file does not exist, it may indicate an error or issue with the file system or file path.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml",
        "creation_Date": "2024-08-07T18:02:49.842714",
        "modification_Date": "2024-08-07T18:03:00.452779",
        "lastUpdate_Date": "2024-08-07T18:03:00.452782",
        "sigmaRule": "title: Hypervisor Enforced Code Integrity Disabled\nid: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a\nstatus: experimental\ndescription: |\n    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel\nreferences:\n    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\n    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci\nauthor: Nasreddine Bencherchali (Nextron Systems), Anish Bogati\ndate: 2023/03/14\nmodified: 2024/07/05\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity'\n            - '\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity'\n            - '\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects changes to the Hypervisor Enforced Code Integrity registry key where the \"Enabled\" value is set to 0, effectively disabling the feature. This can allow attackers to load unsigned and untrusted code in the kernel. The rule is in experimental status and has a high detection level. It provides references to related articles and specifies the logsource as Windows registry_set.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml",
        "creation_Date": "2024-08-07T18:02:50.950906",
        "modification_Date": "2024-08-07T18:03:00.452853",
        "lastUpdate_Date": "2024-08-07T18:03:00.452857",
        "sigmaRule": "title: Hypervisor Enforced Paging Translation Disabled\nid: 7f2954d2-99c2-4d42-a065-ca36740f187b\nstatus: experimental\ndescription: |\n    Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value. Where the it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.\nreferences:\n    - https://twitter.com/standa_t/status/1808868985678803222\n    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/05\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\DisableHypervisorEnforcedPagingTranslation'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma rule detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value where it is set to \"1\" to disable the Hypervisor Enforced Paging Translation feature. The rule provides detection details and references for further information. The author is Nasreddine Bencherchali, and the rule is tagged with defense evasion and a specific attack technique. The rule is considered high severity.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml",
        "creation_Date": "2024-08-07T18:02:52.534928",
        "modification_Date": "2024-08-07T18:03:00.452929",
        "lastUpdate_Date": "2024-08-07T18:03:00.452933",
        "sigmaRule": "title: Periodic Backup For System Registry Hives Enabled\nid: 973ef012-8f1a-4c40-93b4-7e659a5cd17f\nstatus: experimental\ndescription: |\n    Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\n    Registry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/01\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Legitimate need for RegBack feature by administrators.\nlevel: medium\n",
        "summary": "This Sigma Rule detects the enabling of the \"EnablePeriodicBackup\" registry value, which allows the OS to backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. This behavior was default on Windows but was disabled as of Windows 10, version 1803. The rule includes references for more information and was authored by Nasreddine Bencherchali. The detection uses specific criteria in the registry_set logsource category for Windows products. The rule has a medium level of severity and may have false positives if administrators legitimately need the RegBack feature.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml",
        "creation_Date": "2024-08-07T18:02:54.307864",
        "modification_Date": "2024-08-07T18:03:00.453003",
        "lastUpdate_Date": "2024-08-07T18:03:00.453007",
        "sigmaRule": "title: COM Object Hijacking Via Modification Of Default System CLSID Default Value\nid: 790317c0-0a36-4a6a-a105-6e576bf99a14\nstatus: experimental\ndescription: Detects potential COM object hijacking via modification of default system CLSID.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024/07/16\ntags:\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_target:\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith:\n            - '\\InprocServer32\\(Default)'\n            - '\\LocalServer32\\(Default)'\n    selection_builtin_clsid:\n        TargetObject|contains:\n            # Note: Add other legitimate CLSID\n            - '\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\'\n            - '\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\'\n            - '\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\'\n            - '\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\'\n            - '\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\'\n    selection_locations:\n        Details|contains:\n            # Note: Add more suspicious paths and locations\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - '\\System32\\spool\\drivers\\color\\' # as seen in the knotweed blog\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '%appdata%'\n            - '%temp%'\n            - '%tmp%'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects potential COM object hijacking by monitoring for modifications of the default system CLSID values in the Windows registry. Specific indicators include changes to the Default value under the InprocServer32 and LocalServer32 keys within the CLSID subkey. The rule also includes known legitimate CLSID values to reduce false positives and looks for suspicious paths and locations where the hijacking may occur. False positives are deemed unlikely, and the detection level is set to high.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml",
        "creation_Date": "2024-08-07T18:02:55.731099",
        "modification_Date": "2024-08-07T18:03:00.453042",
        "lastUpdate_Date": "2024-08-07T18:03:00.453045",
        "sigmaRule": "file does not exist",
        "summary": "If a file does not exist, then it means that the specified file cannot be found or accessed.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml",
        "creation_Date": "2024-08-07T18:02:56.668628",
        "modification_Date": "2024-08-07T18:03:00.495020",
        "lastUpdate_Date": "2024-08-07T18:03:00.495026",
        "sigmaRule": "title: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a suspicious folder\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing\ndate: 2018/08/25\nmodified: 2024/07/16\ntags:\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_target:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n    selection_details:\n        - Details|contains:\n              - ':\\$Recycle.bin\\'\n              - ':\\Temp\\'\n              - ':\\Users\\Default\\'\n              - ':\\Users\\Desktop\\'\n              - ':\\Users\\Public\\'\n              - ':\\Windows\\Temp\\'\n              - '\\AppData\\Local\\Temp\\'\n              - '%temp%\\'\n              - '%tmp%\\'\n        - Details|startswith:\n              - '%Public%\\'\n              - 'wscript'\n              - 'cscript'\n    filter_main_windows_update:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n        Image|startswith: 'C:\\Windows\\SoftwareDistribution\\Download\\'\n        Details|contains|all:\n            - 'rundll32.exe '\n            - 'C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32'\n        Details|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - 'C:\\Windows\\Temp\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Software using weird folders for updates\nlevel: high\n",
        "summary": "This Sigma rule detects a suspicious new RUN key element in the Windows registry pointing to an executable file in potentially malicious folders. It provides detailed selection criteria and filters to accurately identify suspicious activity related to persistence mechanisms. The rule was last modified in July 2024 and is considered to have a high detection level.",
        "modification_count": 4,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Revert \"Update registry_set_susp_run_key_img_folder.yml\"",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes",
            "Update registry_set_susp_run_key_img_folder.yml"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml",
        "creation_Date": "2024-08-07T18:02:57.784033",
        "modification_Date": "2024-08-07T18:03:00.453172",
        "lastUpdate_Date": "2024-08-07T18:03:00.453177",
        "sigmaRule": "title: Disable Windows Defender Functionalities Via Registry Keys\nid: 0eb46774-f1ab-4a74-8238-1155855f2263\nrelated:\n    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4\n      type: obsoletes\n    - id: fd115e64-97c7-491f-951c-fc8da7e042fa\n      type: obsoletes\nstatus: test\ndescription: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry\nreferences:\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105\n    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\n    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\n    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\n    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\nauthor: AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel\ndate: 2022/08/01\nmodified: 2024/07/03\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_main:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows Defender\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\'\n    selection_dword_1:\n        TargetObject|endswith:\n            - '\\DisableAntiSpyware'\n            - '\\DisableAntiVirus'\n            - '\\Real-Time Protection\\DisableBehaviorMonitoring'\n            - '\\Real-Time Protection\\DisableIntrusionPreventionSystem'\n            - '\\Real-Time Protection\\DisableIOAVProtection'\n            - '\\Real-Time Protection\\DisableOnAccessProtection'\n            - '\\Real-Time Protection\\DisableRealtimeMonitoring'\n            - '\\Real-Time Protection\\DisableScanOnRealtimeEnable'\n            - '\\Real-Time Protection\\DisableScriptScanning'\n            - '\\Reporting\\DisableEnhancedNotifications'\n            - '\\SpyNet\\DisableBlockAtFirstSeen'\n        Details: 'DWORD (0x00000001)'\n    selection_dword_0:\n        TargetObject|endswith:\n            - '\\App and Browser protection\\DisallowExploitProtectionOverride'\n            - '\\Features\\TamperProtection'\n            - '\\MpEngine\\MpEnablePus'\n            - '\\PUAProtection'\n            - '\\Signature Update\\ForceUpdateFromMU'\n            - '\\SpyNet\\SpynetReporting'\n            - '\\SpyNet\\SubmitSamplesConsent'\n            - '\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess'\n        Details: 'DWORD (0x00000000)'\n    filter_optional_symantec:\n        Image|startswith: 'C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\'\n        Image|endswith: '\\sepWscSvc64.exe'\n    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrator actions via the Windows Defender interface\n    - Third party Antivirus\nlevel: high\n",
        "summary": "This Sigma Rule detects when attackers or tools disable Windows Defender functionalities via the Windows registry by monitoring specific registry keys related to Windows Defender settings. It includes various detection criteria for different Windows Defender functionalities being disabled and provides references for further information. The rule specifies conditions to avoid false positives, such as legitimate administrator actions via the Windows Defender interface or the use of third-party antivirus software. The detection level is high.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "tests/thor.yml": {
        "filename": "tests/thor.yml",
        "creation_Date": "2024-08-07T18:02:59.009177",
        "modification_Date": "2024-08-07T18:03:00.453255",
        "lastUpdate_Date": "2024-08-07T18:03:00.453259",
        "sigmaRule": "title: THOR\norder: 20\nbackends:\n    - thor\n# this configuration differs from other configurations and can not be used\n# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.\nlogsources:\n    # log source configurations for generic sigma rules\n    process_creation_1:\n        category: process_creation\n        product: windows\n        conditions:\n            EventID: 1\n        rewrite:\n            product: windows\n            service: sysmon\n    process_creation_2:\n        category: process_creation\n        product: windows\n        conditions:\n            EventID: 4688\n        rewrite:\n            product: windows\n            service: security\n        fieldmappings:\n            Image: NewProcessName\n            ParentImage: ParentProcessName\n    network_connection:\n        category: network_connection\n        product: windows\n        conditions:\n            EventID: 3\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_status1:\n        category: sysmon_status\n        product: windows\n        conditions:\n            EventID: 4\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_status2:\n        category: sysmon_status\n        product: windows\n        conditions:\n            EventID: 16\n        rewrite:\n            product: windows\n            service: sysmon\n    process_terminated:\n        category: process_termination\n        product: windows\n        conditions:\n            EventID: 5\n        rewrite:\n            product: windows\n            service: sysmon\n    driver_loaded:\n        category: driver_load\n        product: windows\n        conditions:\n            EventID: 6\n        rewrite:\n            product: windows\n            service: sysmon\n    image_loaded:\n        category: image_load\n        product: windows\n        conditions:\n            EventID: 7\n        rewrite:\n            product: windows\n            service: sysmon\n    create_remote_thread:\n        category: create_remote_thread\n        product: windows\n        conditions:\n            EventID: 8\n        rewrite:\n            product: windows\n            service: sysmon\n    raw_access_thread:\n        category: raw_access_thread\n        product: windows\n        conditions:\n            EventID: 9\n        rewrite:\n            product: windows\n            service: sysmon\n    process_access:\n        category: process_access\n        product: windows\n        conditions:\n            EventID: 10\n        rewrite:\n            product: windows\n            service: sysmon\n    file_creation:\n        category: file_event\n        product: windows\n        conditions:\n            EventID: 11\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event1:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 12\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event2:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 13\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event3:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 14\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_add:\n        category: registry_add\n        product: windows\n        conditions:\n            EventID: 12\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_delete:\n        category: registry_delete\n        product: windows\n        conditions:\n            EventID: 12\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_set:\n        category: registry_set\n        product: windows\n        conditions:\n            EventID: 13\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_rename:\n        category: registry_rename\n        product: windows\n        conditions:\n            EventID: 14\n        rewrite:\n            product: windows\n            service: sysmon\n    create_stream_hash:\n        category: create_stream_hash\n        product: windows\n        conditions:\n            EventID: 15\n        rewrite:\n            product: windows\n            service: sysmon\n    pipe_created1:\n        category: pipe_created\n        product: windows\n        conditions:\n            EventID: 17\n        rewrite:\n            product: windows\n            service: sysmon\n    pipe_created2:\n        category: pipe_created\n        product: windows\n        conditions:\n            EventID: 18\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event1:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 19\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event2:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 20\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event3:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 21\n        rewrite:\n            product: windows\n            service: sysmon\n    dns_query:\n        category: dns_query\n        product: windows\n        conditions:\n            EventID: 22\n        rewrite:\n            product: windows\n            service: sysmon\n    file_delete:\n        category: file_delete\n        product: windows\n        conditions:\n            EventID: 23\n        rewrite:\n            product: windows\n            service: sysmon\n    clipboard_change:\n        category: clipboard_change\n        product: windows\n        conditions:\n            EventID: 24\n        rewrite:\n            product: windows\n            service: sysmon\n    process_tampering:\n        category: process_tampering\n        product: windows\n        conditions:\n            EventID: 25\n        rewrite:\n            product: windows\n            service: sysmon\n    file_delete_detected:\n        category: file_delete_detected\n        product: windows\n        conditions:\n            EventID: 26\n        rewrite:\n            product: windows\n            service: sysmon\n    file_block_executable:\n        category: file_block_executable\n        product: windows\n        conditions:\n            EventID: 27\n        rewrite:\n            product: windows\n            service: sysmon\n    file_block_shredding:\n        category: file_block_shredding\n        product: windows\n        conditions:\n            EventID: 28\n        rewrite:\n            product: windows\n            service: sysmon\n    file_executable_detected:\n        category: file_executable_detected\n        product: windows\n        conditions:\n            EventID: 29\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_error:\n        category: sysmon_error\n        product: windows\n        conditions:\n            EventID: 255\n        rewrite:\n            product: windows\n            service: sysmon\n    # PowerShell Operational\n    ps_module:\n        category: ps_module\n        product: windows\n        conditions:\n            EventID: 4103\n        rewrite:\n            product: windows\n            service: powershell\n    ps_script:\n        category: ps_script\n        product: windows\n        conditions:\n            EventID: 4104\n        rewrite:\n            product: windows\n            service: powershell\n    # Powershell \"classic\" channel\n    ps_classic_start:\n        category: ps_classic_start\n        product: windows\n        conditions:\n            EventID: 400\n        rewrite:\n            product: windows\n            service: powershell-classic\n    ps_classic_provider_start:\n        category: ps_classic_provider_start\n        product: windows\n        conditions:\n            EventID: 600\n        rewrite:\n            product: windows\n            service: powershell-classic\n    ps_classic_script:\n        category: ps_classic_script\n        product: windows\n        conditions:\n            EventID: 800\n        rewrite:\n            product: windows\n            service: powershell-classic\n    # target system configurations\n    windows-application:\n        product: windows\n        service: application\n        sources:\n            - \"WinEventLog:Application\"\n    windows-security:\n        product: windows\n        service: security\n        sources:\n            - \"WinEventLog:Security\"\n    windows-system:\n        product: windows\n        service: system\n        sources:\n            - \"WinEventLog:System\"\n    windows-ntlm:\n        product: windows\n        service: ntlm\n        sources:\n            - \"WinEventLog:Microsoft-Windows-NTLM/Operational\"\n    windows-sysmon:\n        product: windows\n        service: sysmon\n        sources:\n            - \"WinEventLog:Microsoft-Windows-Sysmon/Operational\"\n    windows-powershell:\n        product: windows\n        service: powershell\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PowerShell/Operational\"\n            - \"WinEventLog:PowerShellCore/Operational\"\n    windows-classicpowershell:\n        product: windows\n        service: powershell-classic\n        sources:\n            - \"WinEventLog:Windows PowerShell\"\n    windows-taskscheduler:\n        product: windows\n        service: taskscheduler\n        sources:\n            - \"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"\n    windows-wmi:\n        product: windows\n        service: wmi\n        sources:\n            - \"WinEventLog:Microsoft-Windows-WMI-Activity/Operational\"\n    windows-dhcp:\n        product: windows\n        service: dhcp\n        sources:\n            - \"WinEventLog:Microsoft-Windows-DHCP-Server/Operational\"\n    windows-printservice-admin:\n        product: windows\n        service: printservice-admin\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PrintService/Admin\"\n    windows-smbclient-security:\n        product: windows\n        service: smbclient-security\n        sources:\n            - \"WinEventLog:Microsoft-Windows-SmbClient/Security\"\n    windows-smbclient-connectivity:\n        product: windows\n        service: smbclient-connectivity\n        sources:\n            - \"WinEventLog:Microsoft-Windows-SmbClient/Connectivity\"\n    windows-printservice-operational:\n        product: windows\n        service: printservice-operational\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PrintService/Operational\"\n    windows-terminalservices-localsessionmanager-operational:\n        product: windows\n        service: terminalservices-localsessionmanager\n        sources:\n            - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'\n    windows-codeintegrity-operational:\n        product: windows\n        service: codeintegrity-operational\n        sources:\n            - \"WinEventLog:Microsoft-Windows-CodeIntegrity/Operational\"\n    windows-applocker:\n        product: windows\n        service: applocker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'\n    windows-msexchange-management:\n        product: windows\n        service: msexchange-management\n        sources:\n            - 'WinEventLog:MSExchange Management'\n    windows-defender:\n        product: windows\n        service: windefend\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'\n    windows-defender-antivirus-mapping:\n        category: antivirus\n        conditions:\n            EventID:  # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'\n                - 1006\n                - 1007\n                - 1008\n                - 1009\n                - 1010\n                - 1011\n                - 1012\n                - 1017\n                - 1018\n                - 1019\n                - 1115\n                - 1116\n        rewrite:\n            product: windows\n            service: windefend\n        fieldmappings:\n            Signature: ThreatName\n            Filename: Path\n    windows-firewall-advanced-security:\n        product: windows\n        service: firewall-as\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'\n    windows-bits-client:\n        product: windows\n        service: bits-client\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'\n    windows-security-mitigations:\n        product: windows\n        service: security-mitigations\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'\n            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'\n    windows-diagnosis:\n        product: windows\n        service: diagnosis-scripted\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'\n    windows-shell-core:\n        product: windows\n        service: shell-core\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'\n    windows-openssh:\n        product: windows\n        service: openssh\n        sources:\n            - 'WinEventLog:OpenSSH/Operational'\n    windows-ldap-debug:\n        product: windows\n        service: ldap_debug\n        sources:\n            - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'\n    windows-bitlocker:\n        product: windows\n        service: bitlocker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'\n    windows-vhdmp:\n        product: windows\n        service: vhdmp\n        sources:\n            - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'\n    windows-appxdeployment-server:\n        product: windows\n        service: appxdeployment-server\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'\n    windows-lsa-server:\n        product: windows\n        service: lsa-server\n        sources:\n            - 'WinEventLog:Microsoft-Windows-LSA/Operational'\n    windows-appxpackaging-om:\n        product: windows\n        service: appxpackaging-om\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'\n    windows-dns-client:\n        product: windows\n        service: dns-client\n        sources:\n            - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'\n    windows-appmodel-runtime:\n        product: windows\n        service: appmodel-runtime\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'\n    windows-capi2:\n        product: windows\n        service: capi2\n        sources:\n            - 'WinEventLog:Microsoft-Windows-CAPI2/Operational'\n    windows-certificateservicesclient-lifecycle:\n        product: windows\n        service: certificateservicesclient-lifecycle-system\n        sources:\n            - 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'\n    windows-kernel-shimengine:\n        product: windows\n        service: kernel-shimengine\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'\n            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'\n    windows-application-experience:\n        product: windows\n        service: application-experience\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'\n            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'\n    windows-ntfs:\n        product: windows\n        service: ntfs\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Ntfs/Operational'\n    windows-hyper-v-worker:\n        product: windows\n        service: hyper-v-worker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'\n    windows-kernel-event-tracing:\n        product: windows\n        service: kernel-event-tracing\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'\n    windows-sense:\n        product: windows\n        service: sense\n        sources:\n            - 'WinEventLog:Microsoft-Windows-SENSE/Operational'\n    apache:\n        category: webserver\n        sources:\n            - \"File:/var/log/apache/*.log\"\n            - \"File:/var/log/apache2/*.log\"\n            - \"File:/var/log/httpd/*.log\"\n    linux-auth:\n        product: linux\n        service: auth\n        sources:\n            - \"File:/var/log/auth.log\"\n            - \"File:/var/log/auth.log.?\"\n    linux-syslog:\n        product: linux\n        service: syslog\n        sources:\n            - \"File:/var/log/syslog\"\n            - \"File:/var/log/syslog.?\"\n    logfiles:\n        category: logfile\n        sources:\n            - \"File:*.log\"\n    logfiles-appliances:\n        category: appliance\n        sources:\n            - \"File:*.log\"\n",
        "summary": "This Sigma Rule configuration is specifically designed for use with the THOR and SPARK IOC scanners and cannot be used with the sigmac tool. It includes log source configurations for various Windows event types, such as process creation, network connection, registry events, PowerShell events, and many more. Additionally, it contains target system configurations for different Windows services and sources.",
        "modification_count": 2,
        "comment_history": [
            "Merge branch 'SigmaHQ:master' into master",
            "Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes"
        ]
    },
    "rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml": {
        "filename": "rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml",
        "creation_Date": "2024-08-07T18:03:00.506570",
        "modification_Date": "2024-08-07T18:03:00.506600",
        "lastUpdate_Date": "2024-08-07T18:03:01.501467",
        "sigmaRule": "title: Rare Remote Thread Creation By Uncommon Source Image\nid: 02d1d718-dd13-41af-989d-ea85c7fab93f\nrelated:\n    - id: 66d31e5f-52d6-40a4-9615-002d3789a119\n      type: derived\nstatus: experimental\ndescription: Detects uncommon processes creating remote threads.\nreferences:\n    - Personal research, statistical analysis\n    - https://lolbas-project.github.io\nauthor: Perez Diego (@darkquassar), oscd.community\ndate: 2019/10/27\nmodified: 2024/07/15\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1055\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\bash.exe'\n            - '\\cscript.exe'\n            - '\\cvtres.exe'\n            - '\\defrag.exe'\n            - '\\dialer.exe'\n            - '\\dnx.exe'\n            - '\\esentutl.exe'\n            - '\\excel.exe'\n            - '\\expand.exe'\n            - '\\find.exe'\n            - '\\findstr.exe'\n            - '\\forfiles.exe'\n            - '\\gpupdate.exe'\n            - '\\hh.exe'\n            - '\\installutil.exe'\n            - '\\lync.exe'\n            - '\\makecab.exe'\n            - '\\mDNSResponder.exe'\n            - '\\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.\n            - '\\msbuild.exe'\n            - '\\mshta.exe'\n            - '\\mspaint.exe'\n            - '\\outlook.exe'\n            - '\\ping.exe'\n            - '\\provtool.exe'\n            - '\\python.exe'\n            - '\\regsvr32.exe'\n            - '\\robocopy.exe'\n            - '\\runonce.exe'\n            - '\\sapcimc.exe'\n            - '\\smartscreen.exe'\n            - '\\spoolsv.exe'\n            - '\\tstheme.exe'\n            - '\\userinit.exe'\n            - '\\vssadmin.exe'\n            - '\\vssvc.exe'\n            - '\\w3wp.exe'\n            - '\\winscp.exe'\n            - '\\winword.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.\nlevel: high\n",
        "summary": "This Sigma Rule detects uncommon processes creating remote threads on Windows systems by looking for specific SourceImage paths that are associated with potentially malicious activity. It is recommended to test the rule in a controlled environment to establish a baseline that reflects normal behavior before implementation in a production environment due to the potential for false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4878 from @prashanthpulisetti - Update \"Create Remote Thread\" based rules "
        ]
    },
    "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml": {
        "filename": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml",
        "creation_Date": "2024-08-07T18:03:01.501680",
        "modification_Date": "2024-08-07T18:03:01.501697",
        "lastUpdate_Date": "2024-08-07T18:03:03.946638",
        "sigmaRule": "title: Remote Thread Creation By Uncommon Source Image\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\nrelated:\n    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f\n      type: derived\nstatus: experimental\ndescription: Detects uncommon processes creating remote threads.\nreferences:\n    - Personal research, statistical analysis\n    - https://lolbas-project.github.io\nauthor: Perez Diego (@darkquassar), oscd.community\ndate: 2019/10/27\nmodified: 2024/07/15\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1055\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\explorer.exe'\n            - '\\iexplore.exe'\n            - '\\msiexec.exe'\n            - '\\powerpnt.exe'\n            - '\\schtasks.exe'\n            - '\\winlogon.exe'\n    filter_main_winlogon_1:\n        SourceImage: 'C:\\Windows\\System32\\winlogon.exe'\n        TargetImage:\n            - 'C:\\Windows\\System32\\services.exe' # happens on Windows 7\n            - 'C:\\Windows\\System32\\wininit.exe' # happens on Windows 7\n            - 'C:\\Windows\\System32\\csrss.exe' # multiple OS\n            - 'C:\\Windows\\System32\\LogonUI.exe' # multiple OS\n    filter_main_winlogon_2:\n        SourceImage: 'C:\\Windows\\System32\\winlogon.exe'\n        TargetParentProcessId: 4\n    filter_main_schtasks_conhost:\n        SourceImage:\n            - 'C:\\Windows\\System32\\schtasks.exe'\n            - 'C:\\Windows\\SysWOW64\\schtasks.exe'\n        TargetImage: 'C:\\Windows\\System32\\conhost.exe'\n    filter_main_explorer:\n        SourceImage: 'C:\\Windows\\explorer.exe'\n        TargetImage|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_system:\n        TargetImage: 'System'\n    filter_main_msiexec:\n        # Note: MSI installers will trigger this\n        SourceImage|endswith: '\\msiexec.exe'\n        TargetImage|contains:\n            - '\\AppData\\Local\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    filter_optional_aurora_smartconsole1:\n        SourceImage: 'C:\\Program Files\\internet explorer\\iexplore.exe'\n        SourceCommandLine|contains|all:\n            - 'https://'\n            - '.checkpoint.com/documents/'\n            - 'SmartConsole_OLH/'\n            - 'default.htm#cshid='\n    filter_optional_aurora_smartconsole2:\n        SourceImage: 'C:\\Program Files\\internet explorer\\iexplore.exe'\n        SourceParentImage|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n        SourceParentImage|contains|all:\n            - '\\CheckPoint\\SmartConsole\\'\n            - '\\SmartConsole.exe'\n    filter_optional_powerpnt:\n        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479\n        SourceImage|contains: '\\Microsoft Office\\'\n        SourceImage|endswith: '\\POWERPNT.EXE'\n        TargetImage: 'C:\\Windows\\System32\\csrss.exe'\n    filter_main_null:\n        TargetImage: null\n    filter_main_empty:\n        TargetImage: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.\nlevel: medium\n",
        "summary": "This Sigma rule detects uncommon processes creating remote threads, such as explorer.exe, iexplore.exe, msiexec.exe, powerpnt.exe, schtasks.exe, and winlogon.exe. It includes various filters to identify specific patterns of behavior, such as winlogon.exe creating threads with specific target images or parent process IDs. The rule also includes optional filters for specific scenarios, such as SmartConsole usage or Microsoft Office PowerPoint interactions. The rule has a medium level of severity and may require testing to establish a baseline for accurate detection in the environment.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4878 from @prashanthpulisetti - Update \"Create Remote Thread\" based rules "
        ]
    },
    "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml": {
        "filename": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml",
        "creation_Date": "2024-08-07T18:03:03.946815",
        "modification_Date": "2024-08-07T18:03:03.946829",
        "lastUpdate_Date": "2024-08-07T18:03:05.089341",
        "sigmaRule": "title: Remote Thread Creation In Uncommon Target Image\nid: a1a144b7-5c9b-4853-a559-2172be8d4a03\nrelated:\n    - id: f016c716-754a-467f-a39e-63c06f773987\n      type: obsoletes\nstatus: experimental\ndescription: Detects uncommon target processes for remote thread creation\nreferences:\n    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/03/16\nmodified: 2024/07/15\ntags:\n    - attack.defense_evasion\n    - attack.privilege_escalation\n    - attack.t1055.003\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith:\n            - '\\calc.exe'\n            - '\\calculator.exe'\n            - '\\mspaint.exe'\n            - '\\notepad.exe'\n            - '\\ping.exe'\n            - '\\sethc.exe'\n            - '\\spoolsv.exe'\n            - '\\wordpad.exe'\n            - '\\write.exe'\n    filter_main_csrss:\n        SourceImage: 'C:\\Windows\\System32\\csrss.exe'\n    filter_optional_aurora_1:\n        StartFunction: 'EtwpNotificationThread'\n    filter_optional_aurora_2:\n        SourceImage|contains: 'unknown process'\n    filter_optional_vmtoolsd:\n        SourceImage: 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n        StartFunction: 'GetCommandLineW'\n        TargetImage:\n            - 'C:\\Windows\\System32\\notepad.exe'\n            - 'C:\\Windows\\System32\\spoolsv.exe'\n    filter_optional_xerox_pjems:\n        SourceImage: 'C:\\Program Files\\Xerox\\XeroxPrintExperience\\CommonFiles\\XeroxPrintJobEventManagerService.exe'\n        StartFunction: 'LoadLibraryW'\n        TargetImage: 'C:\\Windows\\System32\\spoolsv.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n",
        "summary": "This Sigma rule detects uncommon target processes for remote thread creation, specifically focusing on processes such as calc.exe, calculator.exe, mspaint.exe, notepad.exe, ping.exe, sethc.exe, spoolsv.exe, wordpad.exe, and write.exe. The rule includes filters for specific source and target images, as well as conditions to reduce false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4878 from @prashanthpulisetti - Update \"Create Remote Thread\" based rules "
        ]
    },
    "rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml": {
        "filename": "rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml",
        "creation_Date": "2024-08-07T18:03:05.164292",
        "modification_Date": "2024-08-07T18:03:05.164336",
        "lastUpdate_Date": "2024-08-07T18:03:06.306393",
        "sigmaRule": "title: Password Change on Directory Service Restore Mode (DSRM) Account\nid: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51\nrelated:\n    - id: b61e87c0-50db-4b2e-8986-6a2be94b33b0\n      type: similar\nstatus: stable\ndescription: |\n    Detects potential attempts made to set the Directory Services Restore Mode administrator password.\n    The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\n    Attackers may change the password in order to obtain persistence.\nreferences:\n    - https://adsecurity.org/?p=1714\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794\nauthor: Thomas Patzke\ndate: 2017/02/19\nmodified: 2020/08/23\ntags:\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4794\n    condition: selection\nfalsepositives:\n    - Initial installation of a domain controller.\nlevel: high\n",
        "summary": "This Sigma Rule detects potential attempts to change the password of the Directory Services Restore Mode (DSRM) administrator account, which is a local administrator account on Domain Controllers. Attackers may change this password to maintain persistence in the system. The rule looks for Event ID 4794 in Windows Security logs to trigger an alert. False positives may occur during the initial installation of a domain controller.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4903 from @nischalkhadgi62 - Add `Directory Service Restore Mode(DSRM) Registry Value Tampering`"
        ]
    },
    "rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml": {
        "filename": "rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml",
        "creation_Date": "2024-08-07T18:03:06.306654",
        "modification_Date": "2024-08-07T18:03:06.306677",
        "lastUpdate_Date": "2024-08-07T18:03:07.800673",
        "sigmaRule": "title: Directory Service Restore Mode(DSRM) Registry Value Tampering\nid: b61e87c0-50db-4b2e-8986-6a2be94b33b0\nrelated:\n    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51\n      type: similar\nstatus: experimental\ndescription: |\n    Detects changes to \"DsrmAdminLogonBehavior\" registry value.\n    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an \u201cAdministrator\u201d account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\n    Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.\nreferences:\n    - https://adsecurity.org/?p=1785\n    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/\n    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials\nauthor: Nischal Khadgi\ndate: 2024/07/11\ntags:\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\Lsa\\DsrmAdminLogonBehavior'\n    filter_main_default_value:\n        Details: 'DWORD (0x00000000)' # Default value\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects changes to the \"DsrmAdminLogonBehavior\" registry value, which controls the behavior of the Directory Services Restore Mode (DSRM) local administrator account on a Domain Controller. Attackers could abuse this account for persistence and access to the organization's Active Directory. The rule specifies different values for the \"DsrmAdminLogonBehavior\" value and their implications for the administrator account's use. The detection criteria involve monitoring for changes to the default value of the registry key. This rule has a high level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4903 from @nischalkhadgi62 - Add `Directory Service Restore Mode(DSRM) Registry Value Tampering`"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml",
        "creation_Date": "2024-08-07T18:03:07.836187",
        "modification_Date": "2024-08-07T18:03:07.836258",
        "lastUpdate_Date": "2024-08-07T18:03:09.157414",
        "sigmaRule": "title: BitLockerTogo.EXE Execution\nid: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8\nstatus: experimental\ndescription: |\n    Detects the execution of \"BitLockerToGo.EXE\".\n    BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\n    This is a rarely used application and usage of it at all is worth investigating.\n    Malware such as Lumma stealer has been seen using this process as a target for process hollowing.\nreferences:\n    - https://tria.ge/240521-ynezpagf56/behavioral1\n    - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091\n    - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/\n    - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/\nauthor: Josh Nickels, mttaggart\ndate: 2024/07/11\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\BitLockerToGo.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.\nlevel: low\n",
        "summary": "This Sigma Rule detects the execution of \"BitLockerToGo.EXE\", which is a rarely used application for encrypting removable data drives. Malware such as Lumma stealer has been known to use this process for process hollowing. The rule is tagged as defense evasion and T1218 and has a low level of impact. Legitimate usage of BitLockerToGo.exe may result in false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4902 from @joshnck - Add `BitlockerTogo.EXE Execution`"
        ]
    },
    "rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml": {
        "filename": "rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml",
        "creation_Date": "2024-08-07T18:03:09.200579",
        "modification_Date": "2024-08-07T18:03:09.200634",
        "lastUpdate_Date": "2024-08-07T18:03:10.557782",
        "sigmaRule": "title: Kubernetes Admission Controller Modification\nid: eed82177-38f5-4299-8a76-098d50d225ab\nrelated:\n    - id: 6ad91e31-53df-4826-bd27-0166171c8040\n      type: similar\nstatus: experimental\ndescription: |\n    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers\nauthor: kelnage\ndate: 2024/07/11\ntags:\n    - attack.persistence\n    - attack.t1078\n    - attack.credential_access\n    - attack.t1552\n    - attack.t1552.007\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'admissionregistration.k8s.io'\n        objectRef.resource:\n            - 'mutatingwebhookconfigurations'\n            - 'validatingwebhookconfigurations'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n",
        "summary": "This Sigma rule detects when a modification action is taken in Kubernetes that affects mutating or validating webhook configurations. This is important as these configurations can be exploited by adversaries for persistence or credential access. The rule specifies the conditions for detection, such as specific API groups, resources, and verbs, and provides references for further information. The rule is categorized as experimental and has a medium level of severity. False positives may occur when legitimate system administrators or automated processes make these modifications.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format "
        ]
    },
    "rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml": {
        "filename": "rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml",
        "creation_Date": "2024-08-07T18:03:10.557871",
        "modification_Date": "2024-08-07T18:03:10.557922",
        "lastUpdate_Date": "2024-08-07T18:03:11.771160",
        "sigmaRule": "title: Kubernetes CronJob/Job Modification\nid: 0c9b3bda-41a6-4442-9345-356ae86343dc\nrelated:\n    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435\n      type: similar\nstatus: experimental\ndescription: |\n    Detects when a Kubernetes CronJob or Job is created or modified.\n    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.\n    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob\nauthor: kelnage\ndate: 2024/07/11\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.execution\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'batch'\n        objectRef.resource:\n            - 'cronjobs'\n            - 'jobs'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n",
        "summary": "This Sigma rule detects when a Kubernetes CronJob or Job is created or modified, which could be exploited by adversaries to run malicious code within a cluster for persistence. The rule specifies the conditions for detecting such modifications and provides references for further information on protecting Kubernetes against these types of attacks. It is still in the experimental stage and may have false positives, such as when system administrators or automated processes legitimately modify these objects.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format "
        ]
    },
    "rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml": {
        "filename": "rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml",
        "creation_Date": "2024-08-07T18:03:11.771416",
        "modification_Date": "2024-08-07T18:03:11.771429",
        "lastUpdate_Date": "2024-08-07T18:03:13.221071",
        "sigmaRule": "title: Kubernetes Rolebinding Modification\nid: 10b97915-ec8d-455f-a815-9a78926585f6\nrelated:\n    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e\n      type: similar\nstatus: experimental\ndescription: |\n    Detects when a Kubernetes Rolebinding is created or modified.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab\nauthor: kelnage\ndate: 2024/07/11\ntags:\n    - attack.privilege_escalation\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'rbac.authorization.k8s.io'\n        objectRef.resource:\n            - 'clusterrolebindings'\n            - 'rolebindings'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n",
        "summary": "This Sigma Rule detects when a Kubernetes Rolebinding is created or modified. It specifies conditions for selection, such as the objectRef.apiGroup being 'rbac.authorization.k8s.io' and the verb being 'create', 'delete', 'patch', 'replace', or 'update'. The rule is tagged for privilege escalation attacks and provides references for further information on Kubernetes RBAC. It is still marked as experimental and may have false positives in situations where a system administrator or automated processes need to modify Rolebindings.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format "
        ]
    },
    "rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml": {
        "filename": "rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml",
        "creation_Date": "2024-08-07T18:03:13.221365",
        "modification_Date": "2024-08-07T18:03:13.221381",
        "lastUpdate_Date": "2024-08-07T18:03:14.296121",
        "sigmaRule": "title: Kubernetes Secrets Modified or Deleted\nid: 58d31a75-a4f8-4c40-985b-373d58162ca2\nrelated:\n    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3\n      type: similar\nstatus: experimental\ndescription: |\n    Detects when Kubernetes Secrets are Modified or Deleted.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/\nauthor: kelnage\ndate: 2024/07/11\ntags:\n    - attack.credential_access\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.resource: 'secrets'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Secrets being modified or deleted may be performed by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n",
        "summary": "This Sigma Rule detects when Kubernetes Secrets are modified or deleted by monitoring audit logs for specific actions such as create, delete, patch, replace, and update. False positives may occur if system administrators or automated processes perform these actions. The rule is considered medium level and is currently experimental.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format "
        ]
    },
    "rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml": {
        "filename": "rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml",
        "creation_Date": "2024-08-07T18:03:14.296427",
        "modification_Date": "2024-08-07T18:03:14.296454",
        "lastUpdate_Date": "2024-08-07T18:03:15.518330",
        "sigmaRule": "title: Kubernetes Unauthorized or Unauthenticated Access\nid: 0d933542-1f1f-420d-97d4-21b2c3c492d9\nstatus: experimental\ndescription: |\n    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.\n    This may indicate an attacker attempting to leverage credentials they have obtained.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues\nauthor: kelnage\ndate: 2024/04/12\ntags:\n    - attack.privilege_escalation\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        responseStatus.code:\n            - 401 # Unauthorized\n            - 403 # Forbidden\n    condition: selection\nfalsepositives:\n    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.\nlevel: low\n",
        "summary": "This Sigma Rule detects unauthorized or unauthenticated access in Kubernetes API requests, which could indicate an attacker trying to use obtained credentials. It looks for requests that are rejected due to lack of authorization or expired authentication tokens. The rule has a low level of severity and may have false positives caused by misconfigured RBAC policies, user errors, or authentication token issues.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format "
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml",
        "creation_Date": "2024-08-07T18:03:15.568985",
        "modification_Date": "2024-08-07T18:03:15.569100",
        "lastUpdate_Date": "2024-08-07T18:03:17.081654",
        "sigmaRule": "title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure\nid: 352a918a-34d8-4882-8470-44830c507aa3\nstatus: experimental\ndescription: |\n    Detects when an instance identity has taken an action that isn't inside SSM.\n    This can indicate that a compromised EC2 instance is being used as a pivot point.\nreferences:\n    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html\n    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/\n    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1078\n    - attack.t1078.002\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        userIdentity.arn|re: '.+:assumed-role/aws:.+'\n    filter_main_generic:\n        - eventSource: 'ssm.amazonaws.com'\n        - eventName: 'RegisterManagedInstance'\n        - sourceIPAddress: 'AWS Internal'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services\nlevel: high\n",
        "summary": "This Sigma Rule detects when an EC2 instance has taken an action outside of AWS Systems Manager (SSM), indicating potential compromise and use as a pivot point. It looks for instances with credentials assumed outside of SSM and alerts on such activity. The rule provides references for further reading on the topic and includes detection criteria using CloudTrail logs. There is a high level of confidence in this detection, but it may have false positives if EC2 instances are configured to communicate with other AWS services.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml",
        "creation_Date": "2024-08-07T18:03:17.081771",
        "modification_Date": "2024-08-07T18:03:17.081782",
        "lastUpdate_Date": "2024-08-07T18:03:18.358950",
        "sigmaRule": "title: New Network ACL Entry Added\nid: e1f7febb-7b94-4234-b5c6-00fb8500f5dd\nstatus: test\ndescription: |\n    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName: 'CreateNetworkAclEntry'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC\nlevel: low\n",
        "summary": "This Sigma Rule detects when new network ACL entries have been added to a route table in an AWS account, potentially indicating new attack vectors. It focuses on the event source 'ec2.amazonaws.com' and eventName 'CreateNetworkAclEntry' in CloudTrail logs. The rule may have false positives for legitimate ACL use, and it is categorized as a low-level detection for initial access attacks.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml",
        "creation_Date": "2024-08-07T18:03:18.359101",
        "modification_Date": "2024-08-07T18:03:18.359114",
        "lastUpdate_Date": "2024-08-07T18:03:20.134077",
        "sigmaRule": "title: New Network Route Added\nid: c803b2ce-c4a2-4836-beae-b112010390b1\nstatus: test\ndescription: |\n    Detects the addition of a new network route to a route table in AWS.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName: 'CreateRoute'\n    condition: selection\nfalsepositives:\n    - New VPC Creation requiring setup of a new route table\n    - New subnets added requiring routing setup\nlevel: medium\n",
        "summary": "This Sigma Rule detects the addition of a new network route to a route table in AWS. The rule looks for the 'CreateRoute' event from the 'ec2.amazonaws.com' event source in AWS CloudTrail logs. False positives may occur when a new VPC is created or new subnets are added, requiring routing setup. The rule is tagged with initial access and T1190 attack techniques and is considered a medium-level detection. The rule was authored by jamesc-grafana and was last updated on July 11, 2024.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml",
        "creation_Date": "2024-08-07T18:03:20.134311",
        "modification_Date": "2024-08-07T18:03:20.134335",
        "lastUpdate_Date": "2024-08-07T18:03:21.554243",
        "sigmaRule": "title: Ingress/Egress Security Group Modification\nid: 6fb77778-040f-4015-9440-572aa9b6b580\nstatus: test\ndescription: |\n    Detects when an account makes changes to the ingress or egress rules of a security group.\n    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName:\n            - 'AuthorizeSecurityGroupEgress'\n            - 'AuthorizeSecurityGroupIngress'\n            - 'RevokeSecurityGroupEgress'\n            - 'RevokeSecurityGroupIngress'\n    condition: selection\nfalsepositives:\n    - New VPCs and Subnets being setup requiring a different security profile to those already defined\n    - A single port being opened for a new service that is known to be deploying\n    - Administrators closing unused ports to reduce the attack surface\nlevel: medium\n",
        "summary": "This Sigma Rule detects when changes are made to the ingress or egress rules of a security group in an AWS account. This could indicate potential malicious activity, such as an attacker trying to open up new attack vectors, exfiltrate data over the network, or allow machines to contact a command and control server. The rule looks for specific events in AWS CloudTrail related to security group modifications. Some potential false positives could include setting up new VPCs or subnets, opening a single port for a new service, or administrators closing unused ports.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml",
        "creation_Date": "2024-08-07T18:03:21.554405",
        "modification_Date": "2024-08-07T18:03:21.554417",
        "lastUpdate_Date": "2024-08-07T18:03:23.087541",
        "sigmaRule": "title: LoadBalancer Security Group Modification\nid: 7a4409fc-f8ca-45f6-8006-127d779eaad9\nstatus: test\ndescription: |\n    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).\n    This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'elasticloadbalancing.amazonaws.com'\n        eventName:\n            - 'ApplySecurityGroupsToLoadBalancer'\n            - 'SetSecurityGroups'\n    condition: selection\nfalsepositives:\n    - Repurposing of an ELB or ALB to serve a different or additional application\n    - Changes to security groups to allow for new services to be deployed\nlevel: medium\n",
        "summary": "This Sigma Rule detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB) in AWS. This could indicate a misconfiguration allowing unauthorized traffic into the system or potentially an attacker attempting to enable new connections into a VPC or subnet controlled by the account. The rule checks for specific events related to security group modifications in the AWS CloudTrail logs. False positives may occur if an ELB or ALB is repurposed for a different application or if security group changes are made for legitimate reasons such as deploying new services.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml",
        "creation_Date": "2024-08-07T18:03:23.087725",
        "modification_Date": "2024-08-07T18:03:23.087739",
        "lastUpdate_Date": "2024-08-07T18:03:24.744222",
        "sigmaRule": "title: RDS Database Security Group Modification\nid: 14f3f1c8-02d5-43a2-a191-91ffb52d3015\nstatus: test\ndescription: |\n    Detects changes to the security group entries for RDS databases.\n    This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'rds.amazonaws.com'\n        eventName:\n            - 'AuthorizeDBSecurityGroupIngress'\n            - 'CreateDBSecurityGroup'\n            - 'DeleteDBSecurityGroup'\n            - 'RevokeDBSecurityGroupIngress'\n    condition: selection\nfalsepositives:\n    - Creation of a new Database that needs new security group rules\nlevel: medium\n",
        "summary": "This Sigma Rule detects changes to the security group entries for RDS databases in AWS CloudTrail. It can indicate misconfigurations that expose the database to the public internet or wider audience within the VPC, or removal of valid rules that could impact the availability of the database. The rule looks for specific events like AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, DeleteDBSecurityGroup, and RevokeDBSecurityGroupIngress. False positives may occur when creating a new database that requires new security group rules.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml",
        "creation_Date": "2024-08-07T18:03:24.744439",
        "modification_Date": "2024-08-07T18:03:24.744451",
        "lastUpdate_Date": "2024-08-07T18:03:26.338677",
        "sigmaRule": "title: Potential Malicious Usage of CloudTrail System Manager\nid: 38e7f511-3f74-41d4-836e-f57dfa18eead\nstatus: experimental\ndescription: |\n    Detect when System Manager successfully executes commands against an instance.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml\nauthor: jamesc-grafana\ndate: 2024/07/11\ntags:\n    - attack.privilege_escalation\n    - attack.t1566\n    - attack.t1566.002\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'SendCommand'\n        eventSource: 'ssm.amazonaws.com'\n        responseElements.command.status: 'Success'\n    condition: selection\nfalsepositives:\n    - There are legitimate uses of SSM to send commands to EC2 instances\n    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them\nlevel: high\n",
        "summary": "This Sigma Rule detects potential malicious usage of the CloudTrail System Manager by alerting when System Manager successfully executes commands against an instance. It specifies the selection criteria for the detection, such as eventName and eventSource, and includes a list of false positives to consider. The rule is tagged with privilege escalation and specific attack techniques.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4900 from @jamesc-grafana - Add new AWS cloudtrail rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_dbgcore.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_dbgcore.yml",
        "creation_Date": "2024-08-07T18:03:26.379946",
        "modification_Date": "2024-08-07T18:03:26.380053",
        "lastUpdate_Date": "2024-08-07T18:03:27.480876",
        "sigmaRule": "title: Potential DLL Sideloading Of DBGCORE.DLL\nid: 9ca2bf31-0570-44d8-a543-534c47c33ed7\nstatus: test\ndescription: Detects DLL sideloading of \"dbgcore.dll\"\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022/10/25\nmodified: 2023/05/05\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1574.001\n    - attack.t1574.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbgcore.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_steam:\n        ImageLoaded|endswith: '\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n",
        "summary": "This Sigma rule detects potential DLL sideloading of \"dbgcore.dll\" by monitoring image load events on Windows systems. It includes selection criteria for detecting the loading of dbgcore.dll and filter criteria to exclude legitimate paths where the DLL may be loaded from. The rule has a medium level of severity and provides references for more information on DLL sideloading.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_dbgcore_dll.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_dbgcore_dll.yml",
        "creation_Date": "2024-08-07T18:03:27.481083",
        "modification_Date": "2024-08-07T18:03:27.481095",
        "lastUpdate_Date": "2024-08-07T18:03:28.158316",
        "sigmaRule": "file does not exist",
        "summary": "If the file does not exist, it means that the specified file or document cannot be found or accessed in the designated location.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_dbghelp.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_dbghelp.yml",
        "creation_Date": "2024-08-07T18:03:28.158511",
        "modification_Date": "2024-08-07T18:03:28.158525",
        "lastUpdate_Date": "2024-08-07T18:03:29.294009",
        "sigmaRule": "title: Potential DLL Sideloading Of DBGHELP.DLL\nid: 6414b5cd-b19d-447e-bb5e-9f03940b5784\nstatus: test\ndescription: Detects potential DLL sideloading of \"dbghelp.dll\"\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022/10/25\nmodified: 2023/05/05\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1574.001\n    - attack.t1574.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbghelp.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_anaconda:\n        ImageLoaded|endswith:\n            - '\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll'\n            - '\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll'\n    filter_optional_epicgames:\n        ImageLoaded|endswith:\n            - '\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll'\n            - '\\Epic Games\\MagicLegends\\x86\\dbghelp.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential DLL sideloading of \"dbghelp.dll\" by monitoring image loading events on Windows systems. The rule includes filters to exclude legitimate sources of the DLL, such as Anaconda and Epic Games installations. False positives may occur with legitimate applications that load their own versions of the DLL. The rule is categorized as medium level.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_dbghelp_dll.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_dbghelp_dll.yml",
        "creation_Date": "2024-08-07T18:03:29.294309",
        "modification_Date": "2024-08-07T18:03:29.294335",
        "lastUpdate_Date": "2024-08-07T18:03:29.885664",
        "sigmaRule": "file does not exist",
        "summary": "If the file being referenced does not exist, this Sigma Rule will not be triggered.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_from_non_system_location.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_from_non_system_location.yml",
        "creation_Date": "2024-08-07T18:03:29.888465",
        "modification_Date": "2024-08-07T18:03:29.888485",
        "lastUpdate_Date": "2024-08-07T18:03:31.221348",
        "sigmaRule": "title: Potential System DLL Sideloading From Non System Locations\nid: 4fc0deee-0057-4998-ab31-d24e46e0aba4\nstatus: experimental\ndescription: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)\n    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll\n    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll\n    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)\n    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/14\nmodified: 2024/07/11\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1574.001\n    - attack.t1574.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\aclui.dll'\n            - '\\activeds.dll'\n            - '\\adsldpc.dll'\n            - '\\aepic.dll'\n            - '\\apphelp.dll'\n            - '\\applicationframe.dll'\n            - '\\appvpolicy.dll'\n            - '\\appxalluserstore.dll'\n            - '\\appxdeploymentclient.dll'\n            - '\\archiveint.dll'\n            - '\\atl.dll'\n            - '\\audioses.dll'\n            - '\\auditpolcore.dll'\n            - '\\authfwcfg.dll'\n            - '\\authz.dll'\n            - '\\avrt.dll'\n            - '\\batmeter.dll'\n            - '\\bcd.dll'\n            - '\\bcp47langs.dll'\n            - '\\bcp47mrm.dll'\n            - '\\bcrypt.dll'\n            - '\\bderepair.dll'\n            - '\\bootmenuux.dll'\n            - '\\bootux.dll'\n            - '\\cabinet.dll'\n            - '\\cabview.dll'\n            - '\\certcli.dll'\n            - '\\certenroll.dll'\n            - '\\cfgmgr32.dll'\n            - '\\cldapi.dll'\n            - '\\clipc.dll'\n            - '\\clusapi.dll'\n            - '\\cmpbk32.dll'\n            - '\\cmutil.dll'\n            - '\\coloradapterclient.dll'\n            - '\\colorui.dll'\n            - '\\comdlg32.dll'\n            - '\\configmanager2.dll'\n            - '\\connect.dll'\n            - '\\coredplus.dll'\n            - '\\coremessaging.dll'\n            - '\\coreuicomponents.dll'\n            - '\\credui.dll'\n            - '\\cryptbase.dll'\n            - '\\cryptdll.dll'\n            - '\\cryptsp.dll'\n            - '\\cryptui.dll'\n            - '\\cryptxml.dll'\n            - '\\cscapi.dll'\n            - '\\cscobj.dll'\n            - '\\cscui.dll'\n            - '\\d2d1.dll'\n            - '\\d3d10_1.dll'\n            - '\\d3d10_1core.dll'\n            - '\\d3d10.dll'\n            - '\\d3d10core.dll'\n            - '\\d3d10warp.dll'\n            - '\\d3d11.dll'\n            - '\\d3d12.dll'\n            - '\\d3d9.dll'\n            - '\\d3dx9_43.dll'\n            - '\\dataexchange.dll'\n            - '\\davclnt.dll'\n            - '\\dcntel.dll'\n            - '\\dcomp.dll'\n            - '\\defragproxy.dll'\n            - '\\desktopshellext.dll'\n            - '\\deviceassociation.dll'\n            - '\\devicecredential.dll'\n            - '\\devicepairing.dll'\n            - '\\devobj.dll'\n            - '\\devrtl.dll'\n            - '\\dhcpcmonitor.dll'\n            - '\\dhcpcsvc.dll'\n            - '\\dhcpcsvc6.dll'\n            - '\\directmanipulation.dll'\n            - '\\dismapi.dll'\n            - '\\dismcore.dll'\n            - '\\dmcfgutils.dll'\n            - '\\dmcmnutils.dll'\n            - '\\dmcommandlineutils.dll'\n            - '\\dmenrollengine.dll'\n            - '\\dmenterprisediagnostics.dll'\n            - '\\dmiso8601utils.dll'\n            - '\\dmoleaututils.dll'\n            - '\\dmprocessxmlfiltered.dll'\n            - '\\dmpushproxy.dll'\n            - '\\dmxmlhelputils.dll'\n            - '\\dnsapi.dll'\n            - '\\dot3api.dll'\n            - '\\dot3cfg.dll'\n            - '\\dpx.dll'\n            - '\\drprov.dll'\n            - '\\drvstore.dll'\n            - '\\dsclient.dll'\n            - '\\dsparse.dll'\n            - '\\dsprop.dll'\n            - '\\dsreg.dll'\n            - '\\dsrole.dll'\n            - '\\dui70.dll'\n            - '\\duser.dll'\n            - '\\dusmapi.dll'\n            - '\\dwmapi.dll'\n            - '\\dwmcore.dll'\n            - '\\dwrite.dll'\n            - '\\dxcore.dll'\n            - '\\dxgi.dll'\n            - '\\dxva2.dll'\n            - '\\dynamoapi.dll'\n            - '\\eappcfg.dll'\n            - '\\eappprxy.dll'\n            - '\\edgeiso.dll'\n            - '\\edputil.dll'\n            - '\\efsadu.dll'\n            - '\\efsutil.dll'\n            - '\\esent.dll'\n            - '\\execmodelproxy.dll'\n            - '\\explorerframe.dll'\n            - '\\fastprox.dll'\n            - '\\faultrep.dll'\n            - '\\fddevquery.dll'\n            - '\\feclient.dll'\n            - '\\fhcfg.dll'\n            - '\\fhsvcctl.dll'\n            - '\\firewallapi.dll'\n            - '\\flightsettings.dll'\n            - '\\fltlib.dll'\n            - '\\framedynos.dll'\n            - '\\fveapi.dll'\n            - '\\fveskybackup.dll'\n            - '\\fvewiz.dll'\n            - '\\fwbase.dll'\n            - '\\fwcfg.dll'\n            - '\\fwpolicyiomgr.dll'\n            - '\\fwpuclnt.dll'\n            - '\\fxsapi.dll'\n            - '\\fxsst.dll'\n            - '\\fxstiff.dll'\n            - '\\getuname.dll'\n            - '\\gpapi.dll'\n            - '\\hid.dll'\n            - '\\hnetmon.dll'\n            - '\\httpapi.dll'\n            - '\\icmp.dll'\n            - '\\idstore.dll'\n            - '\\ieadvpack.dll'\n            - '\\iedkcs32.dll'\n            - '\\iernonce.dll'\n            - '\\iertutil.dll'\n            - '\\ifmon.dll'\n            - '\\ifsutil.dll'\n            - '\\inproclogger.dll'\n            - '\\iphlpapi.dll'\n            - '\\iri.dll'\n            - '\\iscsidsc.dll'\n            - '\\iscsium.dll'\n            - '\\isv.exe_rsaenh.dll'\n            - '\\iumbase.dll'\n            - '\\iumsdk.dll'\n            - '\\joinutil.dll'\n            - '\\kdstub.dll'\n            - '\\ksuser.dll'\n            - '\\ktmw32.dll'\n            - '\\licensemanagerapi.dll'\n            - '\\licensingdiagspp.dll'\n            - '\\linkinfo.dll'\n            - '\\loadperf.dll'\n            - '\\lockhostingframework.dll'\n            - '\\logoncli.dll'\n            - '\\logoncontroller.dll'\n            - '\\lpksetupproxyserv.dll'\n            - '\\lrwizdll.dll'\n            - '\\magnification.dll'\n            - '\\maintenanceui.dll'\n            - '\\mapistub.dll'\n            - '\\mbaexmlparser.dll'\n            - '\\mdmdiagnostics.dll'\n            - '\\mfc42u.dll'\n            - '\\mfcore.dll'\n            - '\\mfplat.dll'\n            - '\\mi.dll'\n            - '\\midimap.dll'\n            - '\\mintdh.dll'\n            - '\\miutils.dll'\n            - '\\mlang.dll'\n            - '\\mmdevapi.dll'\n            - '\\mobilenetworking.dll'\n            - '\\mpr.dll'\n            - '\\mprapi.dll'\n            - '\\mrmcorer.dll'\n            - '\\msacm32.dll'\n            - '\\mscms.dll'\n            - '\\mscoree.dll'\n            - '\\msctf.dll'\n            - '\\msctfmonitor.dll'\n            - '\\msdrm.dll'\n            - '\\msdtctm.dll'\n            - '\\msftedit.dll'\n            - '\\msi.dll'\n            - '\\msiso.dll'\n            - '\\msutb.dll'\n            - '\\msvcp110_win.dll'\n            - '\\mswb7.dll'\n            - '\\mswsock.dll'\n            - '\\msxml3.dll'\n            - '\\mtxclu.dll'\n            - '\\napinsp.dll'\n            - '\\ncrypt.dll'\n            - '\\ndfapi.dll'\n            - '\\netapi32.dll'\n            - '\\netid.dll'\n            - '\\netiohlp.dll'\n            - '\\netjoin.dll'\n            - '\\netplwiz.dll'\n            - '\\netprofm.dll'\n            - '\\netprovfw.dll'\n            - '\\netsetupapi.dll'\n            - '\\netshell.dll'\n            - '\\nettrace.dll'\n            - '\\netutils.dll'\n            - '\\networkexplorer.dll'\n            - '\\newdev.dll'\n            - '\\ninput.dll'\n            - '\\nlaapi.dll'\n            - '\\nlansp_c.dll'\n            - '\\npmproxy.dll'\n            - '\\nshhttp.dll'\n            - '\\nshipsec.dll'\n            - '\\nshwfp.dll'\n            - '\\ntdsapi.dll'\n            - '\\ntlanman.dll'\n            - '\\ntlmshared.dll'\n            - '\\ntmarta.dll'\n            - '\\ntshrui.dll'\n            - '\\oleacc.dll'\n            - '\\omadmapi.dll'\n            - '\\onex.dll'\n            - '\\opcservices.dll'\n            - '\\osbaseln.dll'\n            - '\\osksupport.dll'\n            - '\\osuninst.dll'\n            - '\\p2p.dll'\n            - '\\p2pnetsh.dll'\n            - '\\p9np.dll'\n            - '\\pcaui.dll'\n            - '\\pdh.dll'\n            - '\\peerdistsh.dll'\n            - '\\pkeyhelper.dll'\n            - '\\pla.dll'\n            - '\\playsndsrv.dll'\n            - '\\pnrpnsp.dll'\n            - '\\policymanager.dll'\n            - '\\polstore.dll'\n            - '\\powrprof.dll'\n            - '\\printui.dll'\n            - '\\prntvpt.dll'\n            - '\\profapi.dll'\n            - '\\propsys.dll'\n            - '\\proximitycommon.dll'\n            - '\\proximityservicepal.dll'\n            - '\\prvdmofcomp.dll'\n            - '\\puiapi.dll'\n            - '\\radcui.dll'\n            - '\\rasapi32.dll'\n            - '\\rasdlg.dll'\n            - '\\rasgcw.dll'\n            - '\\rasman.dll'\n            - '\\rasmontr.dll'\n            - '\\reagent.dll'\n            - '\\regapi.dll'\n            - '\\reseteng.dll'\n            - '\\resetengine.dll'\n            - '\\resutils.dll'\n            - '\\rmclient.dll'\n            - '\\rpcnsh.dll'\n            - '\\rsaenh.dll'\n            - '\\rtutils.dll'\n            - '\\rtworkq.dll'\n            - '\\samcli.dll'\n            - '\\samlib.dll'\n            - '\\sapi_onecore.dll'\n            - '\\sas.dll'\n            - '\\scansetting.dll'\n            - '\\scecli.dll'\n            - '\\schedcli.dll'\n            - '\\secur32.dll'\n            - '\\security.dll'\n            - '\\sensapi.dll'\n            - '\\shell32.dll'\n            - '\\shfolder.dll'\n            - '\\slc.dll'\n            - '\\snmpapi.dll'\n            - '\\spectrumsyncclient.dll'\n            - '\\spp.dll'\n            - '\\sppc.dll'\n            - '\\sppcext.dll'\n            - '\\srclient.dll'\n            - '\\srcore.dll'\n            - '\\srmtrace.dll'\n            - '\\srpapi.dll'\n            - '\\srvcli.dll'\n            - '\\ssp_isv.exe_rsaenh.dll'\n            - '\\ssp.exe_rsaenh.dll'\n            - '\\sspicli.dll'\n            - '\\ssshim.dll'\n            - '\\staterepository.core.dll'\n            - '\\structuredquery.dll'\n            - '\\sxshared.dll'\n            - '\\systemsettingsthresholdadminflowui.dll'\n            - '\\tapi32.dll'\n            - '\\tbs.dll'\n            - '\\tdh.dll'\n            - '\\textshaping.dll'\n            - '\\timesync.dll'\n            - '\\tpmcoreprovisioning.dll'\n            - '\\tquery.dll'\n            - '\\tsworkspace.dll'\n            - '\\ttdrecord.dll'\n            - '\\twext.dll'\n            - '\\twinapi.dll'\n            - '\\twinui.appcore.dll'\n            - '\\uianimation.dll'\n            - '\\uiautomationcore.dll'\n            - '\\uireng.dll'\n            - '\\uiribbon.dll'\n            - '\\umpdc.dll'\n            - '\\unattend.dll'\n            - '\\updatepolicy.dll'\n            - '\\upshared.dll'\n            - '\\urlmon.dll'\n            - '\\userenv.dll'\n            - '\\utildll.dll'\n            - '\\uxinit.dll'\n            - '\\uxtheme.dll'\n            - '\\vaultcli.dll'\n            - '\\vdsutil.dll'\n            - '\\version.dll'\n            - '\\virtdisk.dll'\n            - '\\vssapi.dll'\n            - '\\vsstrace.dll'\n            - '\\wbemprox.dll'\n            - '\\wbemsvc.dll'\n            - '\\wcmapi.dll'\n            - '\\wcnnetsh.dll'\n            - '\\wdi.dll'\n            - '\\wdscore.dll'\n            - '\\webservices.dll'\n            - '\\wecapi.dll'\n            - '\\wer.dll'\n            - '\\wevtapi.dll'\n            - '\\whhelper.dll'\n            - '\\wimgapi.dll'\n            - '\\winbio.dll'\n            - '\\winbrand.dll'\n            - '\\windows.storage.dll'\n            - '\\windows.storage.search.dll'\n            - '\\windows.ui.immersive.dll'\n            - '\\windowscodecs.dll'\n            - '\\windowscodecsext.dll'\n            - '\\windowsudk.shellcommon.dll'\n            - '\\winhttp.dll'\n            - '\\wininet.dll'\n            - '\\winipsec.dll'\n            - '\\winmde.dll'\n            - '\\winmm.dll'\n            - '\\winnsi.dll'\n            - '\\winrnr.dll'\n            - '\\winscard.dll'\n            - '\\winsqlite3.dll'\n            - '\\winsta.dll'\n            - '\\winsync.dll'\n            - '\\wkscli.dll'\n            - '\\wlanapi.dll'\n            - '\\wlancfg.dll'\n            - '\\wldp.dll'\n            - '\\wlidprov.dll'\n            - '\\wmiclnt.dll'\n            - '\\wmidcom.dll'\n            - '\\wmiutils.dll'\n            - '\\wmpdui.dll'\n            - '\\wmsgapi.dll'\n            - '\\wofutil.dll'\n            - '\\wpdshext.dll'\n            - '\\wscapi.dll'\n            - '\\wsdapi.dll'\n            - '\\wshbth.dll'\n            - '\\wshelper.dll'\n            - '\\wsmsvc.dll'\n            - '\\wtsapi32.dll'\n            - '\\wwancfg.dll'\n            - '\\wwapi.dll'\n            - '\\xmllite.dll'\n            - '\\xolehlp.dll'\n            - '\\xpsservices.dll'\n            - '\\xwizards.dll'\n            - '\\xwtpw32.dll'\n            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md\n            - '\\amsi.dll'\n            - '\\appraiser.dll'\n            - '\\COMRES.DLL'\n            - '\\cryptnet.dll'\n            - '\\DispBroker.dll'\n            - '\\dsound.dll'\n            - '\\dxilconv.dll'\n            - '\\FxsCompose.dll'\n            - '\\FXSRESM.DLL'\n            - '\\msdtcVSp1res.dll'\n            - '\\PrintIsolationProxy.dll'\n            - '\\rdpendp.dll'\n            - '\\rpchttp.dll'\n            - '\\storageusage.dll'\n            - '\\utcutil.dll'\n            - '\\WfsR.dll'\n            # The DLLs below exists in \"C:\\Windows\\System32\\DriverStore\\FileRepository\\\" folder. But there is also a copy located in \"C:\\ProgramData\\Package Cache\\XXXXXXX\\Graphics\\\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)\n            - '\\igd10iumd64.dll'\n            - '\\igd12umd64.dll'\n            - '\\igdumdim64.dll'\n            - '\\igdusc64.dll'\n            # Other\n            - '\\TSMSISrv.dll'\n            - '\\TSVIPSrv.dll'\n            - '\\wbemcomn.dll'\n            - '\\WLBSCTRL.dll'\n            - '\\wow64log.dll'\n            - '\\WptsExtensions.dll'\n    filter_main_generic:\n        # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots\n        ImageLoaded|contains:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_main_dot_net:\n        ImageLoaded|startswith: 'C:\\Windows\\Microsoft.NET\\'\n        ImageLoaded|endswith: '\\cscui.dll'\n    filter_main_defender:\n        ImageLoaded|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        ImageLoaded|endswith: '\\version.dll'\n    filter_main_directx:\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_'\n        ImageLoaded|endswith: '\\d3dx9_43.dll'\n    filter_optional_exchange:\n        ImageLoaded|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n        ImageLoaded|endswith: '\\mswb7.dll'\n    filter_optional_arsenal_image_mounter:\n        ImageLoaded|startswith: 'C:\\Program Files\\Arsenal-Image-Mounter-'\n        ImageLoaded|endswith:\n            - '\\mi.dll'\n            - '\\miutils.dl'\n    filter_optional_office_appvpolicy:\n        Image: 'C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe'\n        ImageLoaded: 'C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll'\n    filter_optional_azure:\n        ImageLoaded|startswith: 'C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n    filter_optional_dell:\n        Image|contains:\n            - 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n            - 'C:\\Windows\\System32\\backgroundTaskHost.exe'\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n    filter_optional_dell_wldp:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n        Image|endswith: '\\wldp.dll'\n    filter_optional_checkpoint:\n        Image|startswith:\n            - 'C:\\Program Files\\CheckPoint\\'\n            - 'C:\\Program Files (x86)\\CheckPoint\\'\n        Image|endswith: '\\SmartConsole.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\CheckPoint\\'\n            - 'C:\\Program Files (x86)\\CheckPoint\\'\n        ImageLoaded|endswith: '\\PolicyManager.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLLs mentioned in this rule\nlevel: high\n",
        "summary": "This Sigma Rule detects potential DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). The rule includes a list of specific DLLs to monitor for sideloading and filters to avoid false positives from legitimate applications. It provides references for additional information on DLL sideloading and was authored by Nasreddine Bencherchali.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_mpsvc.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_mpsvc.yml",
        "creation_Date": "2024-08-07T18:03:31.221458",
        "modification_Date": "2024-08-07T18:03:31.221470",
        "lastUpdate_Date": "2024-08-07T18:03:32.418369",
        "sigmaRule": "title: Potential DLL Sideloading Of MpSvc.DLL\nid: 5ba243e5-8165-4cf7-8c69-e1d3669654c1\nstatus: experimental\ndescription: Detects potential DLL sideloading of \"MpSvc.dll\".\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema\ndate: 2024/07/11\ntags:\n    - attack.defense_evasion\n    - attack.t1574.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\MpSvc.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule.\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential DLL sideloading of \"MpSvc.dll\" by monitoring image loading events on Windows systems. It looks for instances where MpSvc.dll is loaded from locations outside of the expected directories related to Windows Defender. False positives may occur with legitimate applications loading their own versions of the DLL.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    "rules/windows/image_load/image_load_side_load_mscorsvc.yml": {
        "filename": "rules/windows/image_load/image_load_side_load_mscorsvc.yml",
        "creation_Date": "2024-08-07T18:03:32.418538",
        "modification_Date": "2024-08-07T18:03:32.418550",
        "lastUpdate_Date": "2024-08-07T18:03:33.677880",
        "sigmaRule": "title: Potential DLL Sideloading Of MsCorSvc.DLL\nid: cdb15e19-c2d0-432a-928e-e49c8c60dcf2\nstatus: experimental\ndescription: Detects potential DLL sideloading of \"mscorsvc.dll\".\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html\nauthor: Wietze Beukema\ndate: 2024/07/11\ntags:\n    - attack.defense_evasion\n    - attack.t1574.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\mscorsvc.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule.\nlevel: medium\n",
        "summary": "This Sigma Rule detects potential DLL sideloading of \"mscorsvc.dll\" on Windows systems by monitoring for image loading events where the image ends with 'mscorsvc.dll' and does not start with specific trusted directories. Legitimate applications loading their own versions of the DLL may result in false positives.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4906 from @fornotes - Update and add new dll sideloading rules"
        ]
    },
    ".github/workflows/sigma-test.yml": {
        "filename": ".github/workflows/sigma-test.yml",
        "creation_Date": "2024-08-07T18:03:33.703707",
        "modification_Date": "2024-08-07T18:03:33.703763",
        "lastUpdate_Date": "2024-08-07T18:03:35.178072",
        "sigmaRule": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions\n\nname: Sigma Rule Tests\n\non:\n  push:\n    branches:\n      - \"*\"\n    paths:\n      - \".github/workflows/sigma-test.yml\"\n      - \"deprecated/**.yml\"\n      - \"rules-compliance/**.yml\"\n      - \"rules-dfir/**.yml\"\n      - \"rules-emerging-threats/**.yml\"\n      - \"rules-placeholder/**.yml\"\n      - \"rules-threat-hunting/**.yml\"\n      - \"rules/**.yml\"\n      - \"tests/test_logsource.py\"\n      - \"tests/test_rules.py\"\n      - \"unsupported/**.yml\"\n  pull_request:\n    branches:\n      - master\n    paths:\n      - \".github/workflows/sigma-test.yml\"\n      - \"deprecated/**.yml\"\n      - \"rules-compliance/**.yml\"\n      - \"rules-dfir/**.yml\"\n      - \"rules-emerging-threats/**.yml\"\n      - \"rules-placeholder/**.yml\"\n      - \"rules-threat-hunting/**.yml\"\n      - \"rules/**.yml\"\n      - \"tests/test_logsource.py\"\n      - \"tests/test_rules.py\"\n      - \"unsupported/**.yml\"\n\n  # Allows you to run this workflow manually from the Actions tab\n  workflow_dispatch:\n\njobs:\n  yamllint:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: yaml-lint\n      uses: ibiqlik/action-yamllint@v3\n\n  test-sigma-logsource:\n    runs-on: ubuntu-latest\n    needs: yamllint\n    steps:\n    - uses: actions/checkout@v4\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v5\n      with:\n        python-version: 3.11\n    - name: Test Sigma logsource\n      run: |\n        pip install PyYAML colorama\n        python tests/test_logsource.py\n\n  test-sigma:\n    runs-on: ubuntu-latest\n    needs: test-sigma-logsource\n    steps:\n    - uses: actions/checkout@v4\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v5\n      with:\n        python-version: 3.11\n    - name: Install dependencies\n      run: |\n        # pip install sigma-cli~=0.7.1\n        pip install sigma-cli\n        pip install pySigma-validators-sigmahq==0.7.0\n    - name: Test Sigma Rule Syntax\n      run: |\n        sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*\n    - name: Test Sigma Rules\n      run: |\n        pip install PyYAML colorama\n        python tests/test_rules.py\n",
        "summary": "The Sigma Rule Tests workflow installs Python dependencies, runs tests, and performs linting for Sigma rules using a single version of Python (3.11). It is triggered on pushes to specified branches and paths, as well as on pull requests to the master branch. The workflow can also be manually triggered from the Actions tab. The workflow includes steps for linting YAML files, testing Sigma logsource, installing dependencies, checking Sigma rule syntax, and testing Sigma rules.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`"
        ]
    },
    "rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml": {
        "filename": "rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml",
        "creation_Date": "2024-08-07T18:03:35.178264",
        "modification_Date": "2024-08-07T18:03:35.178279",
        "lastUpdate_Date": "2024-08-07T18:03:36.336583",
        "sigmaRule": "title: Kapeka Backdoor Autorun Persistence\nid: c0c67b21-eb8a-4c84-a395-40473ec3b482\nrelated:\n    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819\n      type: similar\nstatus: experimental\ndescription: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024/07/03\ntags:\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'\n        TargetObject|endswith:\n            - '\\Sens Api'\n            - '\\OneDrive'\n        Details|contains|all:\n            - ':\\WINDOWS\\system32\\rundll32.exe'\n            - '.wll'\n            - '#1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. The rule looks for specific patterns in the registry related to Autorun, Windows system files, and specific strings to identify potential malicious activity. The rule is currently experimental and has a high level of detection.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`"
        ]
    },
    "rules/windows/process_creation/proc_creation_win_node_abuse.yml": {
        "filename": "rules/windows/process_creation/proc_creation_win_node_abuse.yml",
        "creation_Date": "2024-08-07T18:03:36.336839",
        "modification_Date": "2024-08-07T18:03:36.336876",
        "lastUpdate_Date": "2024-08-07T18:03:37.665895",
        "sigmaRule": "title: Potential Arbitrary Code Execution Via Node.EXE\nid: 6640f31c-01ad-49b5-beb5-83498a5cd8bd\nstatus: test\ndescription: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return\n    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/\n    - https://nodejs.org/api/cli.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/09/09\nmodified: 2023/02/03\ntags:\n    - attack.defense_evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main:\n        Image|endswith: '\\node.exe'\n        CommandLine|contains:\n            - ' -e '\n            - ' --eval '\n    # Add more pattern of abuse as actions\n    selection_action_reverse_shell:\n        CommandLine|contains|all:\n            - '.exec('\n            - 'net.socket'\n            - '.connect'\n            - 'child_process'\n    condition: selection_main and 1 of selection_action_*\nfalsepositives:\n    - Unlikely\nlevel: high\n",
        "summary": "This Sigma Rule detects the potential arbitrary code execution via node.exe, which is commonly shipped with software like VMware and Adobe. The rule looks for the execution of node.exe with specific command line parameters that indicate the execution of arbitrary code, such as establishing a reverse shell. The rule includes specific patterns of abuse related to the execution of arbitrary code. The false positive rate is considered unlikely, and the severity level is rated as high.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`"
        ]
    },
    "tests/sigma_cli_conf.yml": {
        "filename": "tests/sigma_cli_conf.yml",
        "creation_Date": "2024-08-07T18:03:37.665972",
        "modification_Date": "2024-08-07T18:03:41.074396",
        "lastUpdate_Date": "2024-08-07T18:03:41.074410",
        "sigmaRule": "validators:\n    - all\n    - -tlptag\n    - -tlpv1_tag\n    - -sigmahq_logsource_known\n    - -sigmahq_fieldname_cast\n    - -sigmahq_filename_prefix\n    - -sigmahq_categorie_eventid\n    - -sigmahq_ofselection_condition\nexclusions:\n    # escaped_wildcard\n    021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard\n    1114e048-b69c-4f41-bc20-657245ae6e3f: escaped_wildcard\n    204b17ae-4007-471b-917b-b917b315c5db: escaped_wildcard\n    214e8f95-100a-4e04-bb31-ef6cba8ce07e: escaped_wildcard\n    220457c1-1c9f-4c2e-afe6-9598926222c1: escaped_wildcard\n    252902e3-5830-4cf6-bf21-c22083dfd5cf: escaped_wildcard\n    2d3cdeec-c0db-45b4-aa86-082f7eb75701: escaped_wildcard\n    304810ed-8853-437f-9e36-c4975c3dfd7e: escaped_wildcard\n    31d68132-4038-47c7-8f8e-635a39a7c174: escaped_wildcard\n    32d56ea1-417f-44ff-822b-882873f5f43b: escaped_wildcard\n    4281cb20-2994-4580-aa63-c8b86d019934: escaped_wildcard\n    434c08ba-8406-4d15-8b24-782cb071a691: escaped_wildcard\n    435e10e4-992a-4281-96f3-38b11106adde: escaped_wildcard\n    52d8b0c6-53d6-439a-9e41-52ad442ad9ad: escaped_wildcard\n    586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3: escaped_wildcard\n    7857f021-007f-4928-8b2c-7aedbe64bb82: escaped_wildcard\n    7dc2dedd-7603-461a-bc13-15803d132355: escaped_wildcard\n    8fe1c584-ee61-444b-be21-e9054b229694: escaped_wildcard\n    904e8e61-8edf-4350-b59c-b905fc8e810c: escaped_wildcard\n    9637e8a5-7131-4f7f-bdc7-2b05d8670c43: escaped_wildcard\n    a36ce77e-30db-4ea0-8795-644d7af5dfb4: escaped_wildcard\n    a4824fca-976f-4964-b334-0621379e84c4: escaped_wildcard\n    a8f29a7b-b137-4446-80a0-b804272f3da2: escaped_wildcard\n    afe52666-401e-4a02-b4ff-5d128990b8cb: escaped_wildcard\n    c2993223-6da8-4b1a-88ee-668b8bf315e9: escaped_wildcard\n    c37510b8-2107-4b78-aa32-72f251e7a844: escaped_wildcard\n    c462f537-a1e3-41a6-b5fc-b2c2cef9bf82: escaped_wildcard\n    c73124a7-3e89-44a3-bdc1-25fe4df754b1: escaped_wildcard\n    f3f21ce1-cdef-4bfc-8328-ed2e826f5fac: escaped_wildcard\n    d84c0ded-edd7-4123-80ed-348bb3ccc4d5: escaped_wildcard\n    db885529-903f-4c5d-9864-28fe199e6370: escaped_wildcard\n    dd218fb6-4d02-42dc-85f0-a0a376072efd: escaped_wildcard\n    dde85b37-40cd-4a94-b00c-0b8794f956b5: escaped_wildcard\n    e06ac91d-b9e6-443d-8e5b-af749e7aa6b6: escaped_wildcard\n    f57f8d16-1f39-4dcb-a604-6c73d9b54b3d: escaped_wildcard\n    f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard\n    fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard\n    59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard\n    2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard\n    7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard\n    # number_as_string\n    5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string\n    85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string\n    # specific_instead_of_generic_logsource\n    693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource\n    23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource\n    8ac03a65-6c84-4116-acad-dc1558ff7a77: specific_instead_of_generic_logsource\n    c3e5c1b1-45e9-4632-b242-27939c170239: specific_instead_of_generic_logsource\n",
        "summary": "The Sigma Rule includes validators that need to be applied to the data, such as -tlptag, -tlpv1_tag, and others. It also includes exclusions for specific UUIDs, such as escaped_wildcard, number_as_string, and specific_instead_of_generic_logsource.",
        "modification_count": 3,
        "comment_history": [
            "Merge PR #4910 from @dr0pd34d - Add `Microsoft Word Add-In Loaded`",
            "Merge PR #4912 from @nasbench - update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`",
            "Merge PR #4911 from @nas_bench - Update `sigma_cli_conf.yml`"
        ]
    },
    "rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml": {
        "filename": "rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml",
        "creation_Date": "2024-08-07T18:03:38.999395",
        "modification_Date": "2024-08-07T18:03:38.999497",
        "lastUpdate_Date": "2024-08-07T18:03:40.081837",
        "sigmaRule": "title: Microsoft Word Add-In Loaded\nid: 1337afba-d17d-4d23-bd55-29b927603b30\nstatus: experimental\ndescription: |\n    Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.\nreferences:\n    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\n    - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file\nauthor: Steffen Rogge (dr0pd34d)\ndate: 2024/07/10\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - detection.threat_hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\winword.exe'\n        ImageLoaded|endswith: '.wll'\n    condition: selection\nfalsepositives:\n    - The rules is only looking for \".wll\" loads. So some false positives are expected with legitimate and allowed WLLs.\nlevel: low\n",
        "summary": "This Sigma Rule detects when Microsoft Word loads a .wll Add-In file, which could be used by threat actors for initial access or persistence. The rule specifies criteria for detecting this activity in the image_load category on Windows systems. False positives may occur with legitimate .wll files that are allowed.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4910 from @dr0pd34d - Add `Microsoft Word Add-In Loaded`"
        ]
    },
    "rules/cloud/aws/cloudtrail/aws_enum_buckets.yml": {
        "filename": "rules/cloud/aws/cloudtrail/aws_enum_buckets.yml",
        "creation_Date": "2024-08-07T18:03:40.124234",
        "modification_Date": "2024-08-07T18:03:40.124345",
        "lastUpdate_Date": "2024-08-07T18:03:41.031334",
        "sigmaRule": "title: Potential Bucket Enumeration on AWS\nid: f305fd62-beca-47da-ad95-7690a0620084\nrelated:\n    - id: 4723218f-2048-41f6-bcb0-417f2d784f61\n      type: similar\nstatus: test\ndescription: Looks for potential enumeration of AWS buckets via ListBuckets.\nreferences:\n    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md\n    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html\n    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/\nauthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io\ndate: 2023/01/06\nmodified: 2024/07/10\ntags:\n    - attack.discovery\n    - attack.t1580\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 's3.amazonaws.com'\n        eventName: 'ListBuckets'\n    filter:\n        userIdentity.type: 'AssumedRole'\n    condition: selection and not filter\nfalsepositives:\n    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.\nlevel: low\n",
        "summary": "This Sigma Rule detects potential enumeration of AWS buckets on AWS by looking for the use of ListBuckets API. It filters out false positives by excluding Administrators who commonly list buckets. The rule is of low severity and was authored by Christopher Peacock and SCYTHE.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4905 from @kelnage - Fix error in field name"
        ]
    },
    "rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml": {
        "filename": "rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml",
        "creation_Date": "2024-08-07T18:03:41.096570",
        "modification_Date": "2024-08-07T18:03:41.096639",
        "lastUpdate_Date": "2024-08-07T18:03:42.136100",
        "sigmaRule": "title: Suspicious SignIns From A Non Registered Device\nid: 572b12d4-9062-11ed-a1eb-0242ac120002\nstatus: test\ndescription: Detects risky authentication from a non AD registered device without MFA being required.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in\nauthor: Harjot Singh, '@cyb3rjy0t'\ndate: 2023/01/10\ntags:\n    - attack.defense_evasion\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n        AuthenticationRequirement: 'singleFactorAuthentication'\n        DeviceDetail.trusttype: ''\n        RiskState: 'atRisk'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n",
        "summary": "This Sigma Rule detects suspicious sign-ins from a non-registered device without multi-factor authentication (MFA) being required in Azure. It looks for successful sign-ins with single-factor authentication from devices that are not AD registered and are considered at risk. The rule was authored by Harjot Singh and has a high level of severity.",
        "modification_count": 1,
        "comment_history": [
            "Merge PR #4904 from @cygnetix - Fix typo in `Suspicious SignIns From A Non Registered Device`"
        ]
    }
}