local_rules.xml


<group name="sysmon,MITRE,">
	
 <rule id="255000" level="6">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.sourceImage">\\powershell.exe||\\.ps1||\\.ps2</field>
 <description>Sysmon - Event 1: Powershell exe: $(win.eventdata.sourceImage)</description>
 <group>sysmon_event1,powershell_execution,</group>
 </rule>

 <rule id="255001" level="6">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.sourceImage">\\cmd.exe</field>
 <description>Sysmon - Event 2: CMD exe: $(win.eventdata.sourceImage)</description>
 <group>sysmon_event1,cmd_execution,</group>
 </rule>

 <rule id="255002" level="7">
 <if_sid>185001</if_sid>
 <match>Network connection detected</match>
 <regex>powershell.exe</regex>
 <description>Powershell Network Connection</description>
 <group>sysmon_event3,network,</group>
 </rule>

 <rule id="255003" level="12">
 <if_sid>255000</if_sid>
 <regex>.doc</regex>
 <description>Powershell Spawned from Office Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255004" level="12">
 <if_sid>255000</if_sid>
 <regex>.xls</regex>
 <description>Powershell Spawned from Excel Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255005" level="12">
 <if_sid>255001</if_sid>
 <regex>WINWORD.EXE</regex>
 <description>Command Line process spawned from Mircosoft Word Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255006" level="12">
 <if_sid>255001</if_sid>
 <regex>EXCEL.EXE</regex>
 <description>Command Line process spawned from Mircosoft Excel Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255007" level="10">
 <if_group>sysmon_event1</if_group>
 <match>mshta.exe</match>
 <regex>http</regex>
 <description>Possible Malicious HTA file executed</description>
 <group>MITRE,attack.t1170,</group>
 </rule>

 <rule id="255008" level="12">
 <if_sid>255001</if_sid>
 <regex>POWERPNT.exe</regex>
 <description>Command Line process spawned from Mircosoft Powerpoint Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255009" level="12">
 <if_sid>255001</if_sid>
 <regex>OUTLOOK.EXE</regex>
 <description>Command Line process spawned from Mircosoft Outlook</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule> 

 <rule id="255010" level="12">
 <if_sid>255001</if_sid>
 <regex>VISIO.exe</regex>
 <description>Command Line process spawned from Mircosoft Visio Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule> 

 <rule id="255011" level="12">
 <if_sid>255001</if_sid>
 <regex>MSPUB.exe</regex>
 <description>Command Line process spawned from Mircosoft Publisher Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule> 

 <rule id="255012" level="12">
 <if_sid>255000</if_sid>
 <regex>POWERPNT.exe</regex>
 <description>Powershell Spawned from Powerpoint Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255013" level="12">
 <if_sid>255000</if_sid>
 <regex>OUTLOOK.EXE</regex>
 <description>Powershell Spawned from Microsoft Outlook</description>
 <group>MITRE,attack.t1059,attack.t1202</group>
 </rule>

 <rule id="255014" level="12">
 <if_sid>255000</if_sid>
 <regex>MSPUB.exe</regex>
 <description>Powershell Spawned from Microsoft Publisher</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255015" level="12">
 <if_sid>255000</if_sid>
 <regex>VISIO.exe</regex>
 <description>Powershell Spawned from Microsoft Visio</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255016" level="12">
 <if_sid>255001</if_sid>
 <match>regsvr32</match>
 <regex>http</regex>
 <description>MITRE ATT&CK T1117 - Regsvr32 https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md</description>
 <group>MITRE,attack.t1117,</group>
 </rule>

 <rule id="255017" level="12">
 <if_sid>255001</if_sid>
 <match>cscript.exe</match>
 <regex>http</regex>
 <description>MITRE ATT&CK T1216 - Signed Script Proxy Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md</description>
 <group>MITRE,attack.t1216,</group>
 </rule>

 <rule id="255018" level="8">
 <if_sid>255001</if_sid>
 <match>sc.exe</match>
 <regex>create|start|delete</regex>
 <description>New Service Created with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md</description>
 <group>MITRE,attack.t1035,</group>
 </rule>

 <rule id="255019" level="8">
 <if_sid>255000</if_sid>
 <match>sc.exe</match>
 <regex>create|start|delete</regex>
 <description>New Service Created with sc.exe : MITRE ATT&CK T1035 - Service Execution https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.md</description>
 <group>MITRE,attack.t1035,</group>
 </rule>

</group>


<group name="sysmon-modular,">

 <rule id="255500" level="5">
 <if_group>sysmon_event8</if_group>
 <match>technique_name=Process Injection</match>
 <description>MITRE T1055 Process Injection: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1055,</group>
 </rule>

 <rule id="255501" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Masquerading</match>
 <description>MITRE T1036 Masquerading: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1036,</group>
 </rule>

 <rule id="255502" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Credential Dumping</match>
 <description>MITRE T1003 Credential Dumping: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1003,</group>
 </rule>

 <rule id="255503" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Winlogon Helper DLL</match>
 <description>MITRE T1004 Winlogon Helper DLL: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1004,</group>
 </rule>

 <rule id="255504" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Data from Local System</match>
 <description>MITRE T1005 Data from Local System: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1005,</group>
 </rule>

 <rule id="255505" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=System Service Discovery</match>
 <description>MITRE T1007 System Service Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1007,</group>
 </rule>

 <rule id="255506" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Query Registry</match>
 <description>MITRE T1012 Query registry: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1012,</group>
 </rule>

 <rule id="255507" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Forced Authentication</match>
 <description>MITRE T1013 Forced Authentication: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1013,</group>
 </rule>

 <rule id="255508" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Accessibility Features</match>
 <description>MITRE T1015 Accessibility Features: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1015,</group>
 </rule>

 <rule id="255509" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=System Network Configuration Discovery</match>
 <description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1016,</group>
 </rule>

 <rule id="255510" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Remote System Discovery</match>
 <description>MITRE T1018 Remote Systen Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1018,</group>
 </rule>

 <rule id="255511" level="5">
 <if_group>sysmon_event2</if_group>
 <match>technique_name=Remote Services</match>
 <description>MITRE T1021 Remote Services : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1021,</group>
 </rule>

 <rule id="255512" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Obfuscated Files or Information</match>
 <description>MITRE T1027 Obfuscated Files or Information : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1027,</group>
 </rule>

 <rule id="255513" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Windows Remote Management</match>
 <description>MITRE T1028 Windows Remote Management: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1028,</group>
 </rule>

 <rule id="255514" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Modify Existing Service</match>
 <description>MITRE T1031 Modify Existing Service : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1031,</group>
 </rule>

 <rule id="255515" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=System Owner/User Discovery</match>
 <description>MITRE T1033 System Owner/User Discovery : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1033,</group>
 </rule>

 <rule id="255516" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Service Execution</match>
 <description>MITRE T1035 Service Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1035,</group>
 </rule>

 <rule id="255517" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Logon Scripts</match>
 <description>MITRE T1037 Logon Scripts: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1037,</group>
 </rule>

 <rule id="255518" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Change Default File Association</match>
 <description>MITRE T1042 Change Default File Association: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1042,</group>
 </rule>

 <rule id="255519" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Windows Management Instrumentation</match>
 <description>MITRE T1047 Windows Management Instrumentation : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1047,</group>
 </rule>

 <rule id="255520" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=System Network Connections Discovery</match>
 <description>MITRE T1049 System Network Connections Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1049,</group>
 </rule>

 <rule id="255521" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Scheduled Task</match>
 <description>MITRE T1053 Scheduled Task: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1053,</group>
 </rule>

 <rule id="255522" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Indicator Blocking</match>
 <description>MITRE T1054 Indicator Blocking : $(win.eventdata.image)</description>
 <group>MITRE,attack.t1054,</group>
 </rule>

 <rule id="255523" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Process Discovery</match>
 <description>MITRE T1057 Process Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1057,</group>
 </rule>

 <rule id="255524" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Command-Line Interface</match>
 <description>MITRE T1059 Command-Line Interface: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1059,</group>
 </rule>

 <rule id="255525" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Registry Run Keys / Start Folder</match>
 <description>MITRE T1060 Registry Run Keys / Start Folder: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1060,</group>
 </rule>

 <rule id="255526" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Security Software Discovery</match>
 <description>MITRE T1063 Security Software Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1063,</group>
 </rule>

 <rule id="255527" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Permission Groups Discovery</match>
 <description>MITRE T1069 Permission Groups Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1069,</group>
 </rule>

 <rule id="255528" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Indicator Removal on Host</match>
 <description>MITRE T1070 Indicator Removal on Host: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1070,</group>
 </rule>

 <rule id="255529" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=File and Directory Discovery</match>
 <description>MITRE T1083 File and Directory Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1083,</group>
 </rule>

 <rule id="255530" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Rundll32</match>
 <description>MITRE T1085 Rundll32: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1085,</group>
 </rule>

 <rule id="255531" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=PowerShell</match>
 <description>MITRE T1086 Powershell: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1086,</group>
 </rule>

 <rule id="255532" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Bypass User Account Control</match>
 <description>MITRE T1088 Bypass User Account Control: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1088,</group>
 </rule>

 <rule id="255533" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Disabling Security Tools</match>
 <description>MITRE T1089 Disabling Security Tools: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1089,</group>
 </rule>

 <rule id="255534" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Account Manipulation</match>
 <description>MITRE T1098 =Account Manipulation: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1098,</group>
 </rule>

 <rule id="255535" level="5">
 <if_group>sysmon_event2</if_group>
 <match>technique_name=Timestomp</match>
 <description>MITRE T1099 Timestomp: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1099,</group>
 </rule>

 <rule id="255536" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Security Support Provider</match>
 <description>MITRE T1101 Security Support Provider: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1101,</group>
 </rule>

 <rule id="255537" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Appinit DLLs</match>
 <description>MITRE T1103 Appinit DLLs: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1103,</group>
 </rule>

 <rule id="255538" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Remote File Copy</match>
 <description>MITRE T1105 Remote File Copy: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1105,</group>
 </rule>

 <rule id="255539" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Modify Registry</match>
 <description>MITRE T1112 Modify Registry: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1112,</group>
 </rule>

 <rule id="255540" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Regsvr32</match>
 <description>MITRE T1117 Regsvr32: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1117,</group>
 </rule>

 <rule id="255541" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=InstallUtil</match>
 <description>MITRE T1118 InstallUtil: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1118,</group>
 </rule>

 <rule id="255542" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Regsvcs/Regasm</match>
 <description>MITRE T1121 Regsvcs/Regasm: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1121,</group>
 </rule>

 <rule id="255543" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Component Object Model Hijacking</match>
 <description>MITRE T1122 Component Object Model Hijacking: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1122,</group>
 </rule>

 <rule id="255544" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Trusted Developer Utilities</match>
 <description>MITRE T1127 Trusted Developer Utilities: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1127,</group>
 </rule>

 <rule id="255545" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Netsh Helper DLL</match>
 <description>MITRE T1128 Netsh Helper DLL: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1128,</group>
 </rule>

 <rule id="255546" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Install Root Certificate</match>
 <description>MITRE T1130 Install Root Certificate: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1130,</group>
 </rule>

 <rule id="255547" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Authentication Package</match>
 <description>MITRE T1131 Authentication Package: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1131,</group>
 </rule>

 <rule id="255548" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Access Token Manipulation</match>
 <description>MITRE T1134 Access Token Manipulation: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1134,</group>
 </rule>

 <rule id="255549" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Application Shimming</match>
 <description>MITRE T1138 Application Shimming: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1138,</group>
 </rule>

 <rule id="255550" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Hidden Files and  Files Directories</match>
 <description>MITRE T1158 Hidden Files and Directories: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1158,</group>
 </rule>

 <rule id="255551" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Mshta</match>
 <description>MITRE T1170 Mshta: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1170,</group>
 </rule>

 <rule id="255552" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=AppCert DLLs</match>
 <description>MITRE T1182: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1182,</group>
 </rule>

 <rule id="255553" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Image File Execution Options Injection</match>
 <description>MITRE T1183 Image File Execution Options Injection: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1183,</group>
 </rule>

 <rule id="255554" level="5">
 <if_group>sysmon_event_11</if_group>
 <match>technique_name=Forced Authentication</match>
 <description>MITRE T1187 Forced Authentication: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1187,</group>
 </rule>

 <rule id="255555" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=CMSTP</match>
 <description>MITRE T1191 CMSTP: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1191,</group>
 </rule>

 <rule id="255556" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Control Panel Items</match>
 <description>MITRE T1196: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1196,</group>
 </rule>

 <rule id="255557" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=BITS Jobs</match>
 <description>MITRE T1197 BITS Jobs: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1197,</group>
 </rule>

 <rule id="255558" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=SIP and Trust Provider Hijacking</match>
 <description>MITRE T1198 SIP and Trust Provider Hijacking: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1198,</group>
 </rule>

 <rule id="255559" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Indirect Command Execution</match>
 <description>MITRE T1202 Indirect Command Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1202,</group>
 </rule>

 <rule id="255560" level="5">
 <if_group>sysmon_event_12</if_group>
 <match>technique_name=Time Providers</match>
 <description>MITRE T1209 Time Providers: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1209,</group>
 </rule>

 <rule id="255561" level="5">
 <if_group>sysmon</if_group>
 <match>technique_name=Regsvr32</match>
 <description>MITRE T1218 Regsvr32: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1218,</group>
 </rule>

 <rule id="255562" level="5">
 <if_group>sysmon_event1</if_group>
 <match>technique_name=Signed Binary Proxy Execution</match>
 <description>MITRE T1218 Signed Binary Proxy Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1218,</group>
 </rule>

 <rule id="255563" level="10">
 <if_group>sysmon</if_group>
 <match>technique_name=Signed Binary Proxy Execution</match>
 <description>MITRE T1218 Signed Script Proxy Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1218,</group>
 </rule>

 <rule id="255564" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Masquerading</match>
 <description>MITRE T1036 Masquerading: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1036,</group>
 </rule>

 <rule id="255565" level="5">
 <if_group>sysmon</if_group>
 <match>technique_name=System Network Configuration Discovery</match>
 <description>MITRE T1016 System Network Configuration Discovery: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1016,</group>
 </rule>

 <rule id="255566" level="5">
 <if_group>sysmon</if_group>
 <match>technique_name=Windows Remote Management</match>
 <description>MITRE T1028 Windows Remote Management: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1028,</group>
 </rule>

 <rule id="255567" level="5">
 <if_group>sysmon</if_group>
 <match>technique_name=Service Execution</match>
 <description>MITRE T1035 Service Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1035,</group>
 </rule>

 <rule id="255568" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Regsvr32</match>
 <description>MITRE T1218 Regsvr32: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1218,</group>
 </rule>

 <rule id="255569" level="6">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Commonly Used Port</match>
 <description>MITRE T043 Commonly Used Port: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1043,</group>
 </rule>

 <rule id="255570" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=PowerShell</match>
 <description>MITRE T1086 Powershell Network Connection: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1086,</group>
 </rule>

 <rule id="255571" level="5">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=Indirect Command Execution</match>
 <description>MITRE T1202 Indirect Command Execution Network Activity: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1202,</group>
 </rule>

 <rule id="255572" level="5">
 <if_group>sysmon_event_13</if_group>
 <match>technique_name=Registry Run</match>
 <description>MITRE T1060 Run Key Persistence: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1060,</group>
 </rule>

 <rule id="255573" level="6">
 <if_group>sysmon_event3</if_group>
 <match>technique_name=UnCommonly Used Port</match>
 <description>MITRE T1065 Commonly Used Port: $(win.eventdata.image)</description>
 <group>MITRE,attack.t1065,</group>
 </rule>

 <rule id="255574" level="6">
 <if_group>sysmon_event7</if_group>
 <match>technique_name=User Execution</match>
 <description>MITRE T1204 User Execution: $(win.eventdata.image)</description>
 <group>MITRE,attack.t204,</group>
 </rule>

</group>

<group name="credential_access,MITRE,">

 <rule id="255103" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\findstr.exe</field>
 <regex>cpassword</regex>
 <description>Finding Passwords in SYSVOL & Exploiting Group Policy Preferences : MITRE ATT&CK T1081 - https://adsecurity.org/?p=2288</description>
 <group>MITRE,attack.t1081,</group>
 </rule>

 <rule id="255104" level="10">
 <if_sid>255547</if_sid>
 <regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LMCompatibilityLevel</regex>
 <description>ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
 <group>MITRE,attack.t1075</group>
 </rule>

 <rule id="255105" level="10">
 <if_sid>255547</if_sid>
 <regex>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic</regex>
 <description>ATT&CK T1075: Edit to registry key potentially downgrading NTLM authentication, potential Internal Monologue attack https://github.com/eladshamir/Internal-Monologue</description>
 <group>MITRE,attack.t1075</group>
 </rule>

 <rule id="255106" level="10">
 <if_group>sysmon_event_11</if_group>
 <regex>\\Temp\\debug.bin</regex>
 <description>Detects possible SafetyKatz Behaviour</description>
 <group>MITRE,attack.t1003,sigma</group>
 </rule>

 <rule id="255107" level="12">
 <if_group>sysmon_event_10</if_group>
 <match>lsass.exe</match>
 <regex>dbgcore</regex>
 <description>ATT&CK T1003: dbgcore.DLL potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255108" level="12">
 <if_group>sysmon_event_13</if_group>
 <field name="win.eventdata.targetObject">\\WDigest\\UseLogonCredential</field>
 <description>ATT&CK T1003: Detects possible Mimikatz Activity, registry edit for WDigest plain text credentials</description>
 <group>MITRE,attack.t1003,</group>
 </rule>

 <rule id="255109" level="0">
 <if_sid>255107</if_sid>
 <field name="win.eventdata.image">\\MsMpEng.exe|\\ossec-agent.exe|\\wininit.exe|\\csrss.exe</field>
 <description>Whitelist Interaction with LSASS</description>
 <group>MITRE,attack.t1003,</group>
 </rule>

 <rule id="255110" level="12">
 <if_group>windows_application</if_group>
 <regex>grabber_temp</regex>
 <description>Microsoft Internet Explorer Passwords dumped, TTP indicative of Trickbot infection</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255111" level="12">
 <if_sid>255531</if_sid>
 <match>comsvcs.dll</match>
 <regex>MiniDump|#24</regex>
 <description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255112" level="12">
 <if_sid>255524</if_sid>
 <match>comsvcs.dll</match>
 <regex>MiniDump|#24</regex>
 <description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255113" level="12">
 <if_sid>255524</if_sid>
 <match>comsvcs.dll</match>
 <regex>MiniDump|#24</regex>
 <description>Comsvcs.dll potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255114" level="12">
 <if_group>sysmon_event1</if_group>
 <match>mimikatz</match>
 <description>Mimikatz potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255115" level="12">
 <if_group>sysmon_event1</if_group>
 <match>procdump</match>
 <regex>lsass</regex>
 <description>Procdump potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

 <rule id="255116" level="12">
 <if_group>sysmon_event_10</if_group>
 <match>lsass.exe</match>
 <regex>dbgcore</regex>
 <description>dbgcore.DLL potentially used to dump credentials from LSASS</description>
 <group>MITRE,attack.t1003</group>
 </rule>

</group>

<group name="windows,sysmon,">

  <rule id="254000" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^16$</field>
    <description>Sysmon - Event 16: ServiceConfigurationChange by $(win.eventdata.image)</description>
    <group>sysmon_event_16,</group>
  </rule>

  <rule id="254001" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^17$</field>
    <description>Sysmon - Event 17: PipeEvent (Pipe Created) by $(win.eventdata.image)</description>
    <group>sysmon_event_17,</group>
  </rule>

  <rule id="254002" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^18$</field>
    <description>Sysmon - Event 18: PipeEvent (Pipe Connected) by $(win.eventdata.image)</description>
    <group>sysmon_event_18,</group>
  </rule>

  <rule id="254003" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^19$</field>
    <description>Sysmon - Event 19:  WmiEvent (WmiEventFilter activity detected) by $(win.eventdata.image)</description>
    <group>sysmon_event_19,</group>
  </rule>

  <rule id="254004" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^20$</field>
    <description>Sysmon - Event 20:  WmiEvent (WmiEventConsumer activity detected) by $(win.eventdata.image)</description>
    <group>sysmon_event_20,</group>
  </rule>

  <rule id="254005" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^21$</field>
    <description>Sysmon - Event 21: WmiEvent (WmiEventConsumerToFilter activity detected) by $(win.eventdata.image)</description>
    <group>sysmon_event_21,</group>
  </rule>

  <rule id="254006" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNSEvent (DNS query) by $(win.eventdata.image)</description>
    <group>sysmon_event_22,</group>
  </rule>

  <rule id="254007" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^23$</field>
    <description>Sysmon - Event 23: FileDelete (A file delete was detected) by $(win.eventdata.image)</description>
    <group>sysmon_event_23,</group>
  </rule>

  <rule id="254008" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^24$</field>
    <description>Sysmon - Event 24: ClipboardChange (New content in the clipboard) by $(win.eventdata.image)</description>
    <group>sysmon_event_24,</group>
  </rule>

  <rule id="254009" level="3">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^25$</field>
    <description>Sysmon - Event 25: ProcessTampering (Process image change) by $(win.eventdata.image)</description>
    <group>sysmon_event_25,</group>
  </rule>
</group>

<group name="WMI,">

 <rule id="255200" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>process call create</regex>
 <description>Using WMIC for process creation: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255201" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>/namespace:\\root\securitycenter2 path antivirusproduct</regex>
 <description>Using WMIC for Antivirus Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule> 

 <rule id="255202" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>/NAMESPACE:\\\\root\\directory\\ldap PATH ds_user</regex>
 <description>Using WMIC for Domain User Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255203" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>/NAMESPACE:\\\\root\\directory\\ldap PATH ds_group</regex>
 <description>Using WMIC for Domain Group Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255204" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>USERACCOUNT</regex>
 <description>Using WMIC for Local Account Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255205" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>NTDOMAIN</regex>
 <description>Using WMIC for Domain Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255206" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WMIC.exe</field>
 <regex>gfe list brief</regex>
 <description>Using WMIC for Host Patch Level Enumeration: https://attack.mitre.org/techniques/T1047/</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255207" level="8">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\scrcons.exe</field>
 <description>WMI persistence Script Event Consumer File Write : https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ </description>
 <group>MITRE,attack.t1084</group>
 </rule>

 <rule id="255208" level="10">
 <if_sid>255000</if_sid>
 <field name="win.eventdata.parentImage">\\WmiPrvSE.exe</field>
 <description>WmiPrvSE event spawning powershell</description>
 <group>MITRE,attack.t1047</group>
 </rule>

 <rule id="255209" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\WmiPrvSE.exe</field>
 <regex>cmd.exe</regex>
 <match>127.0.0.1</match>
 <description>Red Team WMI technique matching Impacket wmiexec.py tooling</description>
 <group>MITRE,attack.t1047</group>
 </rule>

</group>
<group name="Defense Evasion,Windows Defender">

 <rule id="255300" level="10">
 <if_group>windows</if_group>
 <regex>Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled</regex>
 <description>Windows Defender: Realtime Detection Disabled: https://attack.mitre.org/techniques/T1089/</description>
 <group>gdpr_IV_35.7.d,MITRE,attack.t1089,defender</group>
 </rule>

 <rule id="255301" level="12">
 <if_group>windows</if_group>
 <id>3002</id>
 <description>Windows Defender: Antivirus Rules Missing: https://attack.mitre.org/techniques/T1089/</description>
 <group>MITRE,attack.t1089,defender</group>
 </rule>
 
 <!-- Defender eventid alerting https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus -->
	<rule id="255302" level="12">
		<if_sid>255531</if_sid>
		<field name="win.eventdata.commandline">DisableRealtimeMonitoring $true</field>
		<description>Defender Realtime Monitoring Disabled</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255303" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5001$</field>
		<description>Windows Defender Real-time Protection was disabled.</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255304" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^1006$|^1116$</field>
		<description>Windows Defender found malware or other potentially unwanted software. </description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255305" level="11">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^1008$</field>
		<description>Windows Defender found malware and failed to clean it. </description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255306" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^1015$</field>
		<description>Windows Defender detected suspicious behavior. </description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255307" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5010$</field>
		<description> Scanning for malware and other potentially unwanted software is disabled.</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255308" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5012$</field>
		<description> Scanning for viruses is disabled. </description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255309" level="12">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5007$</field>
		<field name="win.eventdata.new Value">DisableBlockAtFirstSeen = 0x1</field>
		<description>Windows Defender Block At First Seen disabled</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255310" level="10">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5007$</field>
		<field name="win.eventdata.new Value">DisableBehaviorMonitoring</field>
		<description> Windows Defender Behavior Monitoring Was Configured</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255311" level="10">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5007$</field>
		<field name="win.eventdata.new Value">DisableRealtimeMonitoring</field>
		<description> Windows Defender Realtime Monitoring Was Configured</description>
		<group>defender,attack.t1089</group>
	</rule>
	<rule id="255312" level="10">
		<if_sid>62100</if_sid>
		<field name="win.system.eventID">^5007$</field>
		<field name="win.eventdata.new Value">C:\\ = 0x0|D:\\ = 0x0|E:\\ = 0x0|F:\\ = 0x0</field>
		<description> Windows Defender Exclusion for Attached Drive</description>
		<group>defender,attack.t1089</group>
	</rule>
</group>

<group name="privesc,">

 <rule id="255600" level="12">
 <if_sid>255531</if_sid>
 <regex>\\csc.exe</regex>
 <match>cmdline</match>
 <description>ATT&CK T1055: Suspected Shellcode Compile on Endpoint</description>
 <group>MITRE,attack.t1055,</group>
 </rule>

 <rule id="255601" level="12">
 <if_sid>255500</if_sid>
 <field name="win.eventdata.image">\\powershell.exe</field>
 <field name="win.eventdata.targetImage">\\rundll32.exe</field>
 <description>ATT&CK T1055: Suspected Process Injection matching Cobalt Strike methods</description>
 <group>MITRE,attack.t1055,</group>
 </rule>

 <rule id="255602" level="12">
 <if_sid>255524</if_sid>
 <match>\\\\.\\pipe\\</match>
 <description>Named Pipe potential Privilege Escalation (Meterpreter) T1134</description>
 <group>MITRE,attack.t1134,sysmon</group>
 </rule>

 <rule id="255603" level="12">
 <if_group>sysmon_event8</if_group>
 <match>rundll32.exe</match>
 <regex>winlogon.exe|dllhost.exe|svchost.exe</regex>
 <description>ATT&CK T1055: Process injections by $(win.eventdata.sourceImage) into $(win.eventdata.targetImage)</description>
 <group>MITRE,attack.t1055,sysmon</group>
 </rule>


</group>


<group name="persistence,">

 <rule id="255700" level="9">
 <if_group>sysmon_event_13</if_group>
 <regex>services.exe</regex>
 <description>ATT&CK T1058:Registry edit for new service</description>
 <group>MITRE,attack.t1058</group>
 </rule>


 <rule id="255701" level="12">
 <if_sid>255700</if_sid>
 <field name="win.eventdata.details">\\.exe</field>
 <description>ATT&CK T1058:Executable written to Registry for Persistence</description>
 <group>MITRE,attack.t1058</group>
 </rule>

 <rule id="255702" level="12">
 <if_group>sysmon_event_11</if_group>
 <match>\\Programs\\Startup</match>
 <description>ATT&CK T1060: Potential Persistence Method via Startup Folder</description>
 <group>MITRE,attack.t1060</group>
 </rule>

 <rule id="255703" level="0">
 <if_sid>255702</if_sid>
 <regex>desktop.ini</regex>
 <description>Startup Folder Whitelist</description>
 <group>MITRE,attack.t1060</group>
 </rule>

 <rule id="255704" level="10">
 <if_group>sysmon_event_11</if_group>
 <field name="win.eventdata.targetFilename">\\.scr</field>
 <description>ATT&CK T1180: Screensaver, unusual filetype anamoly .scr file detected</description>
 <group>MITRE,attack.t1180</group>
 </rule>

 <rule id="255705" level="12">
 <if_group>sysmon_event_13</if_group>
 <regex>RunOnce</regex>
 <description>ATT&CK T1547.001: Potential Run Key Persistence Setup</description>
 <group>MITRE,attack.t1547.001</group>
 </rule>

 <rule id="255706" level="0">
 <if_sid>255705</if_sid>
 <field name="win.eventdata.image">\\OneDriveSetup.exe</field>
 <description>silence normal onedrive activity</description>
 <group>MITRE,attack.t1160</group>
 </rule>

 <rule id="255707" level="0">
 <if_sid>255702</if_sid>
 <regex>Explorer.EXE</regex>
 <description>Startup Folder Whitelist</description>
 <group>MITRE,attack.t1060</group>
 </rule>

 <rule id="255708" level="12">
 <if_sid>255539</if_sid>
 <regex>Windows\\CurrentVersion\\Run</regex>
 <description>Run Key Persistence Detected</description>
 <group>MITRE,attack.t1547.001</group>
 </rule>

 <rule id="255709" level="12">
 <if_sid>255572</if_sid>
 <regex>powershell</regex>
 <description>ATT&CK T1547.001: Powershell in registry, potential malicious persistence</description>
 <group>MITRE,attack.t1547.001</group>
 </rule>

 <rule id="255710" level="12">
 <if_group>sysmon_event_12</if_group>
 <regex>RunOnce</regex>
 <description>ATT&CK T1547.001: Potential Run Key Persistence Setup</description>
 <group>MITRE,attack.t1547.001</group>
 </rule>

 <rule id="255711" level="12">
 <if_group>sysmon_event_11</if_group>
 <match>w3wp.exe</match>
 <regex>asp|php|jsp</regex>
 <description>ATT&CK T1505.003: Potential Webshell from IIS</description>
 <group>MITRE,attack.t1505.003</group>
 </rule>

</group>

<group name="Defense Evasion,">

 <rule id="255800" level="10">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\mshta.exe</field>
 <regex>browser_broker.exe</regex>
 <description>ATT&CK T1170: MSHTA execution demiguise techniques</description>
 <group>MITRE,attack.t1170</group>
 </rule>

 <rule id="255801" level="10">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\mshta.exe</field>
 <regex>chrome.exe</regex>
 <description>ATT&CK T1170: MSHTA execution demiguise techniques</description>
 <group>MITRE,attack.t1170</group>
 </rule>

 <rule id="255802" level="10">
 <if_group>sysmon_event1</if_group>
 <regex>firewall set opmode mode=disable</regex>
 <description>ATT&CK T1089: Disabling the Windows Firewall</description>
 <group>MITRE,attack.t1089</group>
 </rule>

 <rule id="255803" level="10">
 <if_group>sysmon_event1</if_group>
 <regex>advfirewall set currentprofile state off</regex>
 <description>ATT&CK T1089: Disabling the Windows Firewall</description>
 <group>MITRE,attack.t1089</group>
 </rule>

 <rule id="255804" level="10">
 <if_group>sysmon_event_11</if_group>
 <field name="win.eventdata.targetFilename">\\.arj</field>
 <description>ATT&CK T1406: Filetype anomaly, unusual file type .arj</description>
 <group>MITRE,attack.t1406</group>
 </rule>

 <rule id="255805" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">sysmon64.exe</field>
 <field name="win.eventdata.commandline">-u</field>
 <description>Sysmon has been uninstalled</description>
 <group>MITRE,attack.t1089</group>
 </rule>

 <rule id="255806" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">fltmc.exe</field>
 <field name="win.eventdata.commandline">unload</field>
 <description>Unload Filter Driver, possibly sysmon</description>
 <group>MITRE,attack.t1089,sysmon</group>
 </rule>

</group>
<group name="execution,">

 <rule id="255901" level="12">
 <if_sid>255531</if_sid>
 <regex>-e PAA|-en PAA|-enc PAA|-enco PAA|-encod PAA|JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ|QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA|kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA|IgAoACcAKgAnACkAOwAkA|IAKAAnACoAJwApADsAJA|iACgAJwAqACcAKQA7ACQA</regex>
 <description>ATT&CK T1059: Powershell execution techniques seen with Emotet malware</description>
 <group>MITRE,attack.t1059</group>
 </rule>


 <rule id="255902" level="12">
 <if_sid>255531</if_sid>
 <regex>-noP -sta -w 1 -enc|-NoP -sta -NonI -W Hidden -Enc|-NoP -NonI -W Hidden -enc</regex>
 <description>ATT&CK T1059: Powershell execution techniques default PowerShell Empire launcher</description>
 <group>MITRE,attack.t1059</group>
 </rule>

 <rule id="255903" level="10">
 <if_group>sysmon_event1</if_group>
 <regex>certutil -urlcache -split -f </regex>
 <description>ATT&CK T1059: CertUtil Download Technique</description>
 <group>MITRE,attack.t1059</group>
 </rule>

 <rule id="255904" level="12">
 <if_sid>255531</if_sid>
 <regex>-exec bypass -Noninteractive -windowstyle hidden -e</regex>
 <description>ATT&CK T1059: Powershell execution techniques default Posh C2 launcher</description>
 <group>MITRE,attack.t1059</group>
 </rule>

 <rule id="255905" level="12">
 <if_sid>255531</if_sid>
 <regex>/w 1</regex>
 <match>value.toString</match>
 <description>ATT&CK T1059: Powershell execution techniques default Unicorn Powershell Meterpreter launcher</description>
 <group>MITRE,attack.t1059</group>
 </rule>

 <rule id="255906" level="9">
    <if_sid>60100</if_sid>
    <field name="win.system.eventID">^400$</field>
    <regex>PowerShell</regex>
    <description>Windows PowerShell was started.</description>
 </rule>

 <rule id="255907" level="9">
    <if_sid>60100</if_sid>
    <field name="win.system.eventID">^800$</field>
    <regex>PowerShell</regex>
    <description>Windows PowerShell command executed.</description>
 </rule>
 
 <rule id="255910" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|cablesongs|mscmsknown</regex>
 <description>Potential Emotet Executable running detection</description>
 <group>MITRE,execution</group>
 </rule>

 <rule id="255911" level="12">
 <if_group>sysmon_event3</if_group>
 <regex>englishsize|adamteapot|initijpn|classchx|choreengine|pixelproc|vertclient|cablesongs|mscmsknown</regex>
 <description>Potential Emotet Executable running detection</description>
 <group>MITRE,execution</group>
 </rule>

 <rule id="255912" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.currentDirectory">AppData\\Roaming</field>
 <regex>ipconfig|workstation|domain_trusts</regex>
 <description>Potential Trickbot Executable running local and domain reconnaissance</description>
 <group>MITRE,execution</group>
 </rule>

  <rule id="255913" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest</regex>
 <description>Potential Emotet Executable running detection</description>
 <group>MITRE,execution</group>
 </rule>

 <rule id="255914" level="12">
 <if_group>sysmon_event3</if_group>
 <regex>Roaming\\NuiGet|Roaming\\HomeLan|Roaming\\netRest|Roaming\\netcloud|Roaming\\netRest</regex>
 <description>Potential Emotet Executable running detection</description>
 <group>MITRE,execution</group>
 </rule>

 <rule id="255915" level="12">
 <if_sid>255531</if_sid>
 <regex>RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==</regex>
 <description>ATT&CK T1485: Powershell Ransomware technique to delete shadow copies seen in Sodinokibi strains</description>
 <group>MITRE,attack.t1485,ransomware</group>
 </rule>

 <rule id="255916" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>WMIC.exe shadowcopy delete</regex>
 <description>ATT&CK T1485: WMIC Ransomware technique to delete shadow copies seen in Robinhood strains</description>
 <group>MITRE,attack.t1485,ransomware</group>
 </rule>

 <rule id="255917" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>vssadmin delete shadows /all /quiet</regex>
 <description>ATT&CK T1485:Ransomware technique to delete shadow copies</description>
 <group>MITRE,attack.t1485,ransomware</group>
 </rule>

 <rule id="255918" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>/c Bcdedit.exe /set {default} recoveryenabled no</regex>
 <description>ATT&CK T1485:Ransomware technique to delete backups seen in Robinhood strains</description>
 <group>MITRE,attack.t1485,ransomware</group>
 </rule>

 <rule id="255919" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>wbadmin  delete catalog -quiet</regex>
 <description>ATT&CK T1485:Ransomware technique to delete backups seen in Wannacry strains</description>
 <group>MITRE,attack.t1485,ransomware</group>
 </rule>

 <rule id="255920" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>icacls . /grant Everyone:F /T /C /Q</regex>
 <description>ATT&CK T1486:Ransomware technique to grant all permissions seen in Wannacry strains</description>
 <group>MITRE,attack.t1486,ransomware</group>
 </rule>

 <rule id="255921" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>gandcrab.bit|ransomware.bit|carder.bit</regex>
 <description>ATT&CK T1486:Ransomware technique to look up Ransomware Domains seen in Gandcrab strain</description>
 <group>MITRE,attack.t1486,ransomware</group>
 </rule>

 <rule id="255922" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>EQNEDT32.EXE</regex>
 <description>ATT&CK T1173: Potential use of Microsoft Equation Editor for Exploitation</description>
 <group>MITRE,attack.t1173,</group>
 </rule>

 <rule id="255923" level="12">
 <if_sid>255561</if_sid>
 <field name="win.eventdata.parentImage">\\powershell.exe</field>
 <description>ATT&CK T1117: Regsrv32 execution spawned from Powershell (Ursnif IOC)</description>
 <group>MITRE,attack.t1117</group>
 </rule>

 <rule id="255924" level="12">
 <if_sid>255901</if_sid>
 <regex>IwBwAGEAY</regex>
 <description>ATT&CK T1059: Powershell Signature Matching Ursnif Malware</description>
 <group>MITRE,attack.t1059</group>
 </rule>

 <rule id="255925" level="5">
 <if_group>sysmon_event1</if_group>
 <field name="win.eventdata.image">\\wscript.exe</field>
 <description>ATT&CK T1064: WScript Execution $(win.eventdata.image)</description>
 <group>MITRE,attack.t1064</group>
 </rule>

 <rule id="255926" level="12">
 <if_sid>255559</if_sid>
 <regex>WINWORD.EXE</regex>
 <description>ATT&CK T1064: Word Executing WScript $(win.eventdata.image)</description>
 <group>MITRE,attack.t1064</group>
 </rule>


 <rule id="255927" level="12">
 <if_sid>255531</if_sid>
 <regex>.doc</regex>
 <description>Powershell Spawned from Office Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255928" level="12">
 <if_sid>255531</if_sid>
 <regex>.xls</regex>
 <description>Powershell Spawned from Excel Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255929" level="12">
 <if_sid>255524</if_sid>
 <regex>WINWORD.EXE</regex>
 <description>Command Line process spawned from Microsoft Word Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255930" level="12">
 <if_sid>255524</if_sid>
 <regex>EXCEL.EXE</regex>
 <description>Command Line process spawned from Microsoft Excel Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255931" level="12">
 <if_sid>255524</if_sid>
 <regex>POWERPNT.exe</regex>
 <description>Command Line process spawned from Microsoft Powerpoint Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255932" level="12">
 <if_sid>255524</if_sid>
 <regex>OUTLOOK.EXE</regex>
 <description>Command Line process spawned from Microsoft Outlook</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255933" level="12">
 <if_sid>255524</if_sid>
 <regex>VISIO.exe</regex>
 <description>Command Line process spawned from Microsoft Visio Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255934" level="12">
 <if_sid>255524</if_sid>
 <regex>MSPUB.exe</regex>
 <description>Command Line process spawned from Microsoft Publisher Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255935" level="12">
 <if_sid>255531</if_sid>
 <regex>POWERPNT.exe</regex>
 <description>Powershell Spawned from Powerpoint Doc</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255936" level="12">
 <if_sid>255531</if_sid>
 <regex>OUTLOOK.EXE</regex>
 <description>Powershell Spawned from Microsoft Outlook</description>
 <group>MITRE,attack.t1059,attack.t1202</group>
 </rule>

 <rule id="255937" level="12">
 <if_sid>255531</if_sid>
 <regex>MSPUB.exe</regex>
 <description>Powershell Spawned from Microsoft Publisher</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255938" level="12">
 <if_sid>255531</if_sid>
 <regex>VISIO.exe</regex>
 <description>Powershell Spawned from Microsoft Visio</description>
 <group>MITRE,attack.t1059,attack.t1202,</group>
 </rule>

 <rule id="255939" level="12">
 <if_sid>255524</if_sid>
 <regex>start microsoft-edge:http:</regex>
 <description>Potential Trickbot behaviour spawning Microsoft Edge via the Commandline</description>
 <group>MITRE,</group>
 </rule>

 <rule id="255940" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>whoami.exe</regex>
 <match>SYSTEM</match>
 <description>Whoami ran as SYSTEM user, potential user recon after privelge escalation</description>
 <group>MITRE,attack.t1033</group>
 </rule>

 <rule id="255941" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>CollectionMethod All</regex>
 <description>Bloodhound Active Directory enumeration tool executed</description>
 <group>MITRE,attack.t1087</group>
 </rule>

 <rule id="255942" level="12">
 <if_group>sysmon_event1</if_group>
 <regex>rar.exe</regex>
 <description>Rar file archive action detected, potential data being staged for exfiltration</description>
 <group>MITRE,attack.t1002,attack.t1074</group>
 </rule>

 <rule id="255943" level="12">
 <if_group>sysmon_event1</if_group>
 <match>net.webclient</match>
 <regex>downloadstring|downloadfile</regex>
 <description>Potential powershell download anomaly investigate for potential malware</description>
 <group>MITRE,attack.t1086</group>
 </rule>

 <rule id="255944" level="12">
 <if_group>sysmon_event7</if_group>
 <match>Revoked</match>
 <description>T1073 Potential DLL Side Loading by Executable with Revoked Certificate: Image loaded by $(win.eventdata.image)</description>
 <group>MITRE,attack.t1073</group>
 </rule>

 <rule id="255945" level="8">
 <if_group>sysmon_event7</if_group>
 <match>false</match>
 <description>T1073 Potential DLL Side Loading by Unsigned Executable: Image loaded by $(win.eventdata.image)</description>
 <group>MITRE,attack.t1073</group>
 </rule>

 <rule id="255946" level="12">
 <if_group>sysmon_event_11</if_group>
 <match>WINWORD.EXE</match>
 <field name="data.win.eventdata.targetfilename">\\.exe</field>
 <description>WORD document wrote executable file: $(data.win.eventdata.targetfilenam)</description>
 <group>MITRE,</group>
 </rule>

 <rule id="255947" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">cmstp.exe</field>
 <field name="win.eventdata.commandline">.inf</field>
 <description>CMSTP Executing Remote Scriptlet - T1191</description>
 <group>MITRE,attack.t1089,Execution,sysmon</group>
 </rule>
 
 <rule id="255948" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">cmstp.exe</field>
 <field name="win.eventdata.commandline">.inf</field>
 <field name="win.eventdata.commandline">/au</field>
 <description>CMSTP Executing UAC Bypass - T1191</description>
 <group>MITRE,attack.t1089,Execution,sysmon</group>
 </rule>
 
 <rule id="255949" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">hh.exe</field>
 <field name="win.eventdata.commandline">.chm</field>
 <field name="win.eventdata.commandline">http|https</field>
 <description>Compiled HTML Help Remote Payload - T1223</description>
 <group>MITRE,attack.t1223,Execution,sysmon</group>
 </rule>
 
 <rule id="255950" level="12">
 <if_sid>255531</if_sid>
 <field name="win.eventdata.image">control.exe</field>
 <field name="win.eventdata.commandLine">.cpl</field>
 <description>Compiled HTML Help Local Payload - T1196</description>
 <group>MITRE,attack.t1196,Execution,sysmon</group>
 </rule>

 <rule id="255951" level="12">
 <if_sid>255561</if_sid>
 <match>appdata</match>
 <field name="win.eventdata.commandLine">.txt</field>
 <description>Ursnif DLL loading via Regsrv32 T1218</description>
 <group>MITRE,attack.t1218,Execution,sysmon</group>
 </rule>

 <rule id="255952" level="12">
 <if_sid>255551</if_sid>
 <match>regread</match>
 <regex>WScript.Shell</regex>
 <description>Ursnif loading from Registry via MSHTA exec, T1170</description>
 <group>MITRE,attack.t1170,Execution,sysmon</group>
 </rule>

 <rule id="255953" level="12">
 <if_sid>255531</if_sid>
 <match>SQB</match>
 <description>Encoded Powershell IEX, T1086</description>
 <group>MITRE,attack.t1086,Execution,sysmon</group>
 </rule>

 <rule id="255954" level="12">
 <if_group>sysmon_event3</if_group>
 <match>psexec</match>
 <description>potential lateral movement using psexec</description>
 <group>MITRE,attack.t1570,sysmon</group>
 </rule>

 <rule id="255955" level="12">
 <if_sid>255524</if_sid>
 <match>127.0.0.1\\</match>
 <regex>ADMIN\$|C\$|IPC\$</regex>
 <description>ATT&CK T1021.002: Execute command writing output to local Admin Share</description>
 <group>MITRE,attack.t1021.002,sysmon</group>
 </rule>

 <rule id="255956" level="12">
 <if_group>sysmon_event1</if_group>
 <match>w3wp.exe</match>
 <regex>cmd.exe</regex>
 <description>ATT&CK T1505.003: Potential webshell interaction</description>
 <group>MITRE,attack.t1505.003,sysmon</group>
 </rule>
</group>
<group name="command and control">

<rule id="256000" level="0">
  <if_group>sysmon_event3</if_group>
  <list field="win.eventdata.destinationIp" lookup="address_match_key">etc/lists/emotet-list</list>
  <description>IP connection to Emotet Command and Control</description>
  <group>emotet,</group>
</rule>

<rule id="256001" level="10">
  <if_group>sysmon_event3</if_group>
  <field name="win.eventdata.image">C:\\Windows\\System32\\wermgr.exe</field>
  <field name="win.eventdata.destinationPort">449</field>
  <description>Wergmr connection on port 449 suspected Trickbot injected process C2 activity</description>
  <group>trickbot,</group>
</rule>

<rule id="256002" level="10">
  <if_group>sysmon_event3</if_group>
  <field name="win.eventdata.image">C:\\Windows\\System32\\svchost.exe</field>
  <field name="win.eventdata.destinationPort">449</field>
  <description>Svchost connection on port 449 suspected Trickbot injected process C2 activity</description>
  <group>trickbot,</group>
</rule>


</group>

<group name="logcollect">
 <rule id="256100" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-LocalSessionManager/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
  </rule>
  <rule id="256101" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-SMBServer/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
  </rule>
  <rule id="256102" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-SMBServer/Connectivity$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
  </rule>
  <rule id="256103" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-SMBClient/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
  </rule>
  <rule id="256104" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-SmbClient/Connectivity$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
  </rule>
  <rule id="256105" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the System channel</description>
 </rule>
</group>
<group name="lateral movement,">

 <rule id="256200" level="5">
 <if_group>sysmon_event_11</if_group>
 <field name="win.eventdata.processId">^4$</field>
 <description>ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement</description>
 <group>MITRE,attack.t1570</group>
 </rule>

 <rule id="256201" level="12">
 <if_sid>256200</if_sid>
 <regex>.exe</regex>
 <description>ATT&CK T1570: Executable transferred potentially by Psexec tool, potential lateral movement</description>
 <group>MITRE,attack.t1570</group>
 </rule>

 <rule id="256202" level="12">
 <if_sid>255700</if_sid>
 <regex>%COMSPEC%</regex>
 <description>ATT&CK T1543.003: %COMSPEC% Variable in Registry Service, potential lateral movement or persistence mechanism</description>
 <group>MITRE,attack.t1543.001</group>
 </rule>

 <rule id="256203" level="12">
 <if_sid>60106</if_sid>
 <field name="win.eventdata.logonType">10|12</field>
 <description>ATT&CK T1021/T1133: Successful RDP Logon from $(win.eventdata.ipAddress)</description>
 <group>MITRE,attack.t1021,attack.t1133</group>
 </rule>

 <rule id="256204" level="12">
 <if_group>sysmon_event_11</if_group>
 <match>Network Shortcuts</match>
 <regex>c\$</regex>
 <description>ATT&CK T1021.002: Remote System C$ drive mounted</description>
 <group>MITRE,attack.t1021.002</group>
 </rule>

 <rule id="256205" level="12">
 <if_sid>60106</if_sid>
 <field name="win.eventdata.logonType">9</field>
 <match>seclogo</match> 
 <description>ATT&CK T1550.002: Potential Pass the Hash Attack</description>
 <group>MITRE,attack.t1550.002</group>
 </rule>

 <rule id="256206" level="12">
 <if_group>sysmon_event_17</if_group>
 <regex>msagent_</regex>
 <description>ATT&CK T1071: Cobalt Strike Named Pipe SMB Beacon usage</description>
 <group>MITRE,attack.t1071</group>
 </rule>


</group>

<group name="exfiltration,">

 <rule id="256500" level="12">
 <if_group>sysmon</if_group>
 <field name="win.eventdata.product">Rclone</field>
 <description>T1567.002 Rclone potential data exfiltration</description>
 </rule>

 <rule id="256501" level="12">
 <if_group>sysmon-modular</if_group>
 <field name="win.eventdata.product">Rclone</field>
 <description>T1567.002 Rclone potential data exfiltration</description>
 </rule>

</group>